Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TROJAN.VUNDO.B (C:\windows\repair\catip.dll)


  • This topic is locked This topic is locked

#61
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, now we're going to try this to get rid of Vundo, then afterwards we'll run a program to clean your registry.

HUGE thanks to noahdfear for writing this up for you!

For this to even work, You WILL NEED a genuine XP CD. A recovery CD like you get with many OEM machines will not work. If you only have the recovery disk, do you know of anyone who has the "real" XP CD who would let you borrow it?

First you need to create a dummy file.
Open the C:\windows\repair directory. Right click new>text, name it catip.old
Open the cd tray, slip in the XP disk and reboot.
The machine will need to have boot from cd first enabled in the BIOS. Most are already.
Upon boot up, watch the screen for a 'Press any key to boot from cd' and press any key
Setup will transfer files and stop at an options screen. Choose R for recovery console.
You will be prompted for the Administrator password. If none was set, press enter.
You will be offered which installation to start, eg;
1. C:\Windows
Press 1 and enter.
You will arrive at a C:\Windows prompt.
Type cd c:\windows\repair and hit enter.
Now to remove any attributes from and delete the file, then rename the dummy. Type and hit enter after each line.

attrib -r catip.dll
attrib -h catip.dll
attrib -s catip.dll
del catip.dll
rename catip.old catip.dll
exit

Important Note Make sure to include ALL spaces between words exactly as indicated above.

The machine will restart. Either take the cd out right away or do not touch any keys until you get to the Welcome screen so that it skips the boot from cd option.

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\catip.dll

O20 - Winlogon Notify: catip - C:\WINDOWS\repair\catip.dll

Close HijackThis.

Delete the dummy file you made earlier, reboot and post a new HiJackThis log.

Edited by bananafanafo, 27 May 2005 - 09:09 AM.

  • 0

Advertisements


#62
HEH

HEH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I think you may have eliminated Vundo.B

Logfile of HijackThis v1.99.1
Scan saved at 5:28:34 PM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Harold\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Hope to hear from you soon.
  • 0

#63
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
OMG I love noahdfear! He came to the rescue!

Now, I need you to double-click on the new "vundo.reg" and let it merge with the registry.

Then we will run a registry cleaning tool to rid of all of the invalid items found by MWav!

Oh I'm so excited!

Edited by bananafanafo, 27 May 2005 - 03:36 PM.

  • 0

#64
HEH

HEH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
This is awesome. You are Great! I'm so thankful for your persistence. noahdfear, thanks for your help too! You guys are good. It will be great to open the computer and not have to deal with Norton's virus alert window. Thanks Again, I'll wait to see what I need to do next.
  • 0

#65
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
The two of you did all the hard part. Great work! :tazz:

Glad I could help. ;)
  • 0

#66
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
*Please dowload: RegSeeker.
*Click on "Clean The Registry" in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
*Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, run the MWav again. *Make sure to reboot between each use of the program.

Post a new HiJackThis log along with the results from MWav!

Edited by bananafanafo, 28 May 2005 - 02:18 AM.

  • 0

#67
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Oops don't know how I posted it twice :tazz:

;)

Edited by bananafanafo, 28 May 2005 - 02:17 AM.

  • 0

#68
HEH

HEH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
For some reason there is 21 items that I can't seem to delete, they show up everytime I reboot. I ran the MWAV anyway and here are the results:

Sat May 28 10:53:07 2005 => ***** Scanning complete. *****

Sat May 28 10:53:07 2005 => Total Virus(es) Found: 12
Sat May 28 10:53:07 2005 => Total Errors: 304

Virus Log

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\dll2phase.dll". Action Taken: No Action Taken
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll". Action Taken: No Action Taken
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\rfx2pdef.txt". Action Taken: No Action Taken
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\tgctlcm.dll". Action Taken: No Action Taken
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005916.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005920.exe tagged as "not-a-virus:AdWare.Whistle.a". Action Taken: No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005921.exe infected by "Trojan-Downloader.Win32.Swizzor.cm" Virus! Action Taken: No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005922.exe infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus! Action Taken: No Action Taken
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005916.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005920.exe tagged as "not-a-virus:AdWare.Whistle.a". Action Taken: No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005921.exe infected by "Trojan-Downloader.Win32.Swizzor.cm" Virus! Action Taken: No Action Taken
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0005922.exe infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus! Action Taken: No Action Taken
  • 0

#69
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
OK, after your system is clean we will DEFINITELY clear your restore points and that will take care of a lot of the items found by MWav. But we will only do this after your system is fully cleaned.

The invalid items found by MWav we will get rid of with a reg. Not sure why RegSeeker couldn't get them.

Will you post another HiJackThis log for me?
  • 0

#70
HEH

HEH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK , HEre is a fresh log.

Logfile of HijackThis v1.99.1
Scan saved at 5:34:04 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Harold\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for all the help, I really do apprecaite it.
  • 0

Advertisements


#71
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome!

Ok, those are just orphaned reg entries found by MWav and they really won't hurt anything, but go ahead and do this for me:

Download CCleaner
Install CCleaner
Double-click the CCleaner icon on your desktop.
Click the Windows tab and make sure NOTHING is checked.
Click the Application tab and make sure NOTHING is checked.
Click the Issues tab and make sure everything under "Registry Integrity" IS checked.
Click "Scan for issues"
Make sure everything in that window has a checkmark next to it, then click "Fix Selected Issues"

There is no need to run MWav again after this :tazz:

Then one other suggestion is to update your Sun Java. You have an older more vulnerable version. Go to Start > Control Panel then double-click on the "Java" icon (coffee cup), then there will be an update button in the java control panel, just click it to update your java, then reboot.

And let me know if you're having any other problems!

Edited by bananafanafo, 29 May 2005 - 08:53 PM.

  • 0

#72
HEH

HEH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK, everything appears to work great and I'm very satisfied. No more Trojan.Vundo.B (catip.dll), my computer is running great and we even cleaned up stuff that I was unaware of. I think we can show my problems resolved. Thanks again.
  • 0

#73
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Well that is awesome news!! ;) So, now here are my recommendations for keeping your system clean:

Congratulations your log is clean! Great job on the clean up :tazz:

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • 0

#74
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Oh yeah! One last thing you'll definitely want to do!

Clear system restore points to give your system a fresh start on system restore. You definitely don't want to ever have to restore back to Vundo! :tazz:

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Promise, that's it ;)
  • 0

#75
HEH

HEH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I have cleared/reset the system restore points. Everything is working great, the last couple of scans have turned up nothing, but tracking cookies. Easy stuff to delete--makes me happy. I enjoyed working with you. Keep up the good work and have fun doing it. HEH
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP