Virtumonde won't be gone [RESOLVED]


#1 - Segato (Member, 12 posts)

From VBG.txt

[08/01/2006, 12:04:37] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Sebbe\Skrivbord\VirtumundoBeGone.exe" )
[08/01/2006, 12:04:41] - Detected System Information:
[08/01/2006, 12:04:41] - Windows Version: 5.1.2600, Service Pack 2
[08/01/2006, 12:04:41] - Current Username: Sebbe (Admin)
[08/01/2006, 12:04:41] - Windows is in SAFE mode with Networking.
[08/01/2006, 12:04:41] - Searching for Browser Helper Objects:
[08/01/2006, 12:04:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/01/2006, 12:04:41] - BHO 2: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
[08/01/2006, 12:04:41] - BHO 3: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
[08/01/2006, 12:04:41] - BHO 4: {E8C21DDF-D6B9-4337-801D-38F94EBD8BC3} ()
[08/01/2006, 12:04:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/01/2006, 12:04:41] - Checking for HKLM\...\Winlogon\Notify\geeda
[08/01/2006, 12:04:41] - Found: HKLM\...\Winlogon\Notify\geeda - This is probably Virtumundo.
[08/01/2006, 12:04:41] - Assigning {E8C21DDF-D6B9-4337-801D-38F94EBD8BC3} MSEvents Object
[08/01/2006, 12:04:41] - BHO list has been changed! Starting over...
[08/01/2006, 12:04:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/01/2006, 12:04:41] - BHO 2: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
[08/01/2006, 12:04:41] - BHO 3: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
[08/01/2006, 12:04:41] - BHO 4: {E8C21DDF-D6B9-4337-801D-38F94EBD8BC3} (MSEvents Object)
[08/01/2006, 12:04:41] - ALERT: Found MSEvents Object!
[08/01/2006, 12:04:41] - Finished Searching Browser Helper Objects
[08/01/2006, 12:04:41] - *** Detected MSEvents Object
[08/01/2006, 12:04:41] - Trying to remove MSEvents Object...
[08/01/2006, 12:04:42] - Terminating Process: IEXPLORE.EXE
[08/01/2006, 12:04:43] - Terminating Process: RUNDLL32.EXE
[08/01/2006, 12:04:43] - Disabling Automatic Shell Restart
[08/01/2006, 12:04:43] - Terminating Process: EXPLORER.EXE
[08/01/2006, 12:04:43] - Suspending the NT Session Manager System Service
[08/01/2006, 12:04:43] - Terminating Windows NT Logon/Logoff Manager


HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:14:14, on 2006-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\Norman\bin\ZLH.EXE
C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program\Sony\SONICS~1\SsAAD.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program\Evrsoft\1st Page 2000\Templates\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program\Evrsoft\1st Page 2000\Templates\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: ZyAIR G-220 Utility.lnk = C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe


Any suggestions?

#2 - therock247uk (Expert, MVP, 14,672 posts)

Go to where you saved Hijackthis.exe (C:\HJT), right-click on Hijackthis.exe, click Rename, rename it to hjt.exe, reopen it, make a log, then post it here in a reply...

#3 - Segato (Topic Starter, Member, 12 posts)

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 20:03:00, on 2006-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Norman\bin\ZLH.EXE
C:\Norman\Npf\BIN\npfmsg2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ISS\BlackICE\blackice.exe
C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\HJT\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Segato pwnz IE !!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7EFECB2F-B539-45EC-B354-42C90AF29FB3} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program\ISS\BlackICE\blackice.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: ZyAIR G-220 Utility.lnk = C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program\ISS\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe


#4 - therock247uk (Expert, MVP, 14,672 posts)

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#5 - Segato (Topic Starter, Member, 12 posts)

VundoFix V6.0.2

Checking Java version...

Sun Java not detected
Scan started at 21:02:54 2006-08-18

Listing files found while scanning....

No infected files were found.


Beginning removal...

It didn't find any files, but my Norman Virus Control picked up this:

Place: C:\WINDOWS\system32\geeda.dll
W32/Virtumonde.KR

And when I click "close" in the Norman popup, it just appears again.

Edited by Segato, 18 August 2006 - 01:29 PM.

#6 - therock247uk (Expert, MVP, 14,672 posts)

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\geeda.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File


#7 - Segato (Topic Starter, Member, 12 posts)

Your file (geeda.dll) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file.


Edited by Segato, 18 August 2006 - 01:36 PM.


#8 - therock247uk (Expert, MVP, 14,672 posts)

Reboot and post a new Hijackthis log here in a reply...

#9 - Segato (Topic Starter, Member, 12 posts)

Here you go:

Logfile of HijackThis v1.99.1
Scan saved at 16:43:21, on 2006-08-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\bin\ZLH.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program\ISS\BlackICE\blackice.exe
C:\WINDOWS\System32\alg.exe
C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\ISS\BlackICE\rapapp.exe
C:\HJT\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Segato pwnz IE !!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B38D8D2-B33A-4EF3-A002-76269FEEA875} - C:\WINDOWS\system32\geeda.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program\ISS\BlackICE\blackice.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: ZyAIR G-220 Utility.lnk = C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program\ISS\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe



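As an added example (not code from this thread, from HijackThis or from VirtumundoBeGone), the Python below reads the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log and applies the same check VirtumundoBeGone logged in post #1: a BHO with no default name whose DLL is also registered as a Winlogon Notify handler is the Vundo/Virtumonde pattern. It also compares the 2006-08-18 and 2006-08-19 logs posted above, where geeda.dll keeps its path and its Winlogon Notify key but reappears under a different CLSID after the reboot. The sample lines are excerpted from those two logs; the function names, the Entry record and the regexes are the example's own assumptions about the log layout.

```python
"""Added example (not code from the Geeks to Go thread, HijackThis or VirtumundoBeGone).

Reads HijackThis-style O2 (BHO) and O20 (Winlogon Notify) lines, flags the pattern
VirtumundoBeGone logged in post #1 (a BHO with no default name whose DLL is also a
Winlogon Notify handler) plus any "(file missing)" entries, and diffs two logs so a
BHO re-registering under a new CLSID for the same DLL stands out.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line layouts assumed from the logs in this thread, not from HijackThis documentation.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Entry:
    section: str   # "O2" or "O20"
    name: str      # BHO display name, or the Winlogon Notify key name
    clsid: str     # upper-case CLSID for O2, "" for O20
    path: str      # DLL path exactly as logged
    missing: bool  # HijackThis appended "(file missing)"


def parse_log(text: str) -> list[Entry]:
    """Keep only O2 and O20 lines; every other section of the log is ignored."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["clsid"].upper(), m["path"], bool(m["missing"])))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], "", m["path"], bool(m["missing"])))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Return (reason, entry) findings that deserve a second look."""
    notify_paths = {e.path.lower() for e in entries if e.section == "O20"}
    findings: list[tuple[str, Entry]] = []
    for e in entries:
        if e.section == "O2" and e.name == "(no name)":
            reason = "BHO with no default name"
            if e.path.lower() in notify_paths:
                # The check VirtumundoBeGone performed: the unnamed BHO's DLL also hooks
                # Winlogon, which is how the DLL gets reloaded at every logon.
                reason += "; its DLL is also a Winlogon Notify handler (Vundo/Virtumonde pattern)"
            findings.append((reason, e))
        if e.missing:
            findings.append(("registered DLL not present on disk (file missing)", e))
    return findings


def diff_bho_clsids(old: list[Entry], new: list[Entry]) -> list[tuple[str, str, str]]:
    """(path, old_clsid, new_clsid) for BHO DLLs that kept their path but changed CLSID."""
    old_by_path = {e.path.lower(): e for e in old if e.section == "O2"}
    changes: list[tuple[str, str, str]] = []
    for e in new:
        if e.section != "O2":
            continue
        prev = old_by_path.get(e.path.lower())
        if prev is not None and prev.clsid != e.clsid:
            changes.append((e.path, prev.clsid, e.clsid))
    return changes


# Sample input: O2/O20 lines excerpted from the 2006-08-18 and 2006-08-19 HijackThis
# logs in this thread; the other sections are left out.
LOG_0818 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7EFECB2F-B539-45EC-B354-42C90AF29FB3} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
"""

LOG_0819 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B38D8D2-B33A-4EF3-A002-76269FEEA875} - C:\WINDOWS\system32\geeda.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll
"""

if __name__ == "__main__":
    for label, log in (("2006-08-18", LOG_0818), ("2006-08-19", LOG_0819)):
        print(f"== {label} ==")
        for reason, e in flag_entries(parse_log(log)):
            print(f"  {e.section} {e.name} {e.path}: {reason}")
    for path, old_clsid, new_clsid in diff_bho_clsids(parse_log(LOG_0818), parse_log(LOG_0819)):
        print(f"CLSID changed for {path}: {old_clsid} -> {new_clsid}")
```

Keying on the DLL path rather than the CLSID is the point of the diff: between the two logs the CLSID is the value that changed, while the path C:\WINDOWS\system32\geeda.dll and the Winlogon Notify key "geeda" stayed the same, so a tool that only tracks CLSIDs would treat the 2006-08-19 entry as something new instead of the same item coming back.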
#10 - therock247uk (Expert, MVP, 14,672 posts)

Can you delete your current version of VundoFix, redownload it from http://www.atribune..../click.php?id=4 and follow my instructions in my first post again? I need to see the log it makes this time...

#11 - Segato (Topic Starter, Member, 12 posts)

VundoFix V6.1.0

Checking Java version...

Sun Java not detected
Scan started at 09:41:25 2006-08-20

Listing files found while scanning....

No infected files were found.


Beginning removal...



#12 - therock247uk (Expert, MVP, 14,672 posts)

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update", then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen, click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close ewido anti-spyware. Do NOT run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete, do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


#13 - Segato (Topic Starter, Member, 12 posts)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:25:26 2006-08-21

+ Scan result:



C:\WINDOWS\system32\geeda.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program\Tibia\Tibia Black Ice v0.1 version 2.2.exe -> Logger.KeyLogger.551 : Cleaned with backup (quarantined).
:mozilla.411:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.398:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adengage : Cleaned with backup (quarantined).
:mozilla.399:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adengage : Cleaned with backup (quarantined).
:mozilla.400:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adengage : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Adition : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Adition : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Adition : Cleaned with backup (quarantined).
:mozilla.137:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Adition : Cleaned with backup (quarantined).
:mozilla.261:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.262:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.188:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.189:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.190:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.191:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.333:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.408:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.409:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.410:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.511:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
:mozilla.218:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.137:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.192:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.310:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.529:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.530:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.263:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Sebbe\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
:mozilla.413:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.414:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.415:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.473:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.474:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.475:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.476:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
:mozilla.210:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
:mozilla.494:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
:mozilla.196:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.388:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.286:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.287:C:\Documents and Settings\Sebbe\Application Data\Mozilla\Firefox\Profiles\m56oicl6.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end


#14
therock247uk
Expert, MVP, 14,672 posts

Ok, post a new HijackThis log here in a reply...
#15
Segato
Topic Starter, Member, 12 posts

Logfile of HijackThis v1.99.1
Scan saved at 16:18:17, on 2006-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\ewido anti-spyware 4.0\guard.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\ISS\BlackICE\rapapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\bin\ZLH.EXE
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Program\Sony\SONICS~1\SsAAD.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\bin\NJEEVES.EXE
C:\Program\ISS\BlackICE\blackice.exe
C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Segato pwnz IE !!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O2 - BHO: (no name) - {CFAB739D-856B-4B2A-8A88-5CFC2A82FDDC} - C:\WINDOWS\system32\geeda.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program\ISS\BlackICE\blackice.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: ZyAIR G-220 Utility.lnk = C:\Program\ZyAIR G-220 Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program\ISS\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe


And ewido anti-spyware detects geeda.dll all the time, but it seems like it can't clean it.

Edited by Segato, 22 August 2006 - 08:20 AM.
