Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Removed Trojan.Vundo.H: Am I clean? (logs included) [RESOLVED]

Started by kasperbs , Sep 04 2008 05:43 AM

  • This topic is locked This topic is locked

#1
kasperbs
Posted 04 September 2008 - 05:43 AM

kasperbs

    Member

  • Member
  • PipPip
  • 32 posts
Hi I have followed the guideline posted in the "What to do before posting HIjackThis Logs thread. The scan seems to have removed the Trojan.Vundo.H infections and I can also turn on Automatic updates, which I couldn't before. If someone has the time I would appreciate if you could tell me if I'm clean now. The logs are pasted below - Thanks in advance

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:25:52, on 04-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Team MediaPortal\MediaPortal\MPTestTool2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BM2b77c70b] Rundll32.exe "C:\WINDOWS\system32\bmgtjgva.dll",s
O4 - HKCU\..\Run: [MediaPortal] C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: jtnsds.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: KLS Backup 2008 Professional Service (KLSBackup2008Pro) - KLS Soft - C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 4409 bytes


Malwarebytes' Log

Malwarebytes' Anti-Malware 1.26
Database version: 1112
Windows 5.1.2600 Service Pack 3

04-09-2008 13:17:01
mbam-log-2008-09-04 (13-17-01).txt

Scan type: Quick Scan
Objects scanned: 38701
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 22
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iiffGXNF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yaeqqfxg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wvUOgGAT.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af2c392c-ac67-43e3-9b71-faaf85c36892} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvuoggat (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2c392c-ac67-43e3-9b71-faaf85c36892} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d6ed0464-df9e-4b5e-af52-fdc687230fc2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d6ed0464-df9e-4b5e-af52-fdc687230fc2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7ab338d6-3592-4297-8408-03a30bc0006c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{9dc4f153-9410-46c2-98e4-e9063e927ab0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4efbf279-677d-4eb5-8aa5-368211376f5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f661ba6b-faf4-4165-a701-f65a7585ac91} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.bswm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{af2c392c-ac67-43e3-9b71-faaf85c36892} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iiffgxnf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iiffgxnf -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wvUOgGAT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iiffGXNF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\FNXGffii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FNXGffii.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebdfjmka.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akmjfdbe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcvkgddi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iddgkvcx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaeqqfxg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gxfqqeay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGATJde.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rarkxcog.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rtiajhxa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tsmtojcf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdjipilh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2b77c70b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2b77c70b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\gksraemq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Uninstall List

Adobe Flash Player ActiveX
avast! Antivirus
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
IrfanView (remove only)
K-Lite Codec Pack 3.9.5 (Full)
KLS Backup 2008 Professional 4.0.0.1
Malwarebytes' Anti-Malware
MediaPortal
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
Mp3tag v2.41
NVIDIA Windows 2000/XP Display Drivers
Okoker Delete 1.0
PCI Audio Driver
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Spyware Terminator
UltraVNC v1.0.2
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6h
VobSub v2.23 (Remove Only)
Windows XP Service Pack 3
WinRAR archiver


  • 0

Advertisements

#2
Mike
Posted 04 September 2008 - 05:49 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there, I can help you remove Trojan.Vundo.H :)

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out :)
If you cannot complete a step in my instructions, please skip it and continue with the rest of my instructions and tell me in your next reply which one you were having trouble with.

Please temporarily disable Avast! and SpywareTerminator.
Take a look here for instructions http://www.bleepingc...opic114351.html

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
  • 0

#3
kasperbs
Posted 04 September 2008 - 09:47 AM

kasperbs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi and thanks for your quick response. I have followed your instructions and included the logs below for Trojan.Vundo.H.

ComboFix Log

ComboFix 08-09-03.06 - Rudolf 2008-09-04 17:33:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1081 [GMT 2:00]
Running from: C:\Documents and Settings\Rudolf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rudolf\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1013608126
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-104227137
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1070337227
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1147213745
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1448940889
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1489267361
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1510432680
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1585893909
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1586565907
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1611805563
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1720660854
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1735783957
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-1893854043
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-201818040
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-20340076
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2043781476
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2083673313
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2114726699
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2246143619
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2372407702
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2416609078
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2474300990
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2558014067
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2585151715
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2629425881
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-269180031
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2712804888
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2719999161
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2733573841
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2810285440
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2819047767
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2864025825
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2869056688
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2869408977
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2881994124
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2942679582
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-2979373905
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-307793303
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3105998311
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3113692955
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3115203218
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3129460498
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3131932252
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3136940768
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3146730451
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3180794346
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3310300172
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3325363279
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3370417966
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-340171306
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3410209574
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-365330939
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3657049529
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3712903604
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3776237774
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3801166436
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3841115114
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3888344508
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3930992674
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3950280689
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3956152062
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3973931783
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-3998084724
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4012606959
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4035748381
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4058891697
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4074156412
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4086154844
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4132244572
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4242206296
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-4244331773
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-44210969
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-446125470
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-507559956
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-550880310
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-551550153
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-55647648
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-601897392
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-705495393
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-725244836
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-750872152
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-863772392
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-884552767
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-900775278
C:\Documents and Settings\Rudolf\Local Settings\Temporary Internet Files\mpcache-948366137
C:\WINDOWS\BM2b77c70b.txt
C:\WINDOWS\BM2b77c70b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bmgtjgva.dll
C:\WINDOWS\system32\efjrxcor.dll
C:\WINDOWS\system32\fqnypgdp.dll
C:\WINDOWS\system32\gblovoke.dll
C:\WINDOWS\system32\guvzis.dll
C:\WINDOWS\system32\jlcynhyg.dll
C:\WINDOWS\system32\jtnsds.dll
C:\WINDOWS\system32\qdtgil.dll
C:\WINDOWS\system32\texucffb.dll
C:\WINDOWS\system32\wkqrukjw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-04 17:29 . 2008-09-04 17:29 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-09-04 17:29 . 2008-07-30 21:09 38 --a------ C:\WINDOWS\avisplitter.ini
2008-09-04 13:12 . 2008-09-04 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-04 13:12 . 2008-09-04 13:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-09-04 13:12 . 2008-09-04 13:12 <DIR> d-------- C:\Documents and Settings\Rudolf\Application Data\Malwarebytes
2008-09-04 13:12 . 2008-09-04 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-04 13:12 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-04 13:12 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-04 13:10 . 2008-09-04 13:10 <DIR> d-------- C:\Program Files\ERUNT
2008-09-04 13:05 . 2008-09-04 13:05 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-04 00:50 . 2008-09-04 00:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 00:36 . 2008-05-29 18:42 60,416 --a------ C:\WINDOWS\system32\antiwpa.dll22F24
2008-09-02 20:37 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-02 20:37 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-09-02 20:36 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-09-02 20:36 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-09-02 20:36 . 2008-04-14 02:09 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-09-02 20:36 . 2008-04-14 02:09 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-09-02 18:34 . 2008-09-02 18:34 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-02 18:34 . 2008-09-02 18:34 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-02 18:34 . 2008-09-02 18:34 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-02 18:34 . 2008-09-02 18:34 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-02 18:32 . 2008-09-02 18:34 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-26 03:51 . 2008-04-14 02:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-08-26 03:51 . 2008-04-14 02:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-26 03:51 . 2008-04-14 02:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-08-26 03:51 . 2008-04-14 02:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-26 03:49 . 2008-04-14 02:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-14 15:17 . 2008-04-11 21:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 23:27 --------- d-----w C:\Documents and Settings\Rudolf\Application Data\Spyware Terminator
2008-09-03 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-26 23:00 --------- d-----w C:\Program Files\Spyware Terminator
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-30 18:21 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaPortal"="C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe" [2008-04-18 1261568]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 59392]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-25 1817600]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
"WinVNC"="C:\Program Files\UltraVNC\winvnc.exe" [2006-06-18 712704]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]
"C-Media Mixer"="Mixer.exe" [2002-10-15 C:\WINDOWS\mixer.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jtnsds.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\UltraVNC\\winvnc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-25 141312]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 KLSBackup2008Pro;KLS Backup 2008 Professional Service;C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe [2008-06-05 3437568]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 6016]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-07-29 424704]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-29 24288]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BM2b77c70b - C:\WINDOWS\system32\bmgtjgva.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Rudolf\Application Data\Mozilla\Firefox\Profiles\tfk0vksd.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 17:36:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
.
**************************************************************************
.
Completion time: 2008-09-04 17:42:25 - machine was rebooted [Rudolf]
ComboFix-quarantined-files.txt 2008-09-04 15:42:20

Pre-Run: 15,687,102,464 bytes free
Post-Run: 16,112,930,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

247 --- E O F --- 2008-09-03 21:03:00


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44:28, on 04-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [MediaPortal] C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: jtnsds.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: KLS Backup 2008 Professional Service (KLSBackup2008Pro) - KLS Soft - C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 3761 bytes


  • 0

#4
Mike
Posted 04 September 2008 - 12:22 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Antiwpa is a crack to bypass windows validation, the file is present on your PC, although a bit different than normally.
Would you know where it came from? Unfortunately I'm going to have to drill you a bit to see if your windows is legal, please don't take this offensively.

Please run the MGA Diagnostic Tool and post back the report it shall produce:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
antiwpa

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

Post back with the above logs and a new Hijack This log.

Edited by Mike, 04 September 2008 - 12:25 PM.

  • 0

#5
kasperbs
Posted 04 September 2008 - 12:55 PM

kasperbs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi again and thanks for your reply. The AntiWPA came into the system via a file that I downloaded which should activate Windows after you had installed SP3. Unfortunately when I ran it, it kept coming up with virus warnings, and after I had deleted about 30 or so I just used ctr+alt+del to end the process and reboot. I think that is where the virus came in as well.

Anyway here is the logs

MGADiag

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Not Activated
Validation Code: 1
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-72GBT-R7XV7-M7Y4B
Windows Product Key Hash: 3KhIDso4n2BdNcPCWHfTTLv7czA=
Windows Product ID: 76487-OEM-2280405-14564
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.med
CSVLK Server: N/A
CSVLK PID: N/A
ID: {B28C57B6-CD98-4C65-BCC7-F1D62431384E}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_025D1FF3-179-2_025D1FF3-199-3
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_025D1FF3-179-2_025D1FF3-199-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{B28C57B6-CD98-4C65-BCC7-F1D62431384E}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.3.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-M7Y4B</PKey><PID>76487-OEM-2280405-14564</PID><PIDType>3</PIDType><SID>S-1-5-21-1202660629-1500820517-839522115</SID><SYSTEM><Manufacturer>MEDIONPC</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20030307000000.000000+000</Date></BIOS><HWID>428A3B7F0184A073</HWID><UserLCID>0406</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Romance Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>


ReqSearchLlog

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 04-09-2008 20:49:12 for strings:
; 'antiwpa'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:49, on 04-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [MediaPortal] C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: jtnsds.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: KLS Backup 2008 Professional Service (KLSBackup2008Pro) - KLS Soft - C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 3708 bytes


  • 0

#6
Mike
Posted 04 September 2008 - 01:12 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi :)

Do you have a valid key for your OS? It's not activated yet and that makes me hesitant to help you.
A resource on windows activation: http://www.microsoft...e...g=en&pg=mpa

Right now I would like you to activate your windows, take a look here if you need instructions http://support.microsoft.com/kb/307890
If you don't have your windows key, you can contact Microsoft and request one for a small fee.

Re-run MGADiagnostic afterwards please.
  • 0

#7
Mike
Posted 04 September 2008 - 01:17 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
I just got some feedback from the Admins here,
I will trust that you will legally activate windows since you learned your lesson from downloading the crack.

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O20 - AppInit_DLLs: jtnsds.dll

Now please close all open windows except HJT and press "Fix checked".

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Select your normal user account.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):C:\windows\system32\jtnsds.dll
C:\WINDOWS\system32\antiwpa.dll22F24
After that, Reboot, and post a new HijackThis log here in a reply.

Then,

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Edited by Mike, 04 September 2008 - 01:25 PM.
Added instructions

  • 0

#8
kasperbs
Posted 04 September 2008 - 01:56 PM

kasperbs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Ok will now update java and run kaspersky scan. Here is the altest HijackThisLog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:11, on 04-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Team MediaPortal\MediaPortal\MPTestTool2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [MediaPortal] C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: KLS Backup 2008 Professional Service (KLSBackup2008Pro) - KLS Soft - C:\Program Files\KLS Soft\KLS Backup 2008 Professional\klsbservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 3835 bytes


  • 0

#9
Mike
Posted 04 September 2008 - 02:03 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
I'll wait on your reply :)

I did add to delete this file in case you missed my edit
C:\WINDOWS\system32\antiwpa.dll22F24
  • 0

#10
kasperbs
Posted 04 September 2008 - 05:06 PM

kasperbs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Yeah I did delete that file, here is the scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 04, 2008 19:25:14
Records in database: 1192110
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 46519
Threat name: 6
Infected objects: 64
Suspicious objects: 0
Duration of the scan: 00:34:23


File name / Threat name / Threats count
C:\Documents and Settings\Rudolf\My Documents\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\Rudolf\My Documents\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
C:\Documents and Settings\Rudolf\My Documents\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Documents and Settings\Rudolf\My Documents\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bmgtjgva.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fqnypgdp.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gblovoke.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\texucffb.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA0PQIRK.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA17UQHG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA1ISELG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA1NLP9Y.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA2860CI.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA2UY8GT.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA2XU6CW.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA3QEA00.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA3UBHKZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA49DBAC.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA4KFCAC.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA681LYO.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCABPKQTA.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCACRDUK1.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAGCS60T.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAGOUAPT.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAGPHTUY.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAHM3XK6.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAHNWOD7.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCALOTWAZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAM2ZM9L.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAN9WEN0.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCANLH1TG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCANXLGZN.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAO81SP4.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAP03FTP.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAP6TI0M.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAPU3CYU.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAR9ICH2.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCARHAGNI.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCASEEZUU.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCASZ3ADC.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAU8X8WE.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAVAQC0A.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAWIUX1F.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAXU5XN9.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCAZF8L0Q.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

The selected area was scanned.


P.S. Can you see if y AntiVirus Avast is running? The little icon in the tray has disappeared!

Edited by kasperbs, 05 September 2008 - 03:45 AM.

  • 0

Advertisements

#11
Mike
Posted 05 September 2008 - 04:11 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

How is your PC running now? If everything is OK we will go on to removing all those tools and do a final cleanup.
  • 0

#12
kasperbs
Posted 05 September 2008 - 05:06 AM

kasperbs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi and thanks, the PC seems to be running fine. Just a few questions:

What should I do about the infections that Kaspersky online scanner found?

Can you see if my Avast Antivirus is enabled? The tray icon has disappeared!

Thanks for all your help, it is much appreciated, can't stress that enough.
  • 0

#13
Mike
Posted 05 September 2008 - 06:38 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi :)

These here:

C:\Documents and Settings\Rudolf\My Documents\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\Rudolf\My Documents\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
C:\Documents and Settings\Rudolf\My Documents\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Documents and Settings\Rudolf\My Documents\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c1


Are not malicious, they are related to a remote admin program VNC.

These have been removed by ATFCleaner.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA0PQIRK.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA17UQHG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2T89CVMV\acCA1ISELG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
...


And the others are in quarantine which we will remove now.

Avast! is present in your log, start the program through Start > all programs > Avast! and that should get it back. If not maybe uninstall/reinstall it and everything should be fine.

Click START then RUN
Now type Combofix /u in the runbox and click OK
Posted Image
Notice the space between the x and / -- That needs to be there.

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.

MalwareBytes' Anti-Malware needs to be uninstalled manually through add or remove programs.

Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
    • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0

#14
kasperbs
Posted 05 September 2008 - 08:15 AM

kasperbs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Everything seems to be running fine now. I will uninstall and install Avast again to make it work. Thanks for all your help. Hopefully I wont need it again :)
  • 0

#15
Mike
Posted 05 September 2008 - 09:30 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
If you stay away from cracks you'll be pretty well off :)

Take care and have a great day still!

Mike
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP