Vundo & Conhook and ?


#1
Funk606
Member, 11 posts
Hey, I downloaded a program 2 days ago. I had a bad feeling about running one of them, and after I ran it I keep getting all kinds of different warnings that I've got spyware and viruses and whatever. I installed a new antivirus (Norton 2006); it cleaned up some of my viruses. I tried VundoFix.exe, HijackThis, SpyEraser and Spybot. I used HijackThis and was in msconfig to try to stop some unwanted programs from running, used HijackThis to delete even more, and VundoFix to clean before and after I went into safe mode, but I keep getting popups when I use Internet Explorer. I hope you can help me. Kind regards, Jens Peter Funk

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:27:15, on 23-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmer\Fælles filer\Teleca Shared\Generic.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmer\Internet Explorer\iexplore.exe
H:\Temp Download\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C82097C-73A4-492F-BF51-A8E6745B631F} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Programmer\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\system32\byxxvsr.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programmer\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmer\Fælles filer\Symantec Shared\SymProbe.exe -r "C:\Programmer\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f010.mail.jub...ileUploader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.dans...B/e-Safekey.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programmer\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: byxxvsr - C:\WINDOWS\SYSTEM32\byxxvsr.dll
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: pmnnlig - pmnnlig.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9535 bytes
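As an added illustration (this is not code from the thread, from HijackThis or from the VundoFix authors), the following Python script applies the triage a malware helper does by eye on the log above. It flags unnamed BHOs loaded from system32, Run keys that use rundll32 to load a system32 DLL by full path, Winlogon Notify entries whose DLL is reported missing, and the same DLL registered as both a BHO and a Winlogon Notify handler, which is the pairing visible in this log (ddccc.dll and byxxvsr.dll) and the reason the infection survives a reboot. The sample lines are copied from the logs in this thread; the heuristics and all function names are assumptions made for the example, not HijackThis features, so a legitimate entry can still trip them and a flagged line is a lead to check, not a verdict.

```python
"""Triage a HijackThis log for the Vundo/Conhook pattern seen in this thread.

Heuristics (assumptions made for this example, not HijackThis rules):
  * O2  - an unnamed BHO ("(no name)") whose DLL lives in system32
  * O4  - a Run entry that uses rundll32 to load a DLL from system32 by full path
  * O20 - a Winlogon Notify entry whose DLL is reported "(file missing)"
  * O2 + O20 - the same DLL registered as both a BHO and a Winlogon Notify handler
"""
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# including two legitimate BHOs (Adobe, Spybot) that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C82097C-73A4-492F-BF51-A8E6745B631F} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\system32\byxxvsr.dll
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bifgoaxp.dll",setvm
O20 - Winlogon Notify: byxxvsr - C:\WINDOWS\SYSTEM32\byxxvsr.dll
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: pmnnlig - pmnnlig.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_\-]+\.dll)", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def parse_entry(line):
    """Return (section, body, dll basename in lower case or None), or None for non-entry lines."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    section, body = match.groups()
    dlls = DLL_RE.findall(body)
    dll = dlls[-1].lower() if dlls else None  # the last .dll token is the module being loaded
    return section, body, dll


def triage(log_text):
    """Return a list of (section, dll, reason) findings for the log."""
    findings = []
    bho_dlls, notify_dlls = set(), set()
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body, dll = parsed
        if section == "O2" and dll:
            bho_dlls.add(dll)
            if body.startswith("BHO: (no name)") and SYSTEM32_RE.search(body):
                findings.append((section, dll, "unnamed BHO loaded from system32"))
        elif section == "O4" and dll:
            if "rundll32" in body.lower() and SYSTEM32_RE.search(body):
                findings.append((section, dll, "Run key uses rundll32 to load a system32 DLL by full path"))
        elif section == "O20" and dll:
            notify_dlls.add(dll)
            if "(file missing)" in body:
                findings.append((section, dll, "Winlogon Notify handler whose DLL no longer exists"))
    # The Vundo/Conhook pairing: one DLL hooked both into the browser and into winlogon,
    # so whichever copy is killed first is restored by the other.
    for dll in sorted(bho_dlls & notify_dlls):
        findings.append(("O2+O20", dll, "same DLL registered as BHO and Winlogon Notify handler"))
    return findings


def flagged_dlls(log_text):
    """Set of DLL basenames that triage() flagged for any reason."""
    return {dll for _, dll, _ in triage(log_text)}


def correlated_dlls(log_text):
    """Set of DLL basenames registered as both a BHO and a Winlogon Notify handler."""
    return {dll for section, dll, _ in triage(log_text) if section == "O2+O20"}


if __name__ == "__main__":
    for section, dll, reason in triage(SAMPLE_LOG):
        print(f"{section:<7} {dll:<16} {reason}")
```

Run on the sample it reports four DLLs (ddccc.dll, byxxvsr.dll, bifgoaxp.dll, pmnnlig.dll) and leaves the Adobe and Spybot helpers alone even though Spybot's BHO is also listed as "(no name)", because the system32 location is part of the test. Pasting a whole log into SAMPLE_LOG works unchanged; the non-entry lines (process list, header) are skipped by parse_entry.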

#2
loophole
Malware Expert (Retired Staff), 9,798 posts
Hi :whistling:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#3
Funk606
Topic Starter, Member, 11 posts
I already used FixVundo.exe + VundoFix.exe and KillVundo.bat, have been in safe mode 10+ times, and used Norton to kill I don't know how many files. It seems every time I use Internet Explorer I get pop-ups, and Norton will detect new viruses/trojans + DLL files + infostealers. Not sure this was my last scan with FixVundo, but here are my logs. Hope you can help me. I'm starting to think a format and new OS is my only way of getting rid of it :whistling: Kind regards, J.P. Funk

Symantec Trojan.Vundo Removal Tool 1.5.0
The process "iexplore.exe" might be affected by the threat. It has been suspended.
The process "iexplore.exe" might be affected by the threat. It has been terminated.


The scanning procedure was cancelled.


Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 3834
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral processes suspended: 1
The number of viral threads terminated: 0
The number of registry entries fixed: 0

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:53:50, on 23-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmer\Fælles filer\Teleca Shared\CapabilityManager.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programmer\Fælles filer\Teleca Shared\Generic.exe
C:\Programmer\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Skrivebord\VundoFix\VundoFix\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B98F528-751E-4191-A3C9-CE99B51B3F34} - C:\WINDOWS\system32\awvtt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Programmer\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\system32\ddcayaa.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programmer\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmer\Fælles filer\Symantec Shared\SymProbe.exe -r "C:\Programmer\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bifgoaxp.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f010.mail.jub...ileUploader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.dans...B/e-Safekey.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programmer\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: ddcayaa - C:\WINDOWS\SYSTEM32\ddcayaa.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9046 bytes

#4
loophole
Malware Expert (Retired Staff), 9,798 posts
Hi :help:

Don't reformat because of this; we will clean it up :blink:

I don't know what VundoFix log you posted :whistling: Looks like Symantec's.

Let's go this route.

Please download ComboFix and save it to your desktop. Please make sure you put it on your desktop or the next step won't work.

Next click Start >>> Run.

In the white Run box, please copy and paste everything in bold below into the Run box and click OK:

"%userprofile%\desktop\combofix.exe" /v ddcayaa

When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5
Funk606
Topic Starter, Member, 11 posts
OK, will try and download that file and try it when I get home; at the moment I'm at an ex-girlfriend's place. Just wanted to say thanks for taking the time to help me. I know I could "just" format and reinstall XP, but with 6 programs to burn CDs/DVDs, 10 or more Daemon Tools, 3 media players, WinRAR/WinAce/WinZip... blah blah blah, you know how it is. Forgot to update my Ghost images, grrr. Anyway, thanks, will post new logs after I've tried that new program.

#6
loophole
Malware Expert (Retired Staff), 9,798 posts
OK sounds good. :whistling:

#7
Funk606
Topic Starter, Member, 11 posts
Could not get it to run by copy/pasting that line, but I just ran it manually?!? This is the log I got. And by the way, I just tried to use Internet Explorer, and I'm still getting popups.

"Administrator" - 07-03-24 16:21:11 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Administrator\Skrivebord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bund1\a6.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\install.log
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\bund1


((((((((((((((((((((((((((((((( Files Created from 2007-02-24 to 2007-03-24 ))))))))))))))))))))))))))))))))))


2007-03-24 16:16 438,432 ---hs---- C:\WINDOWS\system32\utstv.ini2
2007-03-24 16:11 26,697 --a------ C:\WINDOWS\system32\ljjigdc.dll
2007-03-23 17:44 436,876 ---hs---- C:\WINDOWS\system32\utstv.bak1
2007-03-23 17:43 280,676 ---hs---- C:\WINDOWS\system32\vtstu.dll
2007-03-23 17:38 26,725 --a------ C:\WINDOWS\system32\ljjjkhf.dll
2007-03-23 17:29 26,697 --a------ C:\WINDOWS\system32\gebcayv.dll
2007-03-23 16:50 26,697 --a------ C:\WINDOWS\system32\fccaxwv.dll
2007-03-23 16:28 26,697 --a------ C:\WINDOWS\system32\tuvvvut.dll
2007-03-23 16:22 123,972 --a------ C:\WINDOWS\system32\bifgoaxp.dll
2007-03-23 16:05 26,697 --a------ C:\WINDOWS\system32\ddcayaa.dll
2007-03-23 11:15 26,697 --a------ C:\WINDOWS\system32\ssqromm.dll
2007-03-23 04:07 437,729 ---hs---- C:\WINDOWS\system32\cccdd.bak1
2007-03-23 04:07 123,972 --a------ C:\WINDOWS\system32\vuplegcp.dll
2007-03-23 01:06 280,676 --a------ C:\WINDOWS\system32\ddabx.dll
2007-03-23 00:06 280,676 --a------ C:\WINDOWS\system32\ddayv.dll
2007-03-22 23:06 280,676 --a------ C:\WINDOWS\system32\geebc.dll
2007-03-22 23:06 280,676 --a------ C:\WINDOWS\system32\gebyx.dll
2007-03-22 21:02 280,676 --a------ C:\WINDOWS\system32\ddcyv.dll
2007-03-22 19:02 280,676 --a------ C:\WINDOWS\system32\mljgd.dll
2007-03-22 18:25 280,676 --a------ C:\WINDOWS\system32\ddcyy.dll
2007-03-22 18:19 <DIR> d-------- C:\Programmer\HJT
2007-03-22 18:18 280,676 --a------ C:\WINDOWS\system32\vtsqo.dll
2007-03-22 18:18 280,676 --a------ C:\WINDOWS\system32\ssqrp.dll
2007-03-22 18:13 26,697 --a------ C:\WINDOWS\system32\tuvwwvv.dll
2007-03-22 18:00 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:48 26,697 --a------ C:\WINDOWS\system32\xxyvspp.dll
2007-03-22 17:40 26,697 --a------ C:\WINDOWS\system32\pmnnlli.dll
2007-03-22 17:26 26,697 --a------ C:\WINDOWS\system32\xxywwwx.dll
2007-03-22 17:14 26,697 --a------ C:\WINDOWS\system32\cbxxvvu.dll
2007-03-22 17:08 26,697 --a------ C:\WINDOWS\system32\opnlkjh.dll
2007-03-22 16:01 26,697 --a------ C:\WINDOWS\system32\fccyyyv.dll
2007-03-22 15:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-22 15:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-03-22 14:59 <DIR> d-------- C:\Programmer\Uniblue
2007-03-22 14:39 26,697 --a------ C:\WINDOWS\system32\ddcywuv.dll
2007-03-22 13:49 26,697 --a------ C:\WINDOWS\system32\opnmkkl.dll
2007-03-22 13:26 26,697 --a------ C:\WINDOWS\system32\jkkkifg.dll
2007-03-22 13:14 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-22 13:14 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-03-22 13:14 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-03-22 13:14 <DIR> d-------- C:\Programmer\Norton AntiVirus
2007-03-22 13:01 26,697 --a------ C:\WINDOWS\system32\xxyvutt.dll
2007-03-22 12:34 26,697 --a------ C:\WINDOWS\system32\hggggfc.dll
2007-03-22 12:16 26,697 --a------ C:\WINDOWS\system32\opnljjh.dll
2007-03-20 14:12 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-03-20 14:12 <DIR> d-------- C:\Programmer\AGEIA Technologies
2007-03-16 20:13 <DIR> d-------- C:\Programmer\MSN Messenger
2007-03-16 18:54 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-03-13 21:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\GetRightToGo
2007-03-12 14:07 <DIR> d-------- C:\Programmer\DAEMON Tools
2007-03-12 13:29 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-03-12 13:29 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-03-12 13:29 <DIR> d-------- C:\Programmer\OpenAL
2007-03-10 17:25 <DIR> d-------- C:\WINDOWS\system32\BattleHQ
2007-03-10 17:20 <DIR> d-------- C:\WINDOWS\Close Combat Cross of Iron
2007-03-08 19:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ascaron Entertainment
2007-03-07 22:14 <DIR> d-------- C:\Programmer\DFX
2007-03-07 22:13 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-07 22:13 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-07 22:13 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-03-07 22:13 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-03-07 22:12 <DIR> d-------- C:\Programmer\Winamp
2007-03-05 09:18 <DIR> d-------- C:\Programmer\Disc2Phone
2007-03-05 09:12 85,408 -ra------ C:\WINDOWS\system32\drivers\w810mgmt.sys
2007-03-05 09:12 83,344 -ra------ C:\WINDOWS\system32\drivers\w810obex.sys
2007-03-05 09:11 94,064 -ra------ C:\WINDOWS\system32\drivers\w810mdm.sys
2007-03-05 09:11 8,336 -ra------ C:\WINDOWS\system32\drivers\w810mdfl.sys
2007-03-05 09:11 6,176 -ra------ C:\WINDOWS\system32\drivers\w810cmnt.sys
2007-03-05 09:11 6,176 -ra------ C:\WINDOWS\system32\drivers\w810cm.sys
2007-03-05 09:11 58,288 -ra------ C:\WINDOWS\system32\drivers\w810bus.sys
2007-03-05 09:11 5,808 -ra------ C:\WINDOWS\system32\drivers\w810whnt.sys
2007-03-05 09:11 5,808 -ra------ C:\WINDOWS\system32\drivers\w810wh.sys
2007-03-05 08:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Teleca
2007-03-05 08:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sony Ericsson
2007-03-05 08:56 <DIR> d-------- C:\Programmer\Sony Ericsson
2007-03-05 08:56 <DIR> d-------- C:\Programmer\Fælles filer\Teleca Shared
2007-03-05 08:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Documents
2007-03-05 08:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
2007-03-05 08:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-03-04 14:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TeamViewer
2007-03-04 14:57 206,648 --a------ C:\DOCUME~1\ADMINI~1\DynGate_Setup.exe
2007-03-04 14:57 <DIR> d-------- C:\Programmer\DynGate
2007-03-04 14:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\temp
2007-03-02 21:31 <DIR> d-------- C:\temp
2007-03-02 21:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Media Center Programs
2007-03-02 20:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-02-24 12:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-02-24 12:54 <DIR> d-------- C:\Programmer\uTorrent
2007-02-24 01:26 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-22 22:18 -------- d-------- C:\Programmer\teamspeak2_rc2
2007-03-22 15:12 -------- d--h----- C:\Programmer\installshield installation information
2007-03-22 15:10 -------- d-------- C:\Programmer\Fælles filer\wise installation wizard
2007-03-22 15:06 -------- d-------- C:\Programmer\Fælles filer\symantec shared
2007-03-22 13:35 -------- d-------- C:\Programmer\symantec
2007-03-14 20:29 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
2007-03-12 14:00 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-10 17:29 73364 --a------ C:\WINDOWS\system32\perfc006.dat
2007-03-10 17:29 414976 --a------ C:\WINDOWS\system32\perfh006.dat
2007-03-07 15:17 -------- d-------- C:\Programmer\nbpro
2007-03-07 15:04 -------- d-------- C:\Programmer\dc++
2007-02-16 16:54 -------- d-------- C:\Programmer\java
2007-02-12 17:22 538256 --a------ C:\WINDOWS\system32\symneti.dll
2007-02-12 17:22 31888 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-02-12 17:22 28304 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-02-12 17:22 24720 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-02-12 17:22 196752 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-02-12 17:22 161424 --a------ C:\WINDOWS\system32\symredir.dll
2007-02-12 17:22 12944 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-02-12 17:22 110736 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-02-01 18:43 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\my games
2007-02-01 13:39 -------- d-------- C:\Programmer\curerom
2007-01-27 20:15 21840 --a------ C:\WINDOWS\system32\sintfnt.dll
2007-01-27 20:15 17212 --a------ C:\WINDOWS\system32\sintf32.dll
2007-01-27 20:15 12067 --a------ C:\WINDOWS\system32\sintf16.dll
2007-01-27 17:59 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\petroglyph
2007-01-24 01:14 -------- d-------- C:\Programmer\videolan
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LDM"="C:\\Programmer\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Sony Ericsson PC Suite"="\"C:\\Programmer\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"NAV CfgWiz"="C:\\Programmer\\Fælles filer\\Symantec Shared\\SymProbe.exe -r \"C:\\Programmer\\Norton AntiVirus\\CfgWiz.exe\" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE \"REBOOT\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\bifgoaxp.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menuen Start^Programmer^Start^Sid Registration.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Menuen Start\\Programmer\\Start\\Sid Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\Sid Registration.lnkStartup"
"location"="Startup"
"command"="D:\\ATR1.exe /remind /language=DAN /PRNM=\"Sid\"/PRMP=\"PIRS\"/SKUN=\"PCXX\"/GTYP=\"STRY\""
"item"="Sid Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^LG SyncManager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start\\LG SyncManager.lnk"
"backup"="C:\\WINDOWS\\pss\\LG SyncManager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LGPCSU~1\\LGPCSY~1\\LGSYNC~1.EXE "
"item"="LG SyncManager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^VIA RAID TOOL.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start\\VIA RAID TOOL.lnk"
"backup"="C:\\WINDOWS\\pss\\VIA RAID TOOL.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\VIA\\RAID\\RAID_T~1.EXE "
"item"="VIA RAID TOOL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Anti-Blaxx"
"hkey"="HKLM"
"command"="C:\\Programmer\\Anti-Blaxx\\Anti-Blaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AsusProb"
"hkey"="HKLM"
"command"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Programmer\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Programmer\\Fælles filer\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C46 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I0T1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P23 \"EPSON Stylus C46 Series\" /O6 \"USB001\" /M \"Stylus C46\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgcmd"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\FLLESF~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\Fælles filer\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Programmer\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Programmer\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LAUNCH~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PcSync2"
"hkey"="HKCU"
"command"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vuplegcp"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\vuplegcp.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Programmer\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Programmer\\Winamp\\winampa.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}"=""
"{182B90A3-F372-438A-800C-6814B4DE417B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"_NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayaa
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkhf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
bthsvcs REG_MULTI_SZ BthServ\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{072f6452-4695-11da-9d04-806d6172696f}]
Shell\AutoRun\command G:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{29238fb2-7554-11da-9284-806d6172696f}]
Shell\AutoRun\command E:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e2ec166-7ecd-11da-b1ca-806d6172696f}]
Shell\AutoRun\command G:\kochstart\kochstart.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3387ea6a-3966-11da-ae07-806d6172696f}]
Shell\AutoRun\command G:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{49e5964a-2868-11da-a752-0013d46f36cd}]
Shell\AutoRun\command G:\launcher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d41e0fe-7614-11da-80cd-806d6172696f}]
Shell\AutoRun\command D:\SETUP.EXE 517

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{957c8a80-675d-11da-9280-806d6172696f}]
Shell\AutoRun\command D:\LaunchBFII.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9fd0ee34-64bc-11da-9ccd-806d6172696f}]
Shell\AutoRun\command G:\kochstart\kochstart.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a74f5668-8ccc-11da-b888-806d6172696f}]
Shell\AutoRun\command D:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b105d06a-35dd-11da-8c7f-806d6172696f}]
Shell\AutoRun\command G:\launcher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b56a92d1-626d-11da-b1a0-806d6172696f}]
Shell\AutoRun\command F:\AutoRun.exe --autorun
Shell\autorun_0\command F:\AutoRun.exe
Shell\autorun_1\command F:\Gothic2-Setup.exe
Shell\autorun_2\command notepad ReadMe.txt

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cc826782-4307-11da-b68b-0013d46f36cd}]
Shell\AutoRun\command D:\T-72.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5c4986a-37d5-11da-8b97-806d6172696f}]
Shell\AutoRun\command G:\launcher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc131306-5218-11da-8595-806d6172696f}]
Shell\AutoRun\command G:\kochstart\kochstart.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f743169e-40fc-11da-9008-806d6172696f}]
Shell\AutoRun\command G:\autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Administrator.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-24 16:25:42
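As an added example, not part of this thread or of any tool named in it: a small Python triage script that reads an excerpt in the format of the "Reg Loading Points" section of the log above and flags the load points a malware helper looks for in such output: rundll32 loading a random-named DLL from system32, Winlogon\Notify subkeys, and a SecurityProviders entry beyond the stock set. The excerpt is constructed from values in the posted log; the XP default provider list and the 5-8 lowercase-letter name heuristic are assumptions.

```python
import re

# Constructed excerpt in the format of the "Reg Loading Points" section of the
# posted log (entry values are copied from it; everything else is omitted).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\bifgoaxp.dll\",setvm"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\vuplegcp.dll\",setvm"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayaa
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
'''

# Assumption: the stock Windows XP SecurityProviders list; anything extra deserves a look.
SECURITY_PROVIDER_DEFAULTS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# "rundll32 <dll>,<export>" with an optionally quoted DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(.+?\.dll)"?\s*,\s*(\w+)', re.I)
# Heuristic only: the Vundo-style names in this log are 5-8 lowercase letters.
RANDOM_DLL_RE = re.compile(r'^[a-z]{5,8}\.dll$')


def looks_random_dll(basename):
    return bool(RANDOM_DLL_RE.match(basename))


def analyze(text):
    """Return (kind, indicator, where) triples for suspicious load points in the log."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.lower().startswith("hkey_"):
            # Bare key without values, which is how the log lists Winlogon\Notify subkeys.
            if "\\winlogon\\notify\\" in line.lower():
                findings.append(("winlogon_notify", line.rsplit("\\", 1)[-1], line))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        # Undo the .reg-style escaping of \" and \\ in the value column.
        name, value = m.group(1), re.sub(r'\\(.)', r'\1', m.group(2))
        if name.lower() == "securityproviders":
            for dll in (d.strip().lower() for d in value.split(",")):
                if dll and dll not in SECURITY_PROVIDER_DEFAULTS:
                    findings.append(("security_provider", dll, key))
            continue
        rm = RUNDLL_RE.search(value)
        if rm:
            dll_path, export = rm.groups()
            base = dll_path.rsplit("\\", 1)[-1]
            if looks_random_dll(base):
                findings.append(("rundll32_random_dll", base, f"{key}\\{name} -> {export}"))
    return findings


for kind, indicator, where in analyze(SAMPLE_LOG):
    print(f"{kind:20} {indicator:13} {where}")
```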

#8
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi :whistling:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard (including and starting with "files to delete") by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\ljjigdc.dll
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\ljjjkhf.dll
C:\WINDOWS\system32\gebcayv.dll
C:\WINDOWS\system32\fccaxwv.dll
C:\WINDOWS\system32\tuvvvut.dll
C:\WINDOWS\system32\bifgoaxp.dll
C:\WINDOWS\system32\ddcayaa.dll
C:\WINDOWS\system32\ssqromm.dll
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\vuplegcp.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\tuvwwvv.dll
C:\WINDOWS\system32\xxyvspp.dll
C:\WINDOWS\system32\pmnnlli.dll
C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\cbxxvvu.dll
C:\WINDOWS\system32\opnlkjh.dll
C:\WINDOWS\system32\fccyyyv.dll
C:\WINDOWS\system32\ddcywuv.dll
C:\WINDOWS\system32\opnmkkl.dll
C:\WINDOWS\system32\jkkkifg.dll
C:\WINDOWS\system32\xxyvutt.dll
C:\WINDOWS\system32\hggggfc.dll
C:\WINDOWS\system32\opnljjh.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayaa
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkhf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B98F528-751E-4191-A3C9-CE99B51B3F34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B98F528-751E-4191-A3C9-CE99B51B3F34}
registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | SoundService


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

#9
Funk606
    Member
  • Topic Starter
  • Member
  • 11 posts
I ran Avenger and the script, but after reboot Norton picked up new files/virus/blabla. I must admit I'm at the format & new OS point now. I did just want to say thanks for using time trying to save my OS :whistling:
MVH. J.P. Funk, Denmark.

#10
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Can you post the Avenger.txt please? If you ran the program correctly your problem should be gone. To reformat over something so minor, which we can clean, would really be a shame.

#11
Funk606
    Member
  • Topic Starter
  • Member
  • 11 posts
I formatted and installed a new XP, but now I've got a new problem. I'm using an Abit KR7A-RAID motherboard, and I can't seem to get one of my RAID controllers up and running. I did DL the VIA 4in1 Hyperion; it got one of my RAID controllers to work, but I still can't get the last one to work. I did DL the HighPoint HPT372 + HPT374 driver, but when I try to manually update the driver, by pointing it to where I've got the HPT374 driver, it won't update it.

Sorry, I know it's the wrong forum; I did not know where else to post it, so I gave it a chance by posting it here ;-)

Mvh. Jens Peter Funk (Denmark)

#12
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
I could try to help you with that, but there are much more competent people with this. Try the XP forum or the hardware forum :whistling:

#13
Funk606
    Member
  • Topic Starter
  • Member
  • 11 posts
Hmm, tried to make a post under hardware, but no response. You sure you don't have any ideas?
So far I tried the HighPoint hpt374-win-3.06-0919 and the VIA Via_hyperionpro_511a drivers. The VIA got one of my RAIDs working, but with the HighPoint I can't seem to get my XP Pro to install from the files; I try to manually install the HPT374, but it won't accept it :whistling:
I'm using an Abit KR7A-RAID motherboard.

MVH Jens Peter Funk

Edited by Funk606, 06 April 2007 - 07:14 PM.


#14
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi Funk

I'll PM someone to look at it.

#15
Funk606
    Member
  • Topic Starter
  • Member
  • 11 posts
Thanks loop! Will check the forum when I get back home.