
Trojan.Vundo [RESOLVED]


This topic is locked.

#1 P.Miroslaw (Member, 45 posts)
I was chatting with a buddy on MSN when I saw some random texts. I wasn't sure what they were and, being the curious person I am, decided to click on the link :)

Now I have all these trojans. I managed to remove some of them, but I still have problems.

Edit: I have tried the removal guides. Got nothing out of them.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:04 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [683bd41e] rundll32.exe "C:\WINDOWS\system32\nsdcslkh.dll",b
O4 - HKLM\..\Run: [BM6b08e782] Rundll32.exe "C:\WINDOWS\system32\fbdiknwe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199583275859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\Software\..\Telephony: DomainName = myplnet.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{46401588-CB34-42CD-9460-630DF58834E3}: NameServer = 192.168.66.101,192.168.66.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = myplnet.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 8922 bytes

Edited by P.Miroslaw, 26 April 2008 - 01:27 PM.



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello P.Miroslaw

Welcome to G2Go. :)
=====================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 P.Miroslaw (Topic Starter, Member, 45 posts)
Thanks for the welcome and thanks for helping me. Here you go, exactly what you asked for.

ComboFix 08-04-26.1 - piotr 2008-04-26 19:41:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2625 [GMT -4:00]
Running from: C:\Documents and Settings\piotr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\wgjipjhj.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 15:15 . 2008-04-26 15:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 11:21 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\VentSrv
2008-04-26 11:18 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-26 11:18 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-26 11:10 . 2008-04-26 15:43 <DIR> d-------- C:\Program Files\Lineage II Interlude
2008-04-26 11:10 . 2008-04-26 11:10 <DIR> d-------- C:\Documents and Settings\piotr\Application Data\InstallShield
2008-04-26 08:45 . 2008-04-26 12:34 2,535,612 ---hs---- C:\WINDOWS\system32\hklscdsn.ini
2008-04-26 08:36 . 2008-04-26 08:36 2,682,757 ---hs---- C:\WINDOWS\system32\fotljypg.ini
2008-04-25 15:10 . 2008-04-26 08:28 1,505,619 ---hs---- C:\WINDOWS\system32\kqtxghyb.ini
2008-04-24 15:09 . 2008-04-25 15:10 1,505,499 ---hs---- C:\WINDOWS\system32\ditntpbj.ini
2008-04-23 20:44 . 2008-04-23 20:44 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-22 23:18 . 2008-04-24 15:03 1,509,699 ---hs---- C:\WINDOWS\system32\ycpkpeew.ini
2008-04-22 19:29 . 2008-04-22 23:16 1,540,977 ---hs---- C:\WINDOWS\system32\uvhdewws.ini
2008-04-22 15:20 . 2008-04-22 19:20 1,540,857 ---hs---- C:\WINDOWS\system32\iyfnkwtd.ini
2008-04-21 15:13 . 2008-04-22 15:14 1,540,737 ---hs---- C:\WINDOWS\system32\mftnssqh.ini
2008-04-21 15:05 . 2008-04-21 15:05 1,540,617 ---hs---- C:\WINDOWS\system32\eyapbcop.ini
2008-04-20 20:23 . 2008-04-20 20:24 1,540,617 ---hs---- C:\WINDOWS\system32\gwjjhowx.ini
2008-04-19 17:57 . 2008-04-20 09:27 1,540,737 ---hs---- C:\WINDOWS\system32\oeosbtaf.ini
2008-04-19 16:52 . 2008-04-19 16:52 1,540,617 ---hs---- C:\WINDOWS\system32\abguxfjj.ini
2008-04-19 10:02 . 2008-04-26 11:09 <DIR> d-------- C:\Program Files\Lineage II
2008-04-18 18:46 . 2008-04-18 18:46 244 --ah----- C:\sqmnoopt00.sqm
2008-04-18 18:46 . 2008-04-18 18:46 232 --ah----- C:\sqmdata00.sqm
2008-04-17 16:01 . 2008-04-18 17:29 1,530,086 ---hs---- C:\WINDOWS\system32\ksugupbm.ini
2008-04-16 15:49 . 2008-04-17 16:00 1,530,053 ---hs---- C:\WINDOWS\system32\mubclbjo.ini
2008-04-15 21:08 . 2008-04-15 21:08 <DIR> d-------- C:\Program Files\TeamViewer3
2008-04-15 21:08 . 2008-04-15 21:10 <DIR> d-------- C:\Documents and Settings\piotr\Application Data\TeamViewer
2008-04-15 21:07 . 2008-04-15 21:07 <DIR> d-------- C:\Documents and Settings\piotr\temp
2008-04-15 15:50 . 2008-04-16 14:52 1,605,053 ---hs---- C:\WINDOWS\system32\bnqafeby.ini
2008-04-14 19:58 . 2008-04-14 19:58 <DIR> d-------- C:\Program Files\Opera
2008-04-14 15:55 . 2008-04-15 14:59 2,454 ---hs---- C:\WINDOWS\system32\jawhlsrn.ini
2008-04-13 00:15 . 2008-04-14 15:44 2,214 ---hs---- C:\WINDOWS\system32\mwfcsraf.ini
2008-04-11 16:22 . 2008-04-13 00:10 1,974 ---hs---- C:\WINDOWS\system32\hojhbxin.ini
2008-04-10 16:23 . 2008-04-11 15:02 1,674 ---hs---- C:\WINDOWS\system32\pecvfwki.ini
2008-04-09 16:20 . 2008-04-10 16:21 1,494 ---hs---- C:\WINDOWS\system32\qxhcmdlu.ini
2008-04-08 16:12 . 2008-04-09 16:13 1,314 ---hs---- C:\WINDOWS\system32\uylyjdap.ini
2008-04-07 16:13 . 2008-04-08 14:54 1,074 ---hs---- C:\WINDOWS\system32\exeqwkas.ini
2008-04-06 16:11 . 2008-04-07 16:12 954 ---hs---- C:\WINDOWS\system32\vpqrirsf.ini
2008-04-05 16:10 . 2008-04-06 16:10 774 ---hs---- C:\WINDOWS\system32\lglrdvgk.ini
2008-04-04 16:09 . 2008-04-05 16:09 414 ---hs---- C:\WINDOWS\system32\xbefvsdb.ini
2008-04-03 16:11 . 2008-04-04 15:00 1,014 ---hs---- C:\WINDOWS\system32\wgutslnj.ini
2008-04-02 15:12 . 2008-04-03 16:06 834 ---hs---- C:\WINDOWS\system32\nhomamtx.ini
2008-04-01 15:09 . 2008-04-02 15:09 714 ---hs---- C:\WINDOWS\system32\pyoaijke.ini
2008-03-31 22:08 . 2008-03-31 22:08 <DIR> d-------- C:\Documents and Settings\sysop
2008-03-31 22:08 . 2008-04-26 19:47 1,024 --ah----- C:\Documents and Settings\sysop\ntuser.dat.LOG
2008-03-31 14:58 . 2008-04-01 15:06 594 ---hs---- C:\WINDOWS\system32\ktofrnch.ini
2008-03-30 15:02 . 2008-03-31 14:50 414 ---hs---- C:\WINDOWS\system32\hkmqkicc.ini
2008-03-29 23:02 . 2008-03-29 23:02 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-29 23:01 . 2008-04-26 15:08 <DIR> d-------- C:\Documents and Settings\piotr\.housecall6.6
2008-03-29 20:47 . 2008-03-29 20:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-29 14:55 . 2008-03-29 20:14 894 ---hs---- C:\WINDOWS\system32\sfwfdbtg.ini
2008-03-29 02:19 . 2008-03-29 02:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-29 00:35 . 2008-03-29 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-28 15:39 . 2008-03-28 15:39 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-28 15:39 . 2008-03-28 15:39 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-03-28 08:24 . 2008-03-29 14:55 714 ---hs---- C:\WINDOWS\system32\ngrmwysm.ini
2008-03-28 00:27 . 2008-03-28 00:30 207 --a------ C:\WINDOWS\wininit.ini
2008-03-28 00:05 . 2008-03-28 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:09 . 2008-03-28 00:30 1,583,681 --ahs---- C:\WINDOWS\system32\njchhjny.ini
2008-03-27 11:09 . 2008-04-26 11:38 109,116 --a------ C:\WINDOWS\BM6b08e782.xml
2008-03-26 11:12 . 2008-03-26 11:12 38,912 --a------ C:\WINDOWS\system32\awttrqp.dll.vir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 23:45 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-26 23:40 --------- d-----w C:\Documents and Settings\piotr\Application Data\Skype
2008-04-26 21:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 21:01 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-26 20:03 --------- d-----w C:\Documents and Settings\piotr\Application Data\skypePM
2008-04-26 15:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 15:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 04:34 --------- d-----w C:\Documents and Settings\piotr\Application Data\LimeWire
2008-04-12 02:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-03 20:12 --------- d-----w C:\Program Files\Java
2008-03-21 20:55 --------- d-----w C:\Documents and Settings\piotr\Application Data\Winamp
2008-03-19 20:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-18 23:44 --------- d-----w C:\Program Files\Winamp
2008-03-18 23:22 --------- d-----w C:\Program Files\Incomplete
2008-03-18 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-18 20:48 --------- d-----w C:\Program Files\Fraps
2008-03-18 20:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-18 20:30 --------- d-----w C:\Documents and Settings\piotr\Application Data\Winamp(2)
2008-03-17 22:42 --------- d-----w C:\Documents and Settings\piotr\Application Data\MahJong Suite
2008-03-15 20:11 --------- d-----w C:\Documents and Settings\piotr\Application Data\Ahead
2008-03-13 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-08 22:59 --------- d-----w C:\Documents and Settings\piotr\Application Data\U3
2008-03-08 04:32 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-08 04:28 --------- d-----w C:\Program Files\LimeWire
2008-03-06 22:47 --------- d-----w C:\Program Files\QuickTime
2008-03-01 03:39 --------- d-----w C:\Documents and Settings\piotr\Application Data\mIRC
2008-03-01 03:34 --------- d-----w C:\Program Files\mIRC
2008-02-26 20:16 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-28 21:01 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-01-13 23:01 22,328 ----a-w C:\Documents and Settings\piotr\Application Data\PnkBstrK.sys
2008-01-06 02:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EB5CEE9-8570-4FFE-90EA-0CB887DAA4A3}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db85023b-77b7-41c2-badb-5dbcd9418812}]
C:\WINDOWS\system32\hxknapxu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 02:00 16050176 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Windows live Messenger"="msn.com" []
"683bd41e"="C:\WINDOWS\system32\nsdcslkh.dll" [ ]
"BM6b08e782"="C:\WINDOWS\system32\fbdiknwe.dll" [ ]

C:\Documents and Settings\piotr\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-05 21:39:25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 14:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 npkycryp;npkycryp;C:\Program Files\Lineage II\system\npkycryp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c8d4a74-ed56-11dc-89c4-001c1060d1ba}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 19:46:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-04-26 19:51:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 23:51:19

Pre-Run: 320,155,541,504 bytes free
Post-Run: 320,529,371,136 bytes free

207 --- E O F --- 2008-03-29 06:47:16

---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {5EB5CEE9-8570-4FFE-90EA-0CB887DAA4A3} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {2188149d-cbd5-bdab-2c14-7b77b32058bd} - {db85023b-77b7-41c2-badb-5dbcd9418812} - C:\WINDOWS\system32\hxknapxu.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [683bd41e] rundll32.exe "C:\WINDOWS\system32\nsdcslkh.dll",b
O4 - HKLM\..\Run: [BM6b08e782] Rundll32.exe "C:\WINDOWS\system32\fbdiknwe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199583275859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\Software\..\Telephony: DomainName = myplnet.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{46401588-CB34-42CD-9460-630DF58834E3}: NameServer = 192.168.66.101,192.168.66.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = myplnet.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 9183 bytes

Edited by P.Miroslaw, 26 April 2008 - 05:53 PM.

  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files, choose No; when it is done, a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
  • 0

#5
P.Miroslaw

P.Miroslaw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Here you go. Did exactly what you have asked for.




WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo.com/forum/Trojan-Vundo-t196231.html

Collect::
C:\WINDOWS\system32\hklscdsn.ini
C:\WINDOWS\system32\fotljypg.ini
C:\WINDOWS\system32\kqtxghyb.ini
C:\WINDOWS\system32\ditntpbj.ini
C:\WINDOWS\system32\ycpkpeew.ini
C:\WINDOWS\system32\uvhdewws.ini
C:\WINDOWS\system32\iyfnkwtd.ini
C:\WINDOWS\system32\mftnssqh.ini
C:\WINDOWS\system32\eyapbcop.ini
C:\WINDOWS\system32\gwjjhowx.ini
C:\WINDOWS\system32\oeosbtaf.ini
C:\WINDOWS\system32\abguxfjj.ini
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
C:\WINDOWS\system32\ksugupbm.ini
C:\WINDOWS\system32\mubclbjo.ini
C:\WINDOWS\system32\bnqafeby.ini
C:\WINDOWS\system32\jawhlsrn.ini
C:\WINDOWS\system32\mwfcsraf.ini
C:\WINDOWS\system32\hojhbxin.ini
C:\WINDOWS\system32\pecvfwki.ini
C:\WINDOWS\system32\qxhcmdlu.ini
C:\WINDOWS\system32\uylyjdap.ini
C:\WINDOWS\system32\exeqwkas.ini
C:\WINDOWS\system32\vpqrirsf.ini
C:\WINDOWS\system32\lglrdvgk.ini
C:\WINDOWS\system32\xbefvsdb.ini
C:\WINDOWS\system32\wgutslnj.ini
C:\WINDOWS\system32\nhomamtx.ini
C:\WINDOWS\system32\pyoaijke.ini
C:\WINDOWS\system32\ktofrnch.ini
C:\WINDOWS\system32\hkmqkicc.ini
C:\WINDOWS\system32\sfwfdbtg.ini
C:\WINDOWS\system32\ngrmwysm.ini
C:\WINDOWS\system32\njchhjny.ini
File::
C:\WINDOWS\BM6b08e782.xml
C:\WINDOWS\system32\awttrqp.dll.vir
Folder::
C:\Program Files\Viewpoint\Common\ViewpointService.exe
Driver::
Viewpoint Manager Service
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EB5CEE9-8570-4FFE-90EA-0CB887DAA4A3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db85023b-77b7-41c2-badb-5dbcd9418812}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows live Messenger"=-
"683bd41e"=-
"BM6b08e782"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

  • 0

#7
P.Miroslaw

P.Miroslaw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Here is the new combofix log and the hijackthis log. I was also told to tell you that I have submitted the file.


ComboFix 08-04-26.1 - piotr 2008-04-26 20:36:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2660 [GMT -4:00]
Running from: C:\Documents and Settings\piotr\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\piotr\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM6b08e782.xml
C:\WINDOWS\system32\awttrqp.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Viewpoint\Common\ViewpointService.exe\
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\WINDOWS\BM6b08e782.xml
C:\WINDOWS\system32\abguxfjj.ini
C:\WINDOWS\system32\awttrqp.dll.vir
C:\WINDOWS\system32\bnqafeby.ini
C:\WINDOWS\system32\ditntpbj.ini
C:\WINDOWS\system32\exeqwkas.ini
C:\WINDOWS\system32\eyapbcop.ini
C:\WINDOWS\system32\fotljypg.ini
C:\WINDOWS\system32\gwjjhowx.ini
C:\WINDOWS\system32\hklscdsn.ini
C:\WINDOWS\system32\hkmqkicc.ini
C:\WINDOWS\system32\hojhbxin.ini
C:\WINDOWS\system32\iyfnkwtd.ini
C:\WINDOWS\system32\jawhlsrn.ini
C:\WINDOWS\system32\kqtxghyb.ini
C:\WINDOWS\system32\ksugupbm.ini
C:\WINDOWS\system32\ktofrnch.ini
C:\WINDOWS\system32\lglrdvgk.ini
C:\WINDOWS\system32\mftnssqh.ini
C:\WINDOWS\system32\mubclbjo.ini
C:\WINDOWS\system32\mwfcsraf.ini
C:\WINDOWS\system32\ngrmwysm.ini
C:\WINDOWS\system32\nhomamtx.ini
C:\WINDOWS\system32\njchhjny.ini
C:\WINDOWS\system32\oeosbtaf.ini
C:\WINDOWS\system32\pecvfwki.ini
C:\WINDOWS\system32\pyoaijke.ini
C:\WINDOWS\system32\qxhcmdlu.ini
C:\WINDOWS\system32\sfwfdbtg.ini
C:\WINDOWS\system32\uvhdewws.ini
C:\WINDOWS\system32\uylyjdap.ini
C:\WINDOWS\system32\vpqrirsf.ini
C:\WINDOWS\system32\wgutslnj.ini
C:\WINDOWS\system32\xbefvsdb.ini
C:\WINDOWS\system32\ycpkpeew.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 15:15 . 2008-04-26 15:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 11:21 . 2008-04-26 20:39 <DIR> d-------- C:\Program Files\VentSrv
2008-04-26 11:18 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-26 11:18 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-26 11:10 . 2008-04-26 15:43 <DIR> d-------- C:\Program Files\Lineage II Interlude
2008-04-26 11:10 . 2008-04-26 11:10 <DIR> d-------- C:\Documents and Settings\piotr\Application Data\InstallShield
2008-04-23 20:44 . 2008-04-23 20:44 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-19 10:02 . 2008-04-26 11:09 <DIR> d-------- C:\Program Files\Lineage II
2008-04-15 21:08 . 2008-04-15 21:08 <DIR> d-------- C:\Program Files\TeamViewer3
2008-04-15 21:08 . 2008-04-15 21:10 <DIR> d-------- C:\Documents and Settings\piotr\Application Data\TeamViewer
2008-04-15 21:07 . 2008-04-15 21:07 <DIR> d-------- C:\Documents and Settings\piotr\temp
2008-04-14 19:58 . 2008-04-14 19:58 <DIR> d-------- C:\Program Files\Opera
2008-03-31 22:08 . 2008-03-31 22:08 <DIR> d-------- C:\Documents and Settings\sysop
2008-03-31 22:08 . 2008-04-26 19:50 1,024 --ah----- C:\Documents and Settings\sysop\ntuser.dat.LOG
2008-03-29 23:02 . 2008-03-29 23:02 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-29 23:01 . 2008-04-26 15:08 <DIR> d-------- C:\Documents and Settings\piotr\.housecall6.6
2008-03-29 20:47 . 2008-03-29 20:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-29 02:19 . 2008-03-29 02:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-29 00:35 . 2008-03-29 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-28 15:39 . 2008-03-28 15:39 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-28 15:39 . 2008-03-28 15:39 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-03-28 00:27 . 2008-03-28 00:30 207 --a------ C:\WINDOWS\wininit.ini
2008-03-28 00:05 . 2008-03-28 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 00:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-27 00:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 00:04 --------- d-----w C:\Documents and Settings\piotr\Application Data\LimeWire
2008-04-26 23:52 --------- d-----w C:\Documents and Settings\piotr\Application Data\Skype
2008-04-26 23:48 --------- d-----w C:\Documents and Settings\piotr\Application Data\skypePM
2008-04-26 21:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 15:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 02:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-03 20:12 --------- d-----w C:\Program Files\Java
2008-03-21 20:55 --------- d-----w C:\Documents and Settings\piotr\Application Data\Winamp
2008-03-19 20:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-18 23:44 --------- d-----w C:\Program Files\Winamp
2008-03-18 23:22 --------- d-----w C:\Program Files\Incomplete
2008-03-18 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-18 20:48 --------- d-----w C:\Program Files\Fraps
2008-03-18 20:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-18 20:30 --------- d-----w C:\Documents and Settings\piotr\Application Data\Winamp(2)
2008-03-17 22:42 --------- d-----w C:\Documents and Settings\piotr\Application Data\MahJong Suite
2008-03-15 20:11 --------- d-----w C:\Documents and Settings\piotr\Application Data\Ahead
2008-03-13 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-08 22:59 --------- d-----w C:\Documents and Settings\piotr\Application Data\U3
2008-03-08 04:32 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-08 04:28 --------- d-----w C:\Program Files\LimeWire
2008-03-06 22:47 --------- d-----w C:\Program Files\QuickTime
2008-03-01 03:39 --------- d-----w C:\Documents and Settings\piotr\Application Data\mIRC
2008-03-01 03:34 --------- d-----w C:\Program Files\mIRC
2008-01-28 21:01 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-01-13 23:01 22,328 ----a-w C:\Documents and Settings\piotr\Application Data\PnkBstrK.sys
2008-01-06 02:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_19.51.07.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 23:45:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 00:39:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-26 19:16:26 41,040 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-26 23:49:40 41,040 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-26 19:16:26 314,838 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-26 23:49:40 314,838 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 02:00 16050176 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\piotr\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-05 21:39:25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 14:46]
S3 npkycryp;npkycryp;C:\Program Files\Lineage II\system\npkycryp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c8d4a74-ed56-11dc-89c4-001c1060d1ba}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 20:39:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-26 20:44:54 - machine was rebooted [piotr]
ComboFix-quarantined-files.txt 2008-04-27 00:44:51

Pre-Run: 320,381,673,472 bytes free
Post-Run: 320,408,039,424 bytes free

206 --- E O F --- 2008-03-29 06:47:16






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199583275859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\Software\..\Telephony: DomainName = myplnet.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{46401588-CB34-42CD-9460-630DF58834E3}: NameServer = 192.168.66.101,192.168.66.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = myplnet.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 8436 bytes
  • 0
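
A mechanical way to check a run like the one in posts #6 and #7, as an added example that is not part of this thread and not ComboFix's own code: parse the CFScript into its Collect::/File::/Folder::/Driver::/Registry:: sections, parse the resulting ComboFix log into its banner-delimited sections, and report which requested paths appear under "Other Deletions" and which Driver:: names appear under "Drivers/Services". The two inputs below are abridged excerpts constructed from the script and log posted above; one extra path, ZZ_constructed_missing.ini, is invented so that the "not confirmed" branch is exercised. The section headers and banner layout are taken from the log as posted; the regular expressions and the eight-letter .ini heuristic are assumptions of this example, not documented ComboFix behaviour.

```python
"""Reconcile a ComboFix CFScript with the ComboFix log it produced.

Added example for this thread; not ComboFix's own code.  Section names and
log banners come from the posted script and log; the rest is an assumption.
"""
import re

# Abridged excerpt, constructed from the CFScript in post #6.  The last
# Collect:: path (ZZ_constructed_missing.ini) is invented so that the
# "missing" branch in reconcile() is exercised.
CFSCRIPT = """\
http://www.geekstogo.com/forum/Trojan-Vundo-t196231.html

Collect::
C:\\WINDOWS\\system32\\hklscdsn.ini
C:\\WINDOWS\\system32\\fotljypg.ini
C:\\sqmnoopt00.sqm
C:\\WINDOWS\\system32\\ZZ_constructed_missing.ini
File::
C:\\WINDOWS\\BM6b08e782.xml
C:\\WINDOWS\\system32\\awttrqp.dll.vir
Folder::
C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
Driver::
Viewpoint Manager Service
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{5EB5CEE9-8570-4FFE-90EA-0CB887DAA4A3}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"683bd41e"=-
"""

# Abridged excerpt, constructed from the ComboFix log in post #7.
CFLOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe\\
C:\\sqmnoopt00.sqm
C:\\WINDOWS\\BM6b08e782.xml
C:\\WINDOWS\\system32\\awttrqp.dll.vir
C:\\WINDOWS\\system32\\fotljypg.ini
C:\\WINDOWS\\system32\\hklscdsn.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\\Service_Viewpoint Manager Service
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")            # e.g. "Collect::"
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")         # e.g. "((( Other Deletions )))"
# Eight lowercase letters + .ini under system32, the shape of the names collected above (heuristic).
RANDOM_INI_RE = re.compile(r"\\system32\\[a-z]{8}\.ini$")


def parse_cfscript(text):
    """Map each 'Name::' section to its non-empty lines; text before the first header (the thread URL) is skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_cflog(text):
    """Map each banner title in a ComboFix log to the lines under it, dropping blank and '.' spacer lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def reconcile(script_text, log_text):
    """Report which requested deletions the log confirms, which it does not, and which services were removed."""
    script, log = parse_cfscript(script_text), parse_cflog(log_text)
    # ComboFix wrote the folder deletion with a trailing backslash; normalise before comparing.
    deleted = {p.rstrip("\\").lower() for p in log.get("Other Deletions", [])}
    requested = [p for sec in ("Collect", "File", "Folder") for p in script.get(sec, [])]
    services = [s.lower() for s in log.get("Drivers/Services", [])]
    return {
        "confirmed": [p for p in requested if p.lower() in deleted],
        "missing": [p for p in requested if p.lower() not in deleted],
        "services_removed": [d for d in script.get("Driver", [])
                             if any(s.endswith("\\service_" + d.lower()) for s in services)],
        "registry_ops": script.get("Registry", []),
        "random_ini_names": [p for p in requested if RANDOM_INI_RE.search(p)],
    }
```

Calling reconcile(CFSCRIPT, CFLOG) on the excerpts above confirms six of the seven requested paths, lists the invented ZZ_constructed_missing.ini as missing, and confirms the Viewpoint Manager Service removal; anything in "missing" after a real run is what to ask about before posting the next log.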

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.
  • 0
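
Reading the SSDT section of a GMER log, as an added example that is not part of this thread and not GMER's own code: each SSDT line names a hooked Zw* system service and either the module GMER attributes the hook to (path, description in parentheses, hook address in brackets) or only a kernel address when no module is shown. The parser below groups the hooks by owner so that the address-only entries, the ones that need follow-up, stand out from hooks owned by a named vendor driver. The sample lines are an excerpt constructed from the GMER output posted later in this thread; the regular expression is written to that layout and is an assumption about GMER's format beyond those lines.

```python
"""Group the SSDT hooks in a GMER log by the module that owns them.

Added example; not part of the thread and not GMER's own code.
"""
import re
from collections import defaultdict

# Constructed excerpt of the GMER "System" section posted later in this thread.
GMER_EXCERPT = """\
---- System - GMER 1.0.14 ----

SSDT 8AB84AF0 ZwAlertResumeThread
SSDT 8AB5BC60 ZwAllocateVirtualMemory
SSDT \\??\\C:\\Program Files\\Symantec\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB7032350]
SSDT 8AB08C38 ZwTerminateProcess
SSDT \\??\\C:\\Program Files\\Symantec\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB7032580]
SSDT 8AB6D2C0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----
"""

# An SSDT line is either "SSDT <addr> <Zw*>" or
# "SSDT <module path> (<description>) <Zw*> [<hook address>]".
# Assumption about GMER's layout, derived from the lines above.
SSDT_RE = re.compile(
    r"^SSDT\s+"
    r"(?:(?P<addr>[0-9A-Fa-f]{8})"
    r"|(?P<module>\\\?\?\\.+?)\s+\((?P<desc>[^)]*)\))"
    r"\s+(?P<func>Zw\w+)"
    r"(?:\s+\[(?P<hook>0x[0-9A-Fa-f]+)\])?\s*$"
)

NO_MODULE = "(address only, no module shown)"


def parse_ssdt(text):
    """Return one dict per SSDT line: hooked function, owning module (or NO_MODULE), description, address."""
    hooks = []
    for raw in text.splitlines():
        m = SSDT_RE.match(raw.strip())
        if not m:
            continue  # banners, blank lines and other sections are ignored
        addr = m.group("addr")
        hooks.append({
            "function": m.group("func"),
            "module": m.group("module") or NO_MODULE,
            "description": m.group("desc") or "",
            "address": m.group("hook") or ("0x" + addr if addr else ""),
        })
    return hooks


def group_by_owner(hooks):
    """Map each owning module (or NO_MODULE) to the list of functions it hooks, in log order."""
    owners = defaultdict(list)
    for h in hooks:
        owners[h["module"]].append(h["function"])
    return dict(owners)


def unattributed(hooks):
    """Functions whose hook GMER printed with a bare address and no module: the entries to follow up on."""
    return [h["function"] for h in hooks if h["module"] == NO_MODULE]
```

On the excerpt, group_by_owner(parse_ssdt(GMER_EXCERPT)) yields two owners: the Symantec SYMEVENT.SYS driver with its two registry hooks, and the address-only bucket with four. A hook attributed to a signed vendor driver whose description matches the installed product is the expected case; address-only hooks are not evidence of malware by themselves, but they are the lines to ask about when posting a GMER log.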

#9
P.Miroslaw

P.Miroslaw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I have done exactly as you said. I also provided a new hijackthis log.


GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-26 22:46:14
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 8AB84AF0 ZwAlertResumeThread
SSDT 8AA922F8 ZwAlertThread
SSDT 8AB5BC60 ZwAllocateVirtualMemory
SSDT 8AB6BAE8 ZwConnectPort
SSDT 8AC97830 ZwCreateMutant
SSDT 8AB20078 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB7032350]
SSDT 8AB090B8 ZwFreeVirtualMemory
SSDT 8AC5BD10 ZwImpersonateAnonymousToken
SSDT 8ACA11C0 ZwImpersonateThread
SSDT 8AAC85F0 ZwMapViewOfSection
SSDT 8AC964C8 ZwOpenEvent
SSDT 8AB08DC0 ZwOpenProcessToken
SSDT 8AB093E0 ZwOpenThreadToken
SSDT 8AF9BEB0 ZwQueryValueKey
SSDT 8AB07DA0 ZwResumeThread
SSDT 8AB094B8 ZwSetContextThread
SSDT 8AB09260 ZwSetInformationProcess
SSDT 8AB09650 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB7032580]
SSDT 8AAEF378 ZwSuspendProcess
SSDT 8AB09970 ZwSuspendThread
SSDT 8AB08C38 ZwTerminateProcess
SSDT 8AB097E8 ZwTerminateThread
SSDT 8AB090F0 ZwUnmapViewOfSection
SSDT 8AB6D2C0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[136] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 32604F4E C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2588] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Start Menu\Programs\EA SPORTS\EA\xa0SPORTS\x2122 NBA\xa0LIVE\x00a008\

---- EOF - GMER 1.0.14 ----




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199583275859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\Software\..\Telephony: DomainName = myplnet.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{46401588-CB34-42CD-9460-630DF58834E3}: NameServer = 192.168.66.101,192.168.66.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myplnet.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = myplnet.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 8415 bytes
  • 0
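The HijackThis log above is the artifact the helper works from. As an added example (not part of the thread and not HijackThis's own code), here is a small Python parser that splits the R/F/O lines of such a log into records and flags the entries a helper usually checks by hand first: O23 services with no recorded owner or a missing binary, O10 Winsock LSP entries HijackThis does not recognise, and O4 Run entries whose executable is given without a path. The sample lines are copied from the log above; the flags are prompts for review, not verdicts, since legitimate software produces the same patterns.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the HijackThis log posted
# above (O4/O10/O23 sections) so the example runs offline.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: Ventrilo - Unknown owner - C:\\Program Files\\VentSrv\\ventrilo_svc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

# HijackThis item lines look like "O23 - <body>"; the process list,
# header and "End of file" trailer do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {section, body} records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def run_command(body: str) -> str:
    """Extract the command part of an O4 body, e.g.
    'HKLM\\..\\Run: [ccApp] "C:\\...\\ccApp.exe"' -> '"C:\\...\\ccApp.exe"'."""
    cmd = body.split(": ", 1)[1] if ": " in body else body
    return cmd.split("] ", 1)[1] if "] " in cmd else cmd


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for entries worth a manual look.
    These are review flags only: a missing or unowned service or an
    unqualified Run command is common for legitimate software too."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service binary missing (stale or deleted)", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no publisher recorded", body))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "Winsock LSP not on HijackThis's known list", body))
        elif sec == "O4":
            cmd = run_command(body)
            # A bare executable name (no quotes, no directory) is resolved
            # through the search path at logon, so confirm where it lives.
            if not cmd.startswith('"') and "\\" not in cmd:
                findings.append((sec, "Run entry with unqualified executable", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:4} {reason}: {body}")
```

Feed the whole log to `parse_hjt` and the result is a short review list rather than a 100-line dump; every flagged item still has to be checked against the vendor, file location and signature before anything is removed.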

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
========================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0



#11
P.Miroslaw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Kaspersky is currently scanning as I am typing this. Would you like an updated hijackthis log as well?



Edit: Kaspersky Scan Progress- 38%

Edited by P.Miroslaw, 26 April 2008 - 09:17 PM.

  • 0

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts

Would you like an updated hijackthis log as well?

Sure :)
  • 0

#13
P.Miroslaw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Now one thing which is confusing me, will Kaspersky remove any infected files? Or will it just state which ones are infected?


Edit: Kaspersky Scan Progress- 43%
  • 0

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It only lets me know what is left, and it is only a scanner, not a remover.
  • 0

#15
P.Miroslaw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Alright, thanks. I'll post all the information when the scan finishes. It has detected 4 viruses and 12 infected objects so far.



Edit: Kaspersky Scan Progress- 100%

Edited by P.Miroslaw, 26 April 2008 - 09:55 PM.

  • 0
