#1
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
VundoFix can't remove Vundo even in safe mode :(
Hello, first of all thanks a lot for your help and time!
After running an Ad-Aware scan I found cbxxy.dll on my computer. I read I should run VundoFix. I ran it several times, even in Safe Mode. I think it rebooted my computer six times, but it couldn't erase it. Also, I have Norton Personal Firewall, but all of a sudden it is permanently disabled :( and I can't seem to enable it anyway... I've tried several things but it's not working... My computer is getting too slow and the sound fails at times... Again, thanks a lot for the help :). Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:55:58, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\NMain.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Jazmin')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1006\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" (User 'Jazmin')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8841 bytes
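A quick way to triage a log like the one in the post above, added here as an example and not part of the original post or of HijackThis itself: the script below applies a handful of explicit rules to each HijackThis entry. It flags the O17 NameServer line (DNS servers hard-coded on the adapter, which on a home XP box normally come from DHCP and should be checked against what the ISP hands out), the O16 DPF entry whose download URL is a bare IP address serving an .exe, the R0/R1 lines whose search and start pages point at prosearching.com, and entries whose target file no longer exists. The sample lines are a constructed excerpt of the first log in this thread, with the MSN URLs kept in the elided "..." form the page shows; the severities and rules are the example's own heuristics, not HijackThis output.

```python
"""Triage a HijackThis log line by line with a few explicit rules.

Added example for this thread, not HijackThis output and not the forum's
own fix. The sample is a constructed excerpt of the first log posted above;
the severities and rules are this example's own heuristics.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (severity, code, reason, line) for every entry a rule fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        finding = None
        if code == "O17" and "NameServer = " in body:
            # Hard-coded DNS on an adapter. A home XP box normally takes DNS
            # from DHCP, so any public address here needs to be checked
            # against what the ISP actually hands out.
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            public = [s for s in servers if _is_ip(s) and not ip_address(s).is_private]
            if public:
                finding = ("HIGH", "hard-coded public DNS servers: " + ", ".join(public))
        elif code == "O16":
            # Downloaded Program Files: an ActiveX object IE fetched from a URL.
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            reasons = []
            if _is_ip(host):
                reasons.append("download host is a bare IP address")
            if url.lower().endswith(".exe"):
                reasons.append("object is a raw .exe rather than a CAB")
            if reasons:
                finding = ("HIGH", "; ".join(reasons))
        elif code in ("R0", "R1") and "=" in body:
            # Start page, search page and similar IE settings.
            value = body.split("=", 1)[1].strip()
            if value.startswith("http") or "." in value:
                finding = ("MEDIUM", "IE start/search setting points at " + value)
        if finding is None and any(marker in body for marker in ORPHAN_MARKERS):
            finding = ("LOW", "orphaned entry, target no longer exists")
        if finding:
            findings.append((finding[0], code, finding[1], line))
    return findings


def by_severity(findings):
    """Count findings per severity level."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, code, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {reason}\n         {line}")
```

Run on the constructed excerpt it reports two HIGH entries (the O16 download from a bare IP and the O17 name servers), one MEDIUM (the prosearching.com search URL) and two LOW orphaned entries; the O4 Norton entry and the MSN Messenger CABs are left alone. The rules are deliberately narrow so that each flag says why it fired; anything beyond that is a judgement call for whoever reads the log.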
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing. Because what you don't know CAN hurt you.
Microsoft MVP - Consumer Security 2009
#3
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
Hello!
First of all, thank you very much for your help and attention. I did what you asked me. Here is the ComboFix log:

ComboFix 07-07-27.6 - "Alith" 2007-07-28 9:10:20.1 [GMT -6:00] - FAT32 [SAFE MODE]
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero

((((((((((((((((((((((((((((  V Log  ))))))))))))))))))))))))))))
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\gcqerbgw.dll
C:\WINDOWS\system32\jvupucfo.dll
C:\WINDOWS\system32\sdvxloyg.dll
C:\WINDOWS\system32\mqtbxyrr.exe
C:\WINDOWS\system32\gcqerbgw.dll
C:\WINDOWS\system32\wineti32.dll
C:\WINDOWS\system32\yxxbc.bak2
C:\WINDOWS\system32\yxxbc.ini
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\tuvvspq.dll

* * * POST RUN FILES/FOLDERS * * *
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\tuvvspq.dll

((((((((((((((((((((((((((((  Other Deletions  ))))))))))))))))))))))))))))
C:\Archivos de programa\inetget2
C:\Archivos de programa\inetget2\popinstall.exe
C:\DOCUME~1\Alith\DATOSD~1.\macromedia\Flash Player\#SharedObjects\BLY98RKL\www.broadcaster.com
C:\DOCUME~1\Alith\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Alith\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\ALLUSE~1\DATOSD~1\WinAntiVirus Pro 2006
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\Logs\update.log
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\PGE.dat
C:\WINDOWS\b122.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\retadpu2000352.exe
C:\WINDOWS\system32\stera.job

((((((((((((((((((((((((((((  Drivers/Services  ))))))))))))))))))))))))))))
-------\vspf

((((((((((((((((((((((((((((  Files Created from 2007-06-28 to 2007-07-28  ))))))))))))))))))))))))))))
2007-07-28 08:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 16:23 126,016 --a------ C:\WINDOWS\system32\loorvogp.dll
2007-07-27 15:58 13,312 --a------ C:\WINDOWS\system32\s2f.exe
2007-07-26 16:40 70,312 --a------ C:\Archivos de programa\codec_setup.exe
2007-07-26 16:18 126,016 --a------ C:\WINDOWS\system32\moovsnta.dll
2007-07-25 16:30 10,240 --a------ C:\WINDOWS\system32\hlpsrv.exe
2007-07-22 19:54 <DIR> d-------- C:\VundoFix Backups
2007-07-22 19:17 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\TuneUp Software
2007-07-22 18:49 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\Lavasoft
2007-07-21 16:23 266,336 --------- C:\WINDOWS\system32\cbxxy.dll
2007-07-21 16:22 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-07-21 16:22 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-07-21 16:11 <DIR> d-------- C:\Archivos de programa\Audio FlashCards (Japanese)
2007-07-21 14:50 31,254 --------- C:\WINDOWS\system32\tuvvspq.dll
2007-07-21 14:29 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-07-21 14:29 <DIR> d-------- C:\Archivos de programa\DAEMON Tools
2007-07-21 14:21 96,256 --a------ C:\WINDOWS\system32\drivers\sptd8509.sys
2007-07-21 14:21 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-03 15:31 <DIR> d-------- C:\DOCUME~1\Jazmin\Contacts
2007-07-03 14:15 <DIR> d-------- C:\DOCUME~1\Jazmin\Incomplete
2007-07-03 14:14 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\LimeWire
2007-07-01 21:50 <DIR> d-------- C:\Archivos de programa\Silkroad
2007-06-29 14:58 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\uTorrent

((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))
2007-07-28 09:28 4672 --a------ C:\WINDOWS\system32\uqipwytd.exe
2007-07-28 09:24 12660 --a------ C:\WINDOWS\system32\tablet.dat
2007-07-14 14:26 95380 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-07-14 14:26 503656 --a------ C:\WINDOWS\system32\perfh00A.dat
2007-06-17 16:06 --------- d-------- C:\Archivos de programa\Glidden
2007-06-17 16:05 724992 --a------ C:\WINDOWS\iun600.exe
2007-06-07 18:10 --------- d-------- C:\Archivos de programa\Slide
2007-05-30 10:56 3805 --a------ C:\WINDOWS\mozver.dat
2007-05-28 21:51 --------- d-------- C:\DOCUME~1\Alith\DATOSD~1\SolidDocuments
2007-05-28 21:50 --------- d-------- C:\Archivos de programa\SolidDocuments
2007-05-27 20:45 --------- d-------- C:\Archivos de programa\IrfanView
2007-05-25 19:18 201728 --a------ C:\WINDOWS\system32\Piratas del Caribe En el Fin del Mundo.scr
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-04-16 10:35 80760 --a------ C:\DOCUME~1\Alith\DATOSD~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
2007-07-21 14:50 31254 --------- C:\WINDOWS\system32\tuvvspq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE92AB68-810E-48AD-B489-9AE2B4BC9CEF}]
2007-07-21 16:23 266336 --------- C:\WINDOWS\system32\cbxxy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iamapp"="C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE" [2001-08-30 01:32]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools"="C:\Archivos de programa\DAEMON Tools\daemon.exe" [2005-12-10 08:57]
"MemoryManager"="C:\WINDOWS\system32\svwoolij.dll" [2007-07-28 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:42]
"MsnMsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 17:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"= C:\WINDOWS\system32\tuvvspq.dll [2007-07-21 14:50 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxy]
C:\WINDOWS\system32\cbxxy.dll 2007-07-21 16:23 266336 C:\WINDOWS\system32\cbxxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvspq]
tuvvspq.dll 2007-07-21 14:50 31254 C:\WINDOWS\system32\tuvvspq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblh32]
winblh32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xcttgs]
xcttgs.dll 1980-01-01 00:00 46172 C:\WINDOWS\system32\xcttgs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgs.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alith^Menú Inicio^Programas^Inicio^HotSync Manager.lnk]
path=C:\Documents and Settings\Alith\Menú Inicio\Programas\Inicio\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Reboot.exe]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3ad8b6d1.exe]
C:\WINDOWS\system32\3ad8b6d1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aouu]
"C:\Archivos de programa\ioca\oubl.exe" -vt yazr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win131E.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
C:\Archivos de programa\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Archivos de programa\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Archivos de programa\Trend Micro\Internet Security 2005\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoveWGA]
C:\Documents and Settings\Alith\Escritorio\RemoveWGA.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\slide.exe]
c:\archivos de programa\slide\slide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"C:\Program Files\webHancer\Programs\whAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"C:\Program Files\webHancer\Programs\whSurvey.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Archivos de programa\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Archivos de programa\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

R0 PenClass;Pen Class;C:\WINDOWS\system32\drivers\PenClass.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\Drivers\tmtdi.sys
R1 xcttgm;STK Bi 001;\??\C:\WINDOWS\system32\xcttgm.sys
R2 SQLWriter;SQL Server VSS Writer;"C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 tm_cfw;Common Firewall Driver;C:\WINDOWS\system32\Drivers\tm_cfw.sys
R2 Tmfilter;Tmfilter;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 Vsapint;Vsapint;C:\WINDOWS\system32\drivers\Vsapint.sys
R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
R3 FETNDIS;Controlador para NT del adaptador Fast Ethernet VIA PCI 10/100Mb;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 ms_mpu401;Controlador UART MIDI Microsoft MPU-401;C:\WINDOWS\system32\drivers\msmpu401.sys
S1 vspf_hk;vspf_hk;\??\C:\WINDOWS\system32\drivers\vspf_hk5.sys
S2 NISSERV;Norton Personal Firewall Service;"C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE"
S2 xcttgs;STK Bi 002;\??\C:\WINDOWS\system32\xcttgm.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 Tomcat6;Apache Tomcat;"C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service;"C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe"
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
S3 VSPerfDrv;Performance Tools Driver;\??\C:\Archivos de programa\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Archivos de programa\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 SQLBrowser;SQL Server Browser;"C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
S4 W3stuvc;W3stuvc;C:\WINDOWS\system32\edlin.exe

Contents of the 'Scheduled Tasks' folder
2007-07-27 23:22:32 C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 09:27:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
C:\WINDOWS\SYSTEM32\WINLOGON.EXE [768] 0x812B1DA0
C:\WINDOWS\EXPLORER.EXE [2688] 0x811948B8

scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Archivos de programa\MySQL\MySQL Server 4.1\my.ini\" MySQL"

Completion time: 2007-07-28 9:34:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-28 09:34
--- E O F ---
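The "Reg Loading Points" section of the ComboFix log above is the part that explains why VundoFix in Safe Mode did not finish the job. The same DLL is registered at several load points: tuvvspq.dll as a Browser Helper Object, a ShellExecuteHook and a Winlogon notification package, cbxxy.dll as a BHO and a Winlogon notification package, and there are keys named xcttgm.sys and xcttgs.sys under SafeBoot\Minimal, the list of drivers and services Windows is allowed to start in Safe Mode. Winlogon notification DLLs are loaded by winlogon.exe, which runs in Safe Mode as well. The script below, added here as an example and not ComboFix's own code, indexes that section by module and reports which modules have more than one load point and which would still be loaded in Safe Mode. The sample text is a constructed excerpt of the log posted above; the category names and the Safe Mode rule are this example's own assumptions.

```python
"""Cross-reference the autostart entries in a ComboFix "Reg Loading Points"
section: which modules sit at more than one load point, and which of those
load points are still honoured when the machine boots into Safe Mode.

Added example for this thread, not ComboFix's own code. The sample is a
constructed excerpt of the ComboFix log posted above; the category names
and the Safe Mode rule are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Reg Loading Points" section above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
2007-07-21 14:50 31254 --------- C:\WINDOWS\system32\tuvvspq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE92AB68-810E-48AD-B489-9AE2B4BC9CEF}]
2007-07-21 16:23 266336 --------- C:\WINDOWS\system32\cbxxy.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iamapp"="C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE" [2001-08-30 01:32]
"MemoryManager"="C:\WINDOWS\system32\svwoolij.dll" [2007-07-28 09:31]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"= C:\WINDOWS\system32\tuvvspq.dll [2007-07-21 14:50 31254]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxy]
C:\WINDOWS\system32\cbxxy.dll 2007-07-21 16:23 266336 C:\WINDOWS\system32\cbxxy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvspq]
tuvvspq.dll 2007-07-21 14:50 31254 C:\WINDOWS\system32\tuvvspq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xcttgs]
xcttgs.dll 1980-01-01 00:00 46172 C:\WINDOWS\system32\xcttgs.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgm.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgs.sys]
"""

# Lower-cased substring of the registry key -> load-point category (assumed names).
CATEGORIES = [
    ("browser helper objects", "BHO"),
    ("shellexecutehooks", "ShellExecuteHooks"),
    ("winlogon\\notify", "Winlogon Notify"),
    ("safeboot\\minimal", "SafeBoot Minimal"),
    ("currentversion\\run", "Run"),
]

# Load points still processed in Safe Mode: winlogon.exe runs in Safe Mode and
# loads its Notify packages, and SafeBoot\Minimal is the Safe Mode allow-list.
SAFE_MODE_POINTS = {"Winlogon Notify", "SafeBoot Minimal"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
MODULE_RE = re.compile(r"([\w~-]+\.(?:dll|exe|sys))", re.IGNORECASE)


def categorize(key):
    low = key.lower()
    for needle, category in CATEGORIES:
        if needle in low:
            return category
    return None


def index_load_points(text):
    """Return {module basename (lower-case): set of load-point categories}."""
    index = defaultdict(set)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            category = categorize(key)
            # SafeBoot\Minimal names the driver in the key itself, with no value line.
            if category == "SafeBoot Minimal":
                index[key.rsplit("\\", 1)[-1].lower()].add(category)
            continue
        if category is None:
            continue
        for name in MODULE_RE.findall(line):
            index[name.lower()].add(category)
    return dict(index)


def multi_point(index):
    """Modules registered at two or more load points, most load points first."""
    return sorted(
        ((name, sorted(cats)) for name, cats in index.items() if len(cats) > 1),
        key=lambda item: (-len(item[1]), item[0]),
    )


def safe_mode_survivors(index):
    """Modules whose load point is still honoured when booting into Safe Mode."""
    return sorted(name for name, cats in index.items() if cats & SAFE_MODE_POINTS)


if __name__ == "__main__":
    idx = index_load_points(SAMPLE)
    for name, cats in multi_point(idx):
        print(f"{name}: {', '.join(cats)}")
    print("still loaded in Safe Mode:", ", ".join(safe_mode_survivors(idx)))
```

On the excerpt, tuvvspq.dll comes out with three load points and cbxxy.dll with two, and five modules (both DLLs, xcttgs.dll and the two SafeBoot\Minimal entries) would still load in Safe Mode. That is the practical reading of the log: a tool that only removes files while one of these load points is still active, in whatever boot mode, will keep finding the same names back, which matches what the original poster saw with VundoFix.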
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Hello -
You're quite welcome for the help. Please also post a new HijackThis log, as requested, to help me help you.
__________________
Practice Safe Surfing. Because what you don't know CAN hurt you.
Microsoft MVP - Consumer Security 2009
#5
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
Oops my mistake, here it goes!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:30:11, on 28/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\uqipwytd.exe
C:\WINDOWS\system32\gsevxglp.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [svg_file_op1] FileOps.exe -r "C:\Archivos de programa\Archivos comunes\Adobe\SVG Viewer 3.0\Uninstall"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Sergio')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Jazmin')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1010\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Rita')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 7622 bytes
#7
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
webHancer

Do NOT reboot if it's requested.
---------------------------------------------------------------------------------------------
Please do this in Normal Mode, not Safe Mode. I did not ask you to run ComboFix in Safe Mode.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#8
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
Hello!
First, I didn't find WebHancer among the list of installed programs. I'm having a problem with ComboFix. When I drop the CFScript.txt file onto it, it begins an AutoScan.. When it ends it reboots the computer, but when I log in again ComboFix doesn't run, and the script has disappeared. Therefore it doesn't create a log.. I am not sure why this happens... What should I do? Thanks
#9
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Please locate this file:
C:\ComboFix.txt and post it. Also tell me if this folder exists: C:\ComboFix
#10
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
In C:/ all I can see is ComboFix2.txt, that's the log I had copied here the first time I ran ComboFix.
The folder ComboFix exists and inside there's a ComboFix.txt, here it is:

ComboFix 07-07-28.5 - "Alith" 2007-07-29 11:50:01.6 [GMT -6:00] - FAT32
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
Command switches used :: C:\Documents and Settings\Alith\Escritorio\CFScript.txt
* Created a new restore point
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Hello, Rei -
I need to consult with the tool's author. Please be patient with me, and I'll get back to you as soon as I can.
#12
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
Hello again!
Please don't worry and take your time. My computer is much better since I ran ComboFix. Thank you for your help, I'll be waiting :)
#13
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Hello, Rei -
Please recreate the script from Post #7, and perform the same steps once again. Report back with your results from that step, the log produced, and a new HijackThis log.

Here it is again:

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
Last edited by tetonbob; 07-29-2007 at 04:38 PM.
#14
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
I performed the steps again.
This time, before rebooting, the AutoScan window displayed the file names (which hadn't been shown before), but again after rebooting it didn't run... The ComboFix.txt file is this:

ComboFix 07-07-28.5 - "Alith" 2007-07-29 16:59:07.7 [GMT -6:00] - FAT32
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
Command switches used :: C:\Documents and Settings\Alith\Escritorio\CFScript.txt
* Created a new restore point

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10, on 2007-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe
-- End of file - 7012 bytes
#15
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Please read these instructions carefully, and ask any questions you might have before proceeding. Take care to follow the instructions precisely.
Delete your existing version of ComboFix. Download a new copy of combofix.exe to your desktop. --> << click here >>

Then download this file --> << click here >>

There are 2 files within:

Do not run ComboFix.exe. Instead run 1.exe first by doubleclicking it. A black DOS window shall appear. If it runs to completion, a ComboFix.txt log will be produced. In that case, there shall be no need to run 2.exe.

If the DOS window from 1.exe doesn't produce a log after 15 minutes OR if the DOS window closes on its own without producing a log, RUN 2.exe (without closing the first window). It shall produce a zipped file named catchme.zip which will be located on your Desktop.

This catchme.zip must be uploaded to here: http://www.bleepingcomputer.com/subm....php?channel=4
#16
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
Hi,
I followed the instructions, and this was the result. I ran 1.exe and after five or six minutes my computer rebooted, and when I logged in again the window didn't appear again, nor anything else. Then I ran 2.exe but it didn't generate a zip file. I saw some sort of error message before the console with 2.exe disappeared; it was in Spanish so I am not sure what the correct translation is.. It says something like the command can't be recognized as an executable file or program.. I've seen that error when I try to run a program that doesn't exist.
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
The exact error message would be helpful.
I'm not sure why ComboFix ran successfully the first time, and not since then.
#18
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
This is what it says exactly:
"sed" no se reconoce como un comando interno o externo, programa o archivo por lotes ejecutable

Translation: "sed" is not recognized as an internal or external command, program or executable file.

About ComboFix, the only different thing is that the first time I ran it in Safe Mode. Not sure why, I apologize. But besides that nothing else changed.
#19
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home
Re: VundoFix can't remove Vundo even in safe mode :(
Thanks, Rei. I'm sure that will be helpful.
I once again need to consult with the tool author. For now, can you please do this: I'd like you to rename HijackThis.exe to peek.exe.
Then run a new scan with HijackThis, save the log and post it.
#20
Registered User
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP
Re: VundoFix can't remove Vundo even in safe mode :(
Here it is
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Winamp\winamp.exe
C:\Archivos de programa\Trend Micro\HijackThis\peek.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0772EA0F-890F-4B21-BF0B-220CCDA54DC5} - C:\WINDOWS\system32\cbxxy.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {857A461D-8D96-4996-A4A0-AEA0A2535B86} - C:\WINDOWS\system32\tuvvspq.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jngimsqh.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O20 - Winlogon Notify: cbxxy - C:\WINDOWS\system32\cbxxy.dll
O20 - Winlogon Notify: tuvvspq - C:\WINDOWS\SYSTEM32\tuvvspq.dll
O20 - Winlogon Notify: winblh32 - winblh32.dll (file missing)
O20 - Winlogon Notify: xcttgs - C:\WINDOWS\SYSTEM32\xcttgs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe
-- End of file - 7926 bytes
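The O2, O20, O16 and O17 entries the helper reads by eye in the logs above follow a fixed HijackThis layout, so the same checks can be scripted. The Python triage script below is an added example, not code from this thread or from HijackThis/ComboFix: the heuristics and the XP Winlogon Notify allowlist are my own assumptions, and the sample log is constructed (its CLSIDs, DLL names and addresses are copied from the last log posted above; the .cab URL is a placeholder).

```python
"""Triage helper for HijackThis v2 log lines (added example; heuristics are my own)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Winlogon Notify packages shipped with XP (assumed baseline; extend from a known-clean machine).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str

def dll_name(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\y.dll' -> 'y.dll')."""
    return path.strip().split("\\")[-1].lower()

def triage(log: str) -> list[Finding]:
    """Apply the checks the thread's helper did by eye to every line of an HJT log."""
    findings: list[Finding] = []
    roles: dict[str, set[str]] = defaultdict(set)  # dll file name -> HJT sections it appears in
    for raw in log.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if "(no file)" in m["path"]:
                findings.append(Finding("O2", "info", "orphaned BHO entry, no file on disk", line))
            elif m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
                findings.append(Finding("O2", "high", "unnamed BHO loaded from system32", line))
                roles[dll_name(m["path"])].add("O2")
        elif m := O4_RE.match(line):
            cmd = m["cmd"].lower()
            if cmd.startswith("rundll32") and "\\system32\\" in cmd:
                findings.append(Finding("O4", "medium", "rundll32 autostart of a system32 DLL; verify it", line))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if IPV4_RE.match(host) or m["url"].lower().endswith(".exe"):
                findings.append(Finding("O16", "high", "ActiveX download from a bare IP or a direct .exe", line))
        elif m := O17_RE.match(line):
            findings.append(Finding("O17", "info", f"custom DNS servers {m['servers']}; confirm they are your ISP's", line))
        elif m := O20_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O20", "medium", "Winlogon Notify entry points at a missing DLL", line))
            elif m["key"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("O20", "high", "Winlogon Notify package outside the XP baseline", line))
                roles[dll_name(m["path"])].add("O20")
    # One DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20)
    # is the persistence pair cbxxy.dll shows in the thread's last log.
    for dll, sections in sorted(roles.items()):
        if {"O2", "O20"} <= sections:
            findings.append(Finding("O2+O20", "high", f"{dll} is both a BHO and a Winlogon Notify package", dll))
    return findings

def summary(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)

# Constructed sample: CLSIDs, DLL names and addresses copied from the log posted
# above; the .cab URL is a placeholder kept only as a benign O16 for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0772EA0F-890F-4B21-BF0B-220CCDA54DC5} - C:\WINDOWS\system32\cbxxy.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: (no name) - {857A461D-8D96-4996-A4A0-AEA0A2535B86} - C:\WINDOWS\system32\tuvvspq.dll
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jngimsqh.dll",forkonce
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/constructed-example.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O20 - Winlogon Notify: cbxxy - C:\WINDOWS\system32\cbxxy.dll
O20 - Winlogon Notify: tuvvspq - C:\WINDOWS\SYSTEM32\tuvvspq.dll
O20 - Winlogon Notify: winblh32 - winblh32.dll (file missing)
O20 - Winlogon Notify: xcttgs - C:\WINDOWS\SYSTEM32\xcttgs.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG): print(f"[{f.severity}] {f.section}: {f.reason}")
```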