Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.vundo.b


  • Please log in to reply
3 replies to this topic

#1 liloo4

liloo4

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 24 October 2005 - 05:15 PM

I have tried to follow the guidelines to get rid of Tojan.Vundo.B.
Each time I reboot, it is still there and my computer is not running slowly.
Here is the most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:47:12, on 25/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\ipconfg32.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\winupdmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synapse Développement\Synapse Update\Synapse Update.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Cordial\DLL_32\Integration de Cordial dans Outlook Express.exe
C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Alex\Bureau\Utilitaires\Antivirus\HijackThis.exe
C:\Program Files\Windows Media Player\wmplayer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\AppPatch\apsrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Care2GTU] javaw -cp "C:\Program Files\Care2GTU\System\Code" Main lp: "C:\Program Files\Care2GTU"
O4 - HKLM\..\Run: [SynapseUpdate] C:\Program Files\Synapse Développement\Synapse Update\Synapse Update.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [MICROSFT MX UPDATE SUPPORT] winmx32.EXE
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Windowfdgfds DLL fgfdg Verifier] winsecure.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\Run: [Microsoft Update] wininit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wininit.exe
O4 - HKLM\..\RunServices: [MICROSFT MX UPDATE SUPPORT] winmx32.EXE
O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe
O4 - HKLM\..\RunServices: [Windowfdgfds DLL fgfdg Verifier] winsecure.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
O4 - Global Startup: Intégration de Cordial dans Outlook Express.lnk = C:\Program Files\Cordial\DLL_32\Integration de Cordial dans Outlook Express.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sagem - Utilitaire réseau pour Clé USB Wi-Fi 802.11g.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/cabs/GNInstallerFree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lv6609jse.dll
O20 - Winlogon Notify: apsrv - C:\WINDOWS\AppPatch\apsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Fonction Commande à distance de Client Access Express (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: IpManager (IPtable) - Unknown owner - C:\WINDOWS\ipconfg32.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Update - Unknown owner - C:\WINDOWS\system32\winupdmon.exe

Edited by liloo4, 25 October 2005 - 05:06 PM.


BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 26 October 2005 - 04:13 AM

Hi liloo4 and Welcome to the Bleeping Computer!


I need to see a couple of files from your system please!

Please Download Submit Files Packer

Highlight the files listed below in bold and right-click and selecting copy.


C:\WINDOWS\ipconfg32.exe
C:\WINDOWS\system32\winupdmon.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate these entries

IpManager
Windows Update


Right Click each entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\AppPatch\apsrv.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\AppPatch\vrspa.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\AppPatch\apsrv.dll

    O20 - Winlogon Notify: apsrv - C:\WINDOWS\AppPatch\apsrv.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3 liloo4

liloo4
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 27 October 2005 - 02:17 AM

Hi liloo4 and Welcome to the Bleeping Computer!


I need to see a couple of files from your system please!

Please Download Submit Files Packer

Highlight the files listed below in bold and right-click and selecting copy.


C:\WINDOWS\ipconfg32.exe
C:\WINDOWS\system32\winupdmon.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate these entries

IpManager
Windows Update


Right Click each entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files

  • This will create a VundoFix folder on your desktop.

  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....



  • At this point press enter one time.


  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:



  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\AppPatch\apsrv.dll
  • Press Enter to continue with the fix.


  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\AppPatch\vrspa.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.

  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.

  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\AppPatch\apsrv.dll

    O20 - Winlogon Notify: apsrv - C:\WINDOWS\AppPatch\apsrv.dll
  • After you have fixed these items, close Hijackthis.

  • Press enter to exit the program then manually reboot your computer.

  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins

  • Delete Cookies

  • Delete Prefetch files

  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.


Hi Cretemonster,

Thank you for your assistance. I followed precisely the procedure. I encountered several issues : in safe mode, I did not have access to any icons on my desktop. Scary... I manually reboot it until in regular mode I got back the usual desktop.

Also, at the end, Active Scan did not want to run. So I ran Norton instead. It says there is one threat left : trojan.vundo.b. Itis still there, can not be deleted nor quarantine. It is located in the master boot record and the boot record. Also, I turned back on the IPManager and Windows Update.

Here is the latest HijackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 09:02:03, on 27/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\ipconfg32.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synapse Développement\Synapse Update\Synapse Update.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\GuruNet\GuruNet.exe
C:\Program Files\Cordial\DLL_32\Integration de Cordial dans Outlook Express.exe
C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
C:\PROGRA~1\FICHIE~1\ATOMIC~1\agtserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Alex\Bureau\Utilitaires\Antivirus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\AppPatch\apsrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Care2GTU] javaw -cp "C:\Program Files\Care2GTU\System\Code" Main lp: "C:\Program Files\Care2GTU"
O4 - HKLM\..\Run: [SynapseUpdate] C:\Program Files\Synapse Développement\Synapse Update\Synapse Update.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [MICROSFT MX UPDATE SUPPORT] winmx32.EXE
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Windowfdgfds DLL fgfdg Verifier] winsecure.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\Run: [Microsoft Update] wininit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wininit.exe
O4 - HKLM\..\RunServices: [MICROSFT MX UPDATE SUPPORT] winmx32.EXE
O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe
O4 - HKLM\..\RunServices: [Windowfdgfds DLL fgfdg Verifier] winsecure.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
O4 - Global Startup: Intégration de Cordial dans Outlook Express.lnk = C:\Program Files\Cordial\DLL_32\Integration de Cordial dans Outlook Express.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sagem - Utilitaire réseau pour Clé USB Wi-Fi 802.11g.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/cabs/GNInstallerFree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: apsrv - C:\WINDOWS\AppPatch\apsrv.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\c4000edmeh0a0.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Fonction Commande à distance de Client Access Express (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: IpManager (IPtable) - Unknown owner - C:\WINDOWS\ipconfg32.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Update - Unknown owner - C:\WINDOWS\system32\winupdmon.exe


:thumbsup:

Edited by liloo4, 27 October 2005 - 02:19 AM.


#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 27 October 2005 - 03:52 AM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • On the left side,Click Options,Click Sweep Options,Make sure there is a check by "Sweep for Rootkits"
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Once that Scan is Completed,Download the L2mfix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you recieve any error messages for CMD or Autoexec.bat>> Select Option 5 from the l2mfix and once at the Site,Click on the link that apply to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users