Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan.Vundo HELP ME FFS! [RESOLVED]


  • This topic is locked This topic is locked

#16
helpme768

helpme768

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
HiJackThis log:





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28, on 2008-07-01
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BM63ad6d75] Rundll32.exe "C:\Users\Lasse\AppData\Local\Temp\jratsamm.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\xxyvUlLC.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETVÆRKSTJENESTE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplu...lug/beta/SP.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager-kontrol) - http://dlm.tools.aka...vex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatisk LiveUpdate-planlægning - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\3dsmax2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9557 bytes









ComboFix log:



ComboFix 08-06-20.4 - Lasse 2008-07-01 21:41:48.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1030.18.1138 [GMT 2:00]
Running from: C:\Users\Lasse\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\Downloaded Program Files\setup.inf
C:\Windows\system32\aphhljdi.ini
C:\Windows\system32\awtuutut.dll
C:\Windows\System32\bccccfii.ini
C:\Windows\System32\bccccfii.ini2
C:\Windows\system32\cbxvWqNH.dll
C:\Windows\System32\CLlUvyxx.ini
C:\Windows\System32\CLlUvyxx.ini2
C:\Windows\system32\evcdvxpe.ini
C:\Windows\system32\[email protected]@@k.dll
C:\Windows\System32\HNqWvxbc.ini
C:\Windows\System32\HNqWvxbc.ini2
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\puknlwst.ini
C:\Windows\system32\pwsmnnqn.ini
C:\Windows\System32\QpAyxyay.ini
C:\Windows\System32\QpAyxyay.ini2
C:\Windows\system32\sqexgmhl.ini
C:\Windows\system32\tiyojfda.ini
C:\Windows\System32\tutuutwa.ini
C:\Windows\System32\tutuutwa.ini2
C:\Windows\system32\ulgrskov.ini
C:\Windows\system32\uoymjlmn.ini
C:\Windows\system32\wxymqqwy.ini
C:\Windows\system32\xxyvUlLC.dll
C:\Windows\system32\yayxyApQ.dll
C:\Windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2099-11-11 13:19 . 2007-08-27 11:53 107,864 --a------ C:\Windows\System32\tsccvid.dll
2008-07-01 18:24 . 2008-07-01 18:24 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-07-01 18:24 . 2008-07-01 18:24 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-07-01 16:08 . 2008-07-01 16:08 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-06-30 18:36 . 2008-06-30 18:36 <DIR> d-------- C:\_OTMoveIt
2008-06-30 13:00 . 2008-06-30 13:00 <DIR> d-------- C:\Deckard
2008-06-27 12:58 . 2008-06-27 12:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 20:32 . 2007-03-23 05:05 29,272 -ra------ C:\Windows\System32\AdobePDF.dll
2008-06-24 16:29 . 2008-06-24 16:29 524,288 --ahs---- C:\ntuser.dat{b79c8056-41e8-11dd-8fb2-001a92304991}.TMContainer00000000000000000002.regtrans-ms
2008-06-24 16:29 . 2008-06-24 16:29 524,288 --ahs---- C:\ntuser.dat{b79c8056-41e8-11dd-8fb2-001a92304991}.TMContainer00000000000000000001.regtrans-ms
2008-06-24 16:29 . 2008-06-24 16:29 524,288 --ahs---- C:\ntuser.dat{b79c804a-41e8-11dd-8fb2-001a92304991}.TMContainer00000000000000000002.regtrans-ms
2008-06-24 16:29 . 2008-06-24 16:29 524,288 --ahs---- C:\ntuser.dat{b79c804a-41e8-11dd-8fb2-001a92304991}.TMContainer00000000000000000001.regtrans-ms
2008-06-24 16:29 . 2008-06-27 11:43 262,144 --a------ C:\ntuser.dat
2008-06-24 16:29 . 2008-06-24 16:29 65,536 --ahs---- C:\ntuser.dat{b79c8056-41e8-11dd-8fb2-001a92304991}.TM.blf
2008-06-24 16:29 . 2008-06-24 16:29 65,536 --ahs---- C:\ntuser.dat{b79c804a-41e8-11dd-8fb2-001a92304991}.TM.blf
2008-06-24 16:29 . 2008-06-27 11:43 5,120 --ah----- C:\ntuser.dat.LOG1
2008-06-24 16:29 . 2008-06-24 16:29 0 --ah----- C:\ntuser.dat.LOG2
2008-06-22 21:48 . 2008-06-27 10:58 <DIR> d-------- C:\VundoFix Backups
2008-06-22 21:00 . 2008-06-22 21:00 <DIR> d-------- C:\Users\Lasse\AppData\Roaming\DelinvFile
2008-06-22 21:00 . 2008-06-22 21:00 <DIR> d-------- C:\Program Files\PurgeIE
2008-06-21 20:13 . 2008-06-25 20:51 <DIR> d-------- C:\Joke
2008-06-21 13:59 . 2008-06-21 13:59 43,520 --a------ C:\Windows\System32\CmdLineExt03.dll
2008-06-19 14:25 . 2008-06-19 14:25 <DIR> d-------- C:\Users\Lasse\AppData\Roaming\com.adobe.example.LotR-player
2008-06-18 15:32 . 2008-06-18 15:33 <DIR> d-------- C:\Custom Icons
2008-06-15 15:43 . 2008-06-15 15:43 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-06-15 15:43 . 2003-07-19 17:17 5,174 --a------ C:\Windows\System32\nppt9x.vxd
2008-06-15 15:43 . 2005-01-03 08:43 4,682 --a------ C:\Windows\System32\npptNT2.sys
2008-06-15 15:18 . 2008-06-15 15:18 <DIR> d-------- C:\AeriaGames
2008-06-13 22:49 . 2008-06-13 22:49 <DIR> d-------- C:\Program Files\DivX
2008-06-13 21:31 . 2008-06-13 21:31 <DIR> d-------- C:\Program Files\vghd
2008-06-12 19:06 . 2008-06-12 19:16 <DIR> d-------- C:\Program Files\Windows Live
2008-06-11 22:49 . 2008-06-11 22:49 <DIR> d-------- C:\Program Files\FMOD SoundSystem
2008-06-11 16:56 . 2008-06-11 16:56 <DIR> d--h----- C:\TMP_inet
2008-06-10 23:18 . 2008-06-10 23:18 <DIR> d-------- C:\Windows\.jagex_cache_32
2008-06-10 20:40 . 2008-06-10 21:00 <DIR> d-------- C:\Visual Basic 6
2008-06-10 14:16 . 2008-06-22 21:14 54,156 --ah----- C:\Windows\QTFont.qfn
2008-06-10 14:16 . 2008-06-11 13:54 1,409 --a------ C:\Windows\QTFont.for
2008-06-09 22:48 . 2008-03-08 02:37 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-09 22:48 . 2008-03-08 06:30 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-06-06 16:39 . 2008-06-06 16:39 <DIR> d-------- C:\Program Files\PerformanceTest
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Videos
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Searches
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Saved Games
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Pictures
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Music
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Links
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Downloads
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Documents
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> dr------- C:\Users\Administrator\Contacts
2008-06-01 17:39 . 2006-11-02 14:37 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\Media Center Programs
2008-06-01 17:39 . 2008-02-08 23:12 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\Apple Computer
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> d--h----- C:\Users\Administrator\AppData
2008-06-01 17:39 . 2008-06-01 17:39 <DIR> d-------- C:\Users\Administrator
2008-06-01 14:40 . 2008-06-24 20:53 <DIR> d-------- C:\Program Files\3dsmax2009
2008-06-01 14:19 . 2008-06-25 18:02 <DIR> d-------- C:\Cracks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 19:38 --------- d-----w C:\ProgramData\Symantec
2008-07-01 13:02 --------- d---a-w C:\ProgramData\TEMP
2008-06-28 05:52 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-06-26 20:27 --------- d-----w C:\Users\Lasse\AppData\Roaming\uTorrent
2008-06-25 12:58 --------- d-----w C:\Users\Lasse\AppData\Roaming\Winff
2008-06-22 08:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-21 21:19 --------- d-----w C:\Program Files\Cheat Engine
2008-06-15 13:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-15 11:15 --------- d-----w C:\Program Files\Eltima Software
2008-06-14 12:41 --------- d-----w C:\Program Files\Warcraft III
2008-06-12 17:02 --------- d-----w C:\ProgramData\WLInstaller
2008-06-10 12:10 --------- d-----w C:\Program Files\Windows Mail
2008-06-09 18:47 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-09 18:47 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-09 18:47 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-09 18:47 --------- d-----w C:\Program Files\Symantec
2008-06-09 18:47 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-04 16:44 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-01 12:46 --------- d-----w C:\Program Files\Autodesk
2008-05-17 14:52 --------- d-----w C:\Program Files\GameSpy
2008-05-17 14:51 22,328 ----a-w C:\Users\Lasse\AppData\Roaming\PnkBstrK.sys
2008-05-17 14:48 --------- d-----w C:\ProgramData\Media Center Programs
2008-05-12 20:55 --------- d-----w C:\Program Files\Macromedia
2008-05-09 17:20 --------- d-----w C:\ProgramData\ALM
2008-05-08 16:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 12:51 --------- d-----w C:\Users\Lasse\AppData\Roaming\com.adobe.example.Crysis-Test
2008-05-04 12:00 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-05-03 11:01 2,829 ----a-w C:\Windows\War3Unin.pif
2008-05-03 11:01 139,264 ----a-w C:\Windows\War3Unin.exe
2008-05-01 19:14 --------- d-----w C:\Users\Lasse\AppData\Roaming\com.adobe.example.Keygen
2008-05-01 14:04 --------- d-----w C:\Users\Lasse\AppData\Roaming\com.adobe.example.Untitled-4-Scene-1
2008-04-21 17:54 2,560 ----a-w C:\Windows\_MSRSTRT.EXE
2008-04-06 10:25 94,208 ----a-w C:\Windows\ScUnin.exe
2007-08-31 13:43 174 --sha-w C:\Program Files\desktop.ini
2007-12-31 19:55 80 --sha-r C:\Windows\System32\AA76078432.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 23:50 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 14:37 4186112 C:\Windows\RtHDVCpl.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 06:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 06:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 06:28 81920]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 11:45 222208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\609e5ee9]
C:\Users\Lasse\AppData\Local\Temp\oxsniqwh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM63ad6d75]
C:\Users\Lasse\AppData\Local\Temp\jratsamm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
C:\Windows\system32\xxyvUlLC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Windows\system32\fcCrrspN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{408BE893-C5EE-41A7-81F9-FADAF585B0EB}"= UDP:C:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\game.dat:The Battle for Middle-earth™ II
"{4C0E4ED4-E43C-48F9-97F7-48EF7C22ABF9}"= TCP:C:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\game.dat:The Battle for Middle-earth™ II
"{EF839638-1E88-4D3C-B322-5623400B2618}"= UDP:C:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:The Lord of the Rings, The Rise of the Witch-king
"{6F6AE397-D98B-4729-8AB4-410A27567729}"= TCP:C:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:The Lord of the Rings, The Rise of the Witch-king
"{5D02082D-0EFB-43C2-AA88-39BA6E0FC8F1}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{7D07383E-D12E-4AA8-ABFD-A1B3F3A31FAF}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{6A147DED-DDE4-497D-84F8-EB0898886B9B}"= UDP:C:\Program Files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{1268A6A8-2901-4897-B1CF-570227DB5955}"= TCP:C:\Program Files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{C0575BB4-DCA0-46D4-9169-51A154F9B9B3}"= UDP:C:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat:The Battle for Middle-earth ™
"{EBCB3659-BB49-44D1-84AC-2BDD5A11996E}"= TCP:C:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat:The Battle for Middle-earth ™
"{CD8BC978-42A3-4762-BDA8-3143F4256671}"= UDP:C:\Program Files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{00FB5EAA-33CD-4275-A85C-DDDAADCA6621}"= TCP:C:\Program Files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{7834171C-2C67-4806-901E-3FEDEA2A20C0}"= UDP:C:\Program Files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{012B51E2-DB2A-4D24-A5D3-39F09FE33A6B}"= TCP:C:\Program Files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{F34E09CA-2FBE-4AEF-94DF-639D43EDF7BA}"= UDP:C:\Program Files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{0406DD43-2720-4416-B131-04DCF5F44AB6}"= TCP:C:\Program Files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{2BC4FF1B-98F1-46EC-BF29-8ED02FC869CF}"= UDP:5000:AresChatServer
"{A9F88261-E050-4BDF-9E90-0CE084EAD28F}"= TCP:2799:Altova License Metering Port (UDP)
"{6CC247B1-D77F-4DF0-BA80-9C8D65AD314F}"= UDP:2799:Altova License Metering Port (TCP)
"{8536701C-9967-487C-8353-DEE3C21FAFB3}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{EFB861C6-0554-4E94-916C-5C453C6632D9}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3C35FA13-37AB-4563-9FC9-73B3AEB68011}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9BC2BCC1-C0AF-4286-9FB4-08F7000CAF66}"= UDP:C:\Electronic Arts\The Battle for Middle-earth ™ II\game.dat:The Battle for Middle-earth™ II
"{4708DA17-4475-43A9-AA8C-4B49923DD8B4}"= TCP:C:\Electronic Arts\The Battle for Middle-earth ™ II\game.dat:The Battle for Middle-earth™ II
"{59D22197-D2F3-4B88-9110-EDE182104656}"= UDP:C:\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:The Lord of the Rings, The Rise of the Witch-king
"{43A888B7-299A-4D6D-8CE7-11273A457A4C}"= TCP:C:\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:The Lord of the Rings, The Rise of the Witch-king
"{F9F86575-F148-4B59-A57C-1D0B69B7A1EB}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{7D0127F6-229F-4920-8A83-612A49C3636C}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{79A9A034-730A-462A-861C-48EF0C87A0D9}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9D981F88-320F-414C-B7BA-A329FA8806AF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{93564E9F-B958-4EBC-9F5B-06D115E4B388}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis SP Demo\Bin32\Crysis.exe:Crysis_32_sp_demo
"{C685FE67-E130-4B19-B4A2-93F5FA2B9530}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis SP Demo\Bin32\Crysis.exe:Crysis_32_sp_demo
"{FBBA2392-965F-4D87-A1DB-308A58EF0407}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{38DF25D9-B9A2-496A-A09B-61229F3282CE}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{3E662055-E0D8-4689-B8E2-B9D5D633D5B6}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{490E4944-313E-48AF-A8CB-72E34C9379B1}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{7F847435-F070-4F10-8170-7D771FD8C7A8}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{EA054671-003E-40DC-A2E4-DEEBA4DF6DCE}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{1132C691-EA79-447C-9E2B-A8EDA0A68869}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{D31127E9-60C0-435E-9A8C-9AED007F16DA}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{A16452B9-AB45-4E9D-91F1-394A883E4B10}"= UDP:C:\Program Files\3dsmax2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{9D0BF382-D777-47A8-80F3-EE69BF6800FE}"= TCP:C:\Program Files\3dsmax2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{BE15AC57-4BD8-41B7-B7DF-F218B3EB9F26}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-02-13 18:18]
R2 Automatisk LiveUpdate-planlægning;Automatisk LiveUpdate-planlægning;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-09-26 11:57]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"C:\Program Files\3dsmax2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-03-10 00:04]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;C:\Windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 10:43]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 19:32:30 C:\Windows\Tasks\Norton Internet Security - Kør fuld systemskanning - Lasse.job"












NOTE: Kaspersky Scanning log is uploaded as a zip attachment because filesize was above 500 KB!

Attached Files


  • 0

Advertisements


#17
helpme768

helpme768

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
by the way, Norton seems to have detected a new infection called "Trojan.Metajuan"

Will This be fixed with the Trojan.Vundo aswell?
  • 0

#18
helpme768

helpme768

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Im happy to say that you already helped me big time!
Explorer no longer crashes!

Keep up the good help :)
  • 0

#19
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\system32\fcCrrspN.dll
C:\Program Files\IntelligentAdvisor\IntelligentAdvisor-2.dll
C:\Windows\System32\awtuutut.dll
C:\Windows\System32\cbxvWqNH.dll
C:\Windows\System32\xxyvUlLC.dll
C:\Windows\System32\yayxyApQ.dll

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\609e5ee9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM63ad6d75]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]

DirLook::
C:\Cracks


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#20
helpme768

helpme768

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Combofix log with CFScript.txt + HIJACKTHIS log(s) are in attachment!

Attached Files

  • Attached File  CF.zip   18.25KB   121 downloads
  • Attached File  HJT.zip   2.86KB   110 downloads

  • 0

#21
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Also tell me how your PC is running
  • 0

#22
helpme768

helpme768

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
My PC is working very well now! Explorer.exe no longer crashes, and Windows brings up the screen faster and i no longer get a "bar bug" (some of the parts in my start-bar are missing) and i do not get pop-ups right now. I believe that the threat(s) has been eliminated and i am error-free! :)
But you never know with malware :)

The MBAM log is uploaded as a ZIP attachment.

Attached Files


  • 0

#23
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#24
helpme768

helpme768

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Thanks for all the help! my system is cleaned and i thank you 10.000 times! :)

I assume that the tread will be closed since that the problem is solved? :)

Edited by helpme768, 02 July 2008 - 06:44 AM.

  • 0

#25
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP