hey im experiensing some real popup problems with TR/Vundo.fnr.48 atleast thats what my avira antivir that problem regonizes sorry that i didnt use search in here but cant be online for too long since popups come like in every 2 secs Ive tried virus scan with, Avira, Norton, Fsecure and Kaspersky none of them can solve the problem and ive done that in windows safemode and in normal mode. Ive also tried tons of spyware etc and i even tried Vundofix 7.0.6 and couple other versions, so if anyone can help me id really preciate it ! Heres my HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:31:11, on 23.10.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\ASUS\Probe\AsusProb.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\V0350Mon.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\PnkBstrA.exe C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe C:\WINDOWS\System32\PnkBstrB.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AdwareAlert\AdwareAlert.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe c:\program files\avira\antivir personaledition classic\avcenter.exe C:\Program Files\WinRAR\WinRAR.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {38DED7EA-C794-4628-90F1-739CB0BF27B5} - C:\WINDOWS\system32\geBuvuUL.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\Bitcomet\tools\BitCometBHO_1.2.2.28.dll O2 - BHO: (no name) - {6C350DFC-885F-4296-82E3-6428DD982099} - C:\WINDOWS\system32\opnoPjhe.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: {91ac753a-fc30-49f9-a004-d7b18090def7} - {7fed0908-1b7d-400a-9f94-03cfa357ca19} - C:\WINDOWS\system32\jiqyot.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C056122C-EB05-4D9B-8CF0-E51A36964DCB} - (no file) O2 - BHO: (no name) - {C1EDA7D2-3250-480D-8001-DDC6D579E03D} - (no file) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [Microsoft Updote] posuh.exe O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\RunServices: [Microsoft Updote] posuh.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Creative Live! Cam Manager] C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe O4 - HKCU\..\Run: [BitComet] "G:\Bitcomet\BitComet.exe" /tray O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &D&ownload &with BitComet - res://G:\Bitcomet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://G:\Bitcomet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://G:\Bitcomet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?604bca929ff94c308145d4ad5c91bd5f O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?604bca929ff94c308145d4ad5c91bd5f O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\Bitcomet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130767884463 O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab O20 - AppInit_DLLs: jiqyot.dll O20 - Winlogon Notify: opnoPjhe - C:\WINDOWS\SYSTEM32\opnoPjhe.dll O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 11296 bytes
Hi Les26 Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required. Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop. Configuring Malwarebytes • Click on the tab Settings. • Make sure only these boxes are checked: Code: Terminate Internet Explorer Automatically save and display logfile after removal Always scan memory objects Always scan registry objects Always scan filesystem Always scan extra and heuristics objects Updating Malwarebytes • Click on the tab Update. • Press the button Check for Updates • Wait for Malwarebytes to be fully updated. Scanning Time • Click on the tab Scanner. • Check Perform full scan and click on Scan • Wait for the scan to complete, and then click on Show Results. • Make sure all items are checked, then click on Remove Selected. **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately. Post A Log • A text box will pop up after the removal process is over. Post the contents of the text here. • If no text box pops up, launch Malwarebytes, and click on the tab Logs. • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open. • Post the log here. Best Regards
hi, thanks for answering, i couldnt update malwarebytes anti-malware since for some reason somthing is blocking what ever im trying to download from internet, but luckily i got the program via my another comp. Heres the log: Malwarebytes' Anti-Malware 1.30 Database version: 1306 Windows 5.1.2600 Service Pack 2 24.10.2008 10:50:14 mbam-log-2008-10-24 (10-50-14).txt Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|) Objects scanned: 172459 Time elapsed: 1 hour(s), 5 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 3 Registry Keys Infected: 18 Registry Values Infected: 7 Registry Data Items Infected: 3 Folders Infected: 12 Files Infected: 52 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\geBuvuUL.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\jiqyot.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\opnoPjhe.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c350dfc-885f-4296-82e3-6428dd982099} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnopjhe (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{6c350dfc-885f-4296-82e3-6428dd982099} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fed0908-1b7d-400a-9f94-03cfa357ca19} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7fed0908-1b7d-400a-9f94-03cfa357ca19} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f245958d-0285-4874-82df-348f5daf5e52} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{f245958d-0285-4874-82df-348f5daf5e52} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{755c6bc2-a679-4025-84d3-4ae283a87b14} (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{755c6bc2-a679-4025-84d3-4ae283a87b14} (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6c350dfc-885f-4296-82e3-6428dd982099} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.mfc\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.crt\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebuvuul -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebuvuul -> Delete on reboot. Folders Infected: C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\opnoPjhe.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\jiqyot.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\geBuvuUL.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\LUuvuBeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\LUuvuBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\cnajxcyd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dycxjanc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\CH3Q4L3B\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\CH3Q4L3B\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\HVB2CTG9\ico[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\HVB2CTG9\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\HVB2CTG9\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\RVPHM363\ico[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\WWGP79V2\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Local Settings\Temporary Internet Files\Content.IE5\WWGP79V2\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\My Documents\Vastaanotetut tiedostot\WGA patch\Windows XP.exe (Malware.Tool) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{1A2955AD-7259-4409-96C1-CD097A4C846A}\RP816\A0274831.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{1A2955AD-7259-4409-96C1-CD097A4C846A}\RP818\A0277025.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{1A2955AD-7259-4409-96C1-CD097A4C846A}\RP818\A0277039.exe (Trojan.LowZones) -> Quarantined and deleted successfully. C:\WINDOWS\system32\anqjqg.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\efofsq.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\hgGwVOeE.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\hkuvbthc.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mfkrmxkd.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qjriexoa.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wvUlMDsQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wvUnMdAQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully. G:\System Volume Information\_restore{1A2955AD-7259-4409-96C1-CD097A4C846A}\RP817\A0274870.exe (Trojan.Dropper) -> Quarantined and deleted successfully. G:\System Volume Information\_restore{1A2955AD-7259-4409-96C1-CD097A4C846A}\RP817\A0274871.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\AdwareAlert.url (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\DataBase.ref (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\vistaCPtasks.xml (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Log\log_2008_01_06_17_22_04.eklog (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Log\log_2008_01_06_17_27_40.eklog (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Log\log_2008_01_06_17_28_52.eklog (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Registry Backups\2008-01-06_17-25-44.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Registry Backups\2008-01-06_17-32-41.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\AdwareAlert on the Web.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\AdwareAlert\Log\2008 Oct 24 - 09_29_13 AM_250.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\RegistrySmart\Log\2008 Jan 06 - 04_54_11 PM_250.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\Les\Application Data\RegistrySmart\Log\2008 Jan 06 - 04_54_14 PM_390.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Desktop\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully. atleast now im not experiensing any popups nor my antivir isnt complaining anything, and now i can download update from internet in that malwarebytes so seems like problem solved.. But ill do another scan now since i got anti-malware updated.. I did a quick scan after i got updated and heres the log : Malwarebytes' Anti-Malware 1.30 Database version: 1311 Windows 5.1.2600 Service Pack 2 24.10.2008 11:14:31 mbam-log-2008-10-24 (11-14-31).txt Scan type: Quick Scan Objects scanned: 59793 Time elapsed: 10 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6c350dfc-885f-4296-82e3-6428dd982099} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) im going to reboot and do i normal scan since it still showed Vundo was in registry...
Hey Les26 Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection. • Run Combo-Fix.exe and follow the prompts. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later. • Wait for the scan to be completed. • If it requires a reboot, please do it. • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt) Do not click on the ComoboFix window, as it may cause it to stall. After that, post a new HijackThis log and tell me what problems you have left. Best Regards
Hi heres my combofix log: ComboFix 08-10-23.06 - Les 2008-10-24 12:49:47.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.542 [GMT 3:00] Running from: G:\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Les\Application Data\inst.exe C:\setup.exe C:\WINDOWS\system32\cfLTtBeg.ini C:\WINDOWS\system32\cfLTtBeg.ini2 C:\WINDOWS\system32\hkfiqkcp.ini C:\WINDOWS\system32\nWGjmnnn.ini C:\WINDOWS\system32\nWGjmnnn.ini2 C:\WINDOWS\system32\tijrgmhw.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_JAVA ((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 ))))))))))))))))))))))))))))))) . 2008-10-24 09:35 . 2008-10-24 09:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-24 09:35 . 2008-10-24 09:35 <DIR> d-------- C:\Documents and Settings\Les\Application Data\Malwarebytes 2008-10-24 09:35 . 2008-10-24 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-10-24 09:35 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-24 09:35 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-23 18:30 . 2008-10-23 18:30 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-22 13:46 . 2008-10-22 17:54 <DIR> d-------- C:\Documents and Settings\Administrator 2008-10-22 12:07 . 2008-10-22 12:07 <DIR> d-------- C:\VundoFix Backups 2008-10-21 13:02 . 2008-10-21 17:11 135 --a------ C:\WINDOWS\Mp3CutterJoiner.ini 2008-10-21 12:57 . 2008-10-21 17:10 <DIR> d-------- C:\My Music 2008-10-21 12:56 . 2008-10-21 12:56 <DIR> d-------- C:\Program Files\AudioToolsFactory 2008-10-21 12:56 . 2004-12-08 13:21 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll 2008-10-21 12:56 . 2004-08-02 15:09 450,560 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll 2008-10-21 12:56 . 2002-01-05 14:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll 2008-10-21 12:56 . 2004-12-01 14:43 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll 2008-10-21 12:56 . 2003-08-07 14:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll 2008-10-21 12:56 . 2004-05-20 14:24 196,608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll 2008-10-21 12:56 . 2003-12-08 12:49 116,304 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx 2008-10-21 12:56 . 2008-10-21 17:11 5 --a------ C:\WINDOWS\system32\SySMP3CutJoin.dat 2008-10-20 22:01 . 2004-08-04 10:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe 2008-10-20 22:01 . 2004-08-04 10:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe 2008-10-20 22:01 . 2004-08-04 10:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll 2008-10-20 22:01 . 2004-08-04 10:56 27,136 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll 2008-10-20 22:01 . 2004-08-04 10:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll 2008-10-20 22:01 . 2004-08-04 10:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll 2008-10-17 13:44 . 2003-09-13 16:25 15,700 --a------ C:\Cannibal_Corpse_-_Stripped_Raped_And_Strangled-3509.gp3 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-24 09:53 6,734,368 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-10-24 08:18 96,548 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-10-22 18:22 --------- d-----w C:\Documents and Settings\Les\Application Data\Vso 2008-10-22 11:44 2,266,624 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp 2008-09-14 09:25 --------- d-----w C:\Program Files\dvdSanta 2008-09-08 17:19 --------- d-----w C:\Documents and Settings\Les\Application Data\Skype 2008-09-05 12:58 --------- d-----w C:\Program Files\SlySoft 2008-09-05 12:20 --------- d-----w C:\Documents and Settings\Les\Application Data\Nero 2008-09-05 12:18 --------- d-----w C:\Program Files\Common Files\Nero 2008-09-05 12:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero 2008-09-05 12:15 --------- d-----w C:\Program Files\Nero 2008-09-05 12:06 --------- d-----w C:\Program Files\Ahead 2008-08-04 08:21 2,563,800 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2007-05-17 10:37 47,360 ----a-w C:\Documents and Settings\Les\Application Data\pcouffin.sys 2004-03-11 11:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll 2001-08-23 12:00 94,784 --sha-w C:\WINDOWS\twain.dll 2004-08-04 07:56 50,688 --sha-w C:\WINDOWS\twain_32.dll 2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll 2004-08-04 07:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe . ------- Sigcheck ------- 2005-05-25 22:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys 2006-01-13 20:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys 2006-04-20 14:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys 2006-04-20 15:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys 2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys 2008-06-20 13:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys 2008-06-20 14:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys 2008-06-20 14:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys 2006-04-20 14:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys 2004-08-04 09:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys 2005-05-25 22:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys 2004-08-04 09:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys 2002-08-29 11:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys 2008-06-06 19:13 359808 f4dd02b880dd00888187201cbbc3ffaf C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys 2008-06-07 21:04 360064 907e6ccef6a51bc9873e36dbf10950db C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys 2004-08-04 09:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS 2008-04-13 22:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys 2008-07-26 13:19 360320 3adce4790f591bf160a94f6f08039577 C:\WINDOWS\system32\dllcache\TCPIP.SYS 2008-07-26 13:19 360320 3adce4790f591bf160a94f6f08039577 C:\WINDOWS\system32\drivers\TCPIP.SYS . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-05-02 151552] "BitComet"="G:\Bitcomet\BitComet.exe" [2008-06-03 2596152] "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352] "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768] "ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984] "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-02 185784] "V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [2007-08-23 28672] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-24 266497] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016] "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136] "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160] "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344] "ATIPTA"="atiptaxx.exe" [2006-02-22 C:\WINDOWS\system32\atiptaxx.exe] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=jiqyot.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.XFR1"= xfcodec.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "E:\\settlers 6\\base\\bin\\Settlers6.exe"= "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"= "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "18424:TCP"= 18424:TCP:BitComet 18424 TCP "18424:UDP"= 18424:UDP:BitComet 18424 UDP [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-21 22336] R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 17952] R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-24 45376] R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 98488] R3 VF0350Afx;VF0350 Audio FX;C:\WINDOWS\system32\Drivers\V0350Afx.sys [2007-06-11 142656] R3 VF0350Vfx;VF0350 Video FX;C:\WINDOWS\system32\DRIVERS\V0350VFx.sys [2007-03-05 7424] R3 VF0350Vid;Live! Cam Video IM (VF0350);C:\WINDOWS\system32\DRIVERS\V0350Vid.sys [2007-08-29 170368] S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-17 171264] S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys [ ] . Contents of the 'Scheduled Tasks' folder 2008-10-21 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe [] 2008-10-21 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart [] 2008-10-24 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20] 2007-04-29 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe [2006-05-09 17:23] 2008-10-24 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe [2007-03-30 11:17] 2008-10-21 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe [2007-03-30 11:17] . - - - - ORPHANS REMOVED - - - - BHO-{C056122C-EB05-4D9B-8CF0-E51A36964DCB} - (no file) BHO-{C1EDA7D2-3250-480D-8001-DDC6D579E03D} - (no file) SafeBoot-Java . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Les\Application Data\Mozilla\Firefox\Profiles\jurqkuvk.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.fi/ FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvlc.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-24 12:58:18 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe . ************************************************************************** . Completion time: 2008-10-24 13:04:23 - machine was rebooted ComboFix-quarantined-files.txt 2008-10-24 10:04:16 Pre-Run: 3 182 624 768 bytes free Post-Run: 4,040,167,424 bytes free 223 --- E O F --- 2008-07-22 20:38:25
And heres my new HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:07:32, on 24.10.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\System32\PnkBstrA.exe C:\WINDOWS\System32\PnkBstrB.exe C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\ASUS\Probe\AsusProb.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\V0350Mon.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe c:\program files\avira\antivir personaledition classic\avcenter.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\Bitcomet\tools\BitCometBHO_1.2.2.28.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Creative Live! Cam Manager] C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe O4 - HKCU\..\Run: [BitComet] "G:\Bitcomet\BitComet.exe" /tray O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &D&ownload &with BitComet - res://G:\Bitcomet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://G:\Bitcomet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://G:\Bitcomet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?604bca929ff94c308145d4ad5c91bd5f O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?604bca929ff94c308145d4ad5c91bd5f O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\Bitcomet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130767884463 O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab O20 - AppInit_DLLs: jiqyot.dll O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 10403 bytes
Hey Les26 Please run HijackThis. • Click on the button which says Main Menu, then Do a system scan only. • Please wait for the scan to be completed. • After the scan has completed, check the following entries. Code: O20 - AppInit_DLLs: jiqyot.dll Click on the button Fix checked NOTE:: Close all browsers before fixing anything. Do you recognize this proxy? proxy.dial.inet.fi What problems do you have left? Best Regards
Hi i had to go to work after my last post (working as a seaman). i will try that on monday when i get home again, proxy.dial.inet.fi was my 1st internet providers explorer proxy. now that i dont have that internet provider anymore may i delete it? when i left home today my comp seemed like 500% faster that it was even before that vundo infected my comp. so i think that vundo wasnt my only problem =) I really really thank you so much , that vundo opened popups like in every 2 secs and seemed like it downloaded other viruses aswell and i saw that suddenly i had some adwarealert program too, even i surely didnt istall that and i saw that i one popup window there was my c:\ root in as a ftp server... i'll be in touch on monday/tuesday when i get home... But again thanks so much!
Hey Les26 You're welcome. I understand your relief... You can fix these entries as well: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;<local> Best Wishes
hi, got back from work, fixed those proxy things, comp seems to work like a charm ! Thanks, couldnt manage without you !
