Tech Support Forum > Security Center > HijackThis Log Help

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

06-09-2008, 10:44 AM   #1
Registered User
 
Join Date: Jun 2008
Posts: 2
OS: Win XP SP3


Vundo problems

Hi,

I'm having problems with Vundo. I keep getting a message from McAfee. The main symptom is loads of popups when I'm using the Internet for antispyware sites.

I've tried a number of different things but have failed to remove it.

I have attached the log from Panda and the 'extra' one from DSS. The main log from DSS is included below.

Thanks, in advance, for your help.

JEZ

Quote:
Deckard's System Scanner v20071014.68
Run by ja-2100 on 2008-06-09 18:02:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-09 17:02:27 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-06-09 10:26:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-09 18:04:54
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\nwtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOClientu.exe
C:\Documents and Settings\ja-2100\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://talkonline/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://comshare/deciweb/NEC/Login/main.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://talkonline
O1 - Hosts: 213.86.71.217 testing.munich
O1 - Hosts: 192.168.101.28 itesting.munich
O2 - BHO: (no name) - {220839D2-6FF5-4074-8A70-CC6BFF1FD19D} - C:\WINDOWS\system32\jkkICvts.dll (file missing)
O2 - BHO: {f33cc64f-fc0e-202b-c244-24a3e94ab973} - {379ba49e-3a42-442c-b202-e0cff46cc33f} - C:\WINDOWS\system32\jwqpvobb.dll
O2 - BHO: (no name) - {4A675117-BD74-45D2-AB3E-682B43FB0252} - C:\WINDOWS\system32\jkkJbAPh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll
O2 - BHO: SecureLogin IESSO Browser Helper Object - {7DE7B623-A17E-4A0B-94BA-D1B3BA646792} - C:\Program Files\Novell\SecureLogin\iesso.dll
O2 - BHO: (no name) - {801BF87E-A000-11D3-81FE-00902741DE09} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SecureLogin - Taskbar App] "C:\Program Files\Novell\SecureLogin\slproto.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [42217e54] rundll32.exe "C:\WINDOWS\system32\wryilfih.dll",b
O4 - HKLM\..\Run: [BM41124dc8] Rundll32.exe "C:\WINDOWS\system32\tckftqnu.dll",s
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: naldesk.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Symantec Backup Exec Desktop Agent.lnk = C:\Program Files\Symantec\Backup Exec\DLO\DLOClientu.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/downlo...4/clearadj.cab
O17 - HKLM\Software\..\Telephony: DomainName = necgroup.lan
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{EEC164E9-DEB4-421C-90BA-60FA06830CF3}: NameServer = 172.16.80.62,172.16.80.19
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = necgroup.lan
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = necgroup.lan
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = necgroup.lan
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec Backup Exec Desktop Agent Change Journal Reader (DLOChangeJournalSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe


--
End of file - 15043 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; Lenovo Group Limited; ThinkPad OnScreenDisplay>
R1 TPPWRIF - c:\windows\system32\drivers\tppwrif.sys
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSNS (Novell Simple Naming Services (NWSNS)) - c:\windows\system32\netware\nwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 SUService (System Update) - "c:\program files\lenovo\system update\suservice.exe" <Not Verified; Lenovo Group Limited; ThinkVantage System Update Service>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S2 acs (Atheros Configuration Service) - c:\windows\system32\acs.exe <Not Verified; Atheros; Atheros Configuration Service (ACS)>
S2 MioNet - "c:\program files\mionet\mionetmanager.exe" -s "c:\program files\mionet\wrapper.conf"
S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: ACPI\ATM1200\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\ATM1200\4&38462492&0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-09 18:01:06 362 --a------ C:\WINDOWS\Tasks\DLOClientu.exe - NEC-GROUP_ja-2100.job
2008-06-09 17:59:00 304 --a------ C:\WINDOWS\Tasks\PMTask.job
2008-06-09 17:58:51 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-27 14:53:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-09 11:22:46 0 d-------- C:\Program Files\Trend Micro
2008-06-09 0906 82944 --a------ C:\WINDOWS\system32\wryilfih.dll
2008-06-08 20:48:34 91648 --a------ C:\WINDOWS\system32\tckftqnu.dll
2008-06-06 16:10:00 0 d-------- C:\Program Files\Panda Security
2008-06-06 14:10:01 95744 --a------ C:\WINDOWS\system32\jwqpvobb.dll
2008-06-06 14:07:01 91136 --a------ C:\WINDOWS\system32\euvtnsrx.dll
2008-06-06 11:36:29 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-06 11:18:54 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 11:18:23 0 d-------- C:\Program Files\Spyware Doctor
2008-06-06 11:18:23 0 d-------- C:\Documents and Settings\ja-2100\Application Data\PC Tools
2008-06-05 14:03:59 516034 --ahs---- C:\WINDOWS\system32\hPAbJkkj.ini2
2008-06-05 14:03:54 280576 --a------ C:\WINDOWS\system32\jkkJbAPh.dll
2008-06-05 12:51:00 500297 --ahs---- C:\WINDOWS\system32\ihRCdcdd.ini2
2008-06-05 11:38:38 509203 --ahs---- C:\WINDOWS\system32\UxEOnnmp.ini2
2008-06-05 11:10:22 0 d-------- C:\Program Files\Windows Defender
2008-06-04 13:04:25 513910 --ahs---- C:\WINDOWS\system32\stvCIkkj.ini2
2008-06-04 12:34:41 0 d-------- C:\Documents and Settings\ja-2100\Application Data\ICAClient
2008-06-04 12:32:35 0 d-------- C:\Program Files\Citrix
2008-06-04 09:12:20 0 d-------- C:\Documents and Settings\ja-2100\Application Data\MioNet
2008-06-04 09:11:52 0 d-------- C:\Program Files\MioNet
2008-06-03 09:49:47 0 d-------- C:\Program Files\SyncToy 2.0 Beta
2008-06-03 09:49:21 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-27 14:53:21 0 d-------- C:\Program Files\Safari
2008-05-27 14:53:02 0 d-------- C:\Program Files\Apple Software Update
2008-05-20 13:15:31 0 d-------- C:\WINDOWS\Prefetch
2008-05-20 13:05:23 0 d-------- C:\WINDOWS\system32\scripting
2008-05-20 13:05:21 0 d-------- C:\WINDOWS\l2schemas
2008-05-20 13:05:20 0 d-------- C:\WINDOWS\system32\en
2008-05-20 13:05:20 0 d-------- C:\WINDOWS\system32\bits
2008-05-20 13:01:12 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-20 12:57:08 0 d-------- C:\WINDOWS\network diagnostic
2008-05-20 11:45:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-19 20:45:55 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-19 20:44:23 0 d-------- C:\Program Files\CyberLink
2008-05-19 20:26:51 0 d-------- C:\Program Files\Kontiki
2008-05-19 20:26:50 0 d-------- C:\Program Files\Channel4
2008-05-19 20:26:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-19 20:25:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-05-19 13:00:24 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Free Download Manager
2008-05-19 13:00:18 0 d-------- C:\Program Files\Free Download Manager
2008-05-19 13:00:18 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-05-19 12:28:15 0 d-------- C:\Program Files\Digital Line Detect
2008-05-19 12:27:51 0 d-------- C:\Program Files\NetWaiting
2008-05-19 12:27:49 0 d-------- C:\Documents and Settings\ja-2100\Application Data\InstallShield
2008-05-19 12:27:14 0 d-------- C:\Program Files\CONEXANT
2008-05-19 12:25:10 188 --a------ C:\WINDOWS\x
2008-05-19 12:24:00 16384 -----n--- C:\WINDOWS\PWMBTHLP.EXE
2008-05-19 12:23:59 4442 -----n--- C:\WINDOWS\system32\drivers\TPPWRIF.SYS
2008-05-19 12:22:39 4608 -----n--- C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2008-05-19 12:21:32 0 d-------- C:\Program Files\ThinkPad
2008-05-15 15:38:07 0 d-------- C:\Documents and Settings\ja-2100\Application Data\InfraRecorder
2008-05-14 19:40:32 0 d-------- C:\Program Files\Lexmark Z700-P700 Series
2008-05-14 19:39:24 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-05-14 14:41:32 0 d-------- C:\Program Files\HumanConcepts
2008-05-14 14:41:32 0 d-------- C:\Program Files\Common Files\HumanConcepts
2008-05-14 12:46:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-13 16:49:31 1495552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2008-05-13 15:11:12 3772247 --a------ C:\WINDOWS\FramePkg.exe <Not Verified; McAfee, Inc.; McAfee Common Framework>
2008-05-13 12:40:55 0 d-------- C:\Documents and Settings\ja-2100\Application Data\dvdcss
2008-05-12 10:46:40 0 d-------- C:\Documents and Settings\ja-2100\Application Data\vlc
2008-05-12 10:44:01 0 d-------- C:\Program Files\VideoLAN
2008-05-12 09:41:33 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Apple Computer
2008-05-12 09:41:10 0 d-------- C:\Program Files\iPod
2008-05-12 09:40:59 0 d-------- C:\Program Files\iTunes
2008-05-12 09:39:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 09:38:16 0 d-------- C:\Program Files\Common Files\Apple
2008-05-12 09:38:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-09 09:40:42 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Research In Motion


-- Find3M Report ---------------------------------------------------------------

2008-05-20 1303 0 d-------- C:\Program Files\Messenger
2008-05-20 13:05:19 0 d-------- C:\Program Files\Movie Maker
2008-05-20 13:00:45 0 d-------- C:\Program Files\Windows NT
2008-05-19 20:44:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 12:22:36 0 d-------- C:\Program Files\Lenovo
2008-05-15 16:47:53 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Adobe
2008-05-14 14:41:32 0 d-------- C:\Program Files\Common Files
2008-05-12 09:40:43 0 d-------- C:\Program Files\Bonjour
2008-05-12 09:40:03 0 d-------- C:\Program Files\QuickTime
2008-05-07 10:27:14 0 d-------- C:\Program Files\MSECache
2008-04-28 10:50:09 376832 --a------ C:\WINDOWS\system32\AegisI5Installer.exe <Not Verified; ; AegisInstall Application>
2008-04-28 10:49:14 0 d-------- C:\Program Files\Intel
2008-04-25 12:59:30 0 d-------- C:\Documents and Settings\ja-2100\Application Data\WebTrends
2008-04-25 12:58:49 0 d-------- C:\Program Files\WebTrends Report Exporter
2008-04-25 10:53:23 0 d-------- C:\Program Files\Java
2008-04-25 10:41:15 0 d-------- C:\Program Files\Common Files\Lenovo
2008-04-25 10:35:05 0 d-------- C:\Program Files\ThinkVantage Fingerprint Software
2008-04-25 10:30:20 0 d-------- C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-04-24 18:03:52 0 d-------- C:\Program Files\Fiddler2
2008-04-24 14:34:42 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Blackberry Desktop
2008-04-24 14:34:36 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-04-24 14:34:09 0 d-------- C:\Program Files\Research In Motion
2008-04-24 12:45:02 0 d-------- C:\Program Files\SecondLife
2008-04-24 12:40:35 0 d-------- C:\Documents and Settings\ja-2100\Application Data\SecondLife
2008-04-23 15:33:23 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Sun
2008-04-23 15:32:04 0 d-------- C:\Program Files\Common Files\Java
2008-04-23 14:53:05 0 d-------- C:\Program Files\PC Inspector File Recovery
2008-04-23 13:58:12 0 d-------- C:\Documents and Settings\ja-2100\Application Data\U3
2008-04-23 10:30:09 0 d-------- C:\Documents and Settings\ja-2100\Application Data\GlobalSCAPE
2008-04-23 10:29:42 0 d-------- C:\Program Files\GlobalSCAPE
2008-04-22 17:19:51 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-22 11:04:28 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Roxio
2008-04-22 10:44:32 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-04-22 10:41:43 0 d-------- C:\Program Files\Roxio
2008-04-22 10:40:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-22 09:40:38 0 d-------- C:\Program Files\Microsoft Visual SourceSafe
2008-04-22 09:39:37 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-22 08:42:29 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-22 08:35:52 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Macromedia
2008-04-22 08:34:20 0 d-------- C:\Documents and Settings\ja-2100\Application Data\SecureLogin
2008-04-21 16:45:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-21 16:45:16 0 d-------- C:\Documents and Settings\ja-2100\Application Data\Mozilla
2008-04-21 16:31:59 0 d-------- C:\Program Files\Novell
2008-04-21 16:31:20 0 d-------- C:\Program Files\MessageAlert
2008-04-21 16:24:32 0 d-------- C:\Program Files\Symantec
2008-04-21 16:24:32 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-21 16:08:42 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-21 16:08:17 0 d-------- C:\Program Files\Microsoft.NET
2008-04-21 15:22:21 0 d-------- C:\Program Files\Hitec Laboratories
2008-04-21 13:44:56 0 d-------- C:\Program Files\McAfee
2008-04-21 13:44:56 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-04-21 13:44:27 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-21 13:33:09 0 d-------- C:\Program Files\CUAgent
2008-04-21 13:31:48 0 d-------- C:\Program Files\Analog Devices
2008-03-18 16:56:27 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-18 16:49:25 62 --ahs---- C:\Documents and Settings\ja-2100\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220839D2-6FF5-4074-8A70-CC6BFF1FD19D}]
C:\WINDOWS\system32\jkkICvts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{379ba49e-3a42-442c-b202-e0cff46cc33f}]
06/06/2008 14:10 95744 --a------ C:\WINDOWS\system32\jwqpvobb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A675117-BD74-45D2-AB3E-682B43FB0252}]
05/06/2008 14:03 280576 --a------ C:\WINDOWS\system32\jkkJbAPh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [15/08/2007 16:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [15/08/2007 16:07]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [15/08/2007 16:07]
"BluetoothAuthenticationAgent"="bthprops.cpl" [14/04/2008 05:42 C:\WINDOWS\system32\bthprops.cpl]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [11/12/2007 11:11]
"NWTRAY"="NWTRAY.EXE" [12/03/2002 12:37 C:\WINDOWS\system32\nwtray.exe]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [24/01/2008 20:50]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [14/04/2008 05:42]
"SecureLogin - Taskbar App"="C:\Program Files\Novell\SecureLogin\slproto.exe" [24/08/2004 17:11]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22/10/2006 23:24]
"@"="" []
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20/03/2007 16:40]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [25/09/2004 07:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [14/08/2007 15:32]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [04/03/2008 10:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 03:06]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [24/01/2008 10:21]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [27/04/2007 02:33]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [26/03/2008 03:06]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [11/01/2008 01:30]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [11/01/2008 01:30]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 20:24]
"MioNet"="C:\Program Files\MioNet\MioNetLauncher.exe" [14/01/2008 14:16]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"42217e54"="C:\WINDOWS\system32\wryilfih.dll" [09/06/2008 09:06]
"BM41124dc8"="C:\WINDOWS\system32\tckftqnu.dll" [08/06/2008 20:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [28/02/2007 23:06]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 14/08/2007 15:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 06/09/2006 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 14/12/2007 16:36 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0 C:\WINDOWS\system32\jkkJbAPh
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1993962763-73586283-725345543-10199\Scripts\Logon\0\0]
"Script"=\\grpdc01\netlogon\drive_map.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1993962763-73586283-725345543-2810\Scripts\Logon\0\0]
"Script"=\\grpdc01\NETLOGON\drive_map.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57a651f9-1115-11dd-9d03-0016cfe24fb7}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de17917e-11d3-11dd-9d04-0016cfe24fb7}]
Auto\command- Y:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe




-- Hosts -----------------------------------------------------------------------

213.86.71.217 testing.munich
192.168.101.28 itesting.munich


-- End of Deckard's System Scanner: finished at 2008-06-09 18:08:16 ------------
Attached Files
File Type: txt extra.txt (19.2 KB, 1 views)
File Type: txt ActiveScan.txt (27.0 KB, 1 views)
jezzie is offline  
Old 06-11-2008, 12:43 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 1,897
OS: Vista, Ubuntu 8.04


Re: Vundo problems

Hi jezzie

Please don't wrap your posts in quote boxes.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

=================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

=================


Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer.

Alternate link

Make sure you close down EVERY open window and close ALL browser windows. The only thing that should be open is the HijackThis program.

Double-click on the file you just downloaded.
Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

  • If it gives you an intro screen, just choose 'Do a system scan and save a log file'.
  • If not, run a scan and save the log file.
  • Copy the text file (Ctrl+A then Ctrl+C) and paste it here.
  • Do not fix any entries in HijackThis since they may be harmless.
  • Make sure to include the System information at the top of the log as well.

=================

In your next post, please include fresh logs from:
  • ComboFix.txt
  • HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Go raibh maith agat

Last edited by alba : 06-11-2008 at 12:44 AM.
alba is offline  
Old 06-19-2008, 04:56 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 2
OS: Win XP SP3


Re: Vundo problems

Hi,

When I dragged the downloaded file from Microsoft onto ComboFix.exe I got a stack of virus and spyware alerts. McAfee found RemAdm-ProcLaunch!171 and Spyware Doctor found Trojan-PWS.Bancos and Backdoor.VB.AYS.

Obviously I didn't continue - what should I do?

Thanks
jezzie is offline  
Old 06-19-2008, 08:25 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 1,897
OS: Vista, Ubuntu 8.04


Re: Vundo problems

Hi jezzie

That is because they were probably brought down by the viruses that are already on your PC; it was only a coincidence that they popped up when you were dragging the file. I have reposted the instructions; please follow them.

===============================

We will begin with ComboFix.exe.

Please ensure you install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Disabling AntiSpyware Programs

    WINDOWS DEFENDER
    • Click Start > Programs > Windows Defender or launch from the system tray icon.
    • Click on Tools & Settings > Options.
    • Under Real-time protection options, uncheck the "Real-time protection" check box.
    • Click Save.
    • Go to Start > Control Panel > Security > Windows Defender; at the bottom of the Windows Defender page, under Administrator Options, uncheck "Use Windows Defender" and then Save.
    • (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

    SPY SWEEPER
    • Open Spy Sweeper and click on Options > Program Options and uncheck "load at windows startup".
    • On the left click "shields" and then uncheck everything there.
    • Uncheck "home page shield".
    • Uncheck "automatically restore default without notification".
    • Exit the program.
    • (When we are done, you can re-enable it using the same steps but this time reverse them.)

    MCAFEE ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for a sign.
    • Right-click it -> choose "Exit."
    • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
    • (When we are done, you can re-enable it using the same steps but this time reverse them.)
    You have successfully disabled the McAfee Guard.

  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

=================

Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer.

Alternate link

Make sure you close down EVERY open window and close ALL browser windows. The only thing that should be open is the HijackThis program.

Double-click on the file you just downloaded.
Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

  • If it gives you an intro screen, just choose 'Do a system scan and save a log file'.
  • If not, run a scan and save the log file.
  • Copy the text file (Ctrl+A then Ctrl+C) and paste it here.
  • Do not fix any entries in HijackThis since they may be harmless.
  • Make sure to include the System information at the top of the log as well.

=================

In your next post, please include fresh logs from:
  • ComboFix.txt
  • HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Go raibh maith agat

Last edited by alba : 06-19-2008 at 08:28 AM.
alba is offline  

Copyright 2001 - 2008, Tech Support Forum
