Infected by Trojan.Vundo.H. Not Able to Clean It.
#11  19th May 2009, 03:30  Member Group
Infected by Trojan.Vundo.H. Not Able to Clean It.

Hi Steve,

Find the Fix.bat result:


! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0ncshpgyk\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0

Thanks,
Swami.
#12  19th May 2009, 07:37  Malware Group
Infected by Trojan.Vundo.H. Not Able to Clean It.

Hi there Swami

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
NetSvc::
ncshpgyk
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Keep me updated. Let me know if your antivirus is behaving again....
__________________
Proud member of ASAP & UNITE
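The NetSvc:: line above tells ComboFix to remove ncshpgyk from the SvcHost netsvcs group, the REG_MULTI_SZ list that the Fix.bat output earlier in the thread printed; the helper picked it out because every other name in that list is a known Windows service. As an added example that is not part of the thread and not a ComboFix or Computer Juice tool, the Python script below does that check mechanically: it parses the netsvcs value from reg.exe output, compares each name against a baseline of this machine's legitimate members, and writes any unknown names in the NetSvc:: form a CFScript uses. The baseline and the sample reg.exe output are constructed from the list posted above (without the word-wrap spaces the forum inserted), and the function names are my own.

```python
"""Flag unknown members of the SvcHost netsvcs group from `reg query` output.

Added example for this thread; not a ComboFix or Computer Juice tool.
"""

# Baseline: the netsvcs members that are legitimate on this Windows XP machine,
# taken from the reg.exe output posted earlier in the thread with the suspect
# name (ncshpgyk) left out. Assumption: this is a per-machine allowlist built
# for the example, not an official Microsoft list; other XP builds differ.
KNOWN_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection",
    "helpsvc", "WmdmPmSN", "napagent", "hkmsvc",
}

# Constructed sample of what `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\
# CurrentVersion\SvcHost" /v netsvcs` prints on XP: REG.EXE 3.0 separates the
# REG_MULTI_SZ strings with a literal "\0" and ends the list with "\0\0".
SAMPLE_REG_OUTPUT = (
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\n"
    "    netsvcs\tREG_MULTI_SZ\t6to4\\0AppMgmt\\0AudioSrv\\0Browser\\0CryptSvc\\0"
    "DMServer\\0DHCP\\0ERSvc\\0EventSystem\\0ncshpgyk\\0"
    "FastUserSwitchingCompatibility\\0HidServ\\0Ias\\0Iprip\\0Irmon\\0"
    "LanmanServer\\0LanmanWorkstation\\0Messenger\\0Netman\\0Nla\\0Ntmssvc\\0"
    "NWCWorkstation\\0Nwsapagent\\0Rasauto\\0Rasman\\0Remoteaccess\\0Schedule\\0"
    "Seclogon\\0SENS\\0Sharedaccess\\0SRService\\0Tapisrv\\0Themes\\0TrkWks\\0"
    "W32Time\\0WZCSVC\\0Wmi\\0WmdmPmSp\\0winmgmt\\0wscsvc\\0xmlprov\\0BITS\\0"
    "wuauserv\\0ShellHWDetection\\0helpsvc\\0WmdmPmSN\\0napagent\\0hkmsvc\\0\\0\n"
)


def parse_netsvcs(reg_output):
    """Return the netsvcs group members, in registry order, from reg.exe output."""
    for line in reg_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "netsvcs" and parts[1] == "REG_MULTI_SZ":
            # Split on the literal backslash-zero separator; the trailing
            # "\0\0" terminator yields empty strings, which are dropped.
            return [name for name in parts[2].split("\\0") if name]
    raise ValueError("no netsvcs REG_MULTI_SZ value in the given output")


def unknown_netsvcs(reg_output, baseline=KNOWN_NETSVCS):
    """Names in the netsvcs group that are not in the baseline allowlist."""
    return [name for name in parse_netsvcs(reg_output) if name not in baseline]


def build_cfscript(names):
    """Write the unknown names in the NetSvc:: form the helper used above."""
    return "NetSvc::\n" + "".join(f"{name}\n" for name in names)


if __name__ == "__main__":
    suspects = unknown_netsvcs(SAMPLE_REG_OUTPUT)
    print("unknown netsvcs entries:", suspects)
    print(build_cfscript(suspects), end="")
```

An unknown name is a lead, not a verdict: OEM and security software also add entries to netsvcs, so before scripting a removal look the name up under HKLM\SYSTEM\CurrentControlSet\Services and check which ServiceDll its Parameters key points to.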
#13  19th May 2009, 17:30  Member Group
Infected by Trojan.Vundo.H. Not Able to Clean It.

Hi Steve,

Find attached the ComboFix log.

ComboFix 09-05-15.01 - Swami 05/19/2009 20:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.591 [GMT -4:00]
Running from: c:\documents and settings\swami\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\swami\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.
2009-05-18 23:22 . 2009-05-18 23:22 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-18 23:20 . 2009-05-18 23:20 -------- d-----w C:\KK
2009-05-18 14:32 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-17 22:47 . 2009-05-17 22:47 38344 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 23:47 . 2009-05-16 03:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com
2009-05-15 03:14 . 2009-05-15 03:14 -------- d--h--w C:\VJVod_Cache
2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro
2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae
2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-05-03 03:50 . 2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks
2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 00:15 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client
2009-05-19 01:38 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS
2009-05-19 01:38 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS
2009-05-19 01:38 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS
2009-05-18 23:44 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor
2009-05-17 22:57 . 2007-07-05 23:58 -------- d-----w c:\program files\Java
2009-05-17 22:51 . 2007-07-14 01:14 -------- d-----w c:\program files\Google
2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts
2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 09:19 . 2008-12-19 17:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-16_02.17.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 01:37 . 2009-05-19 01:37 16384 c:\windows\Temp\Perflib_Perfdata_444.dat
- 2004-08-04 12:00 . 2009-05-16 00:30 64774 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-19 01:43 64774 c:\windows\system32\perfc009.dat
- 2007-06-11 16:52 . 2008-06-23 01:06 12288 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-06-11 16:52 . 2009-05-18 23:26 12288 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-06-20 12:33 . 2007-06-20 12:33 86424 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\DBSHARE.DLL
+ 2007-03-23 02:05 . 2007-03-23 02:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2007-06-11 16:52 . 2009-05-18 23:26 4096 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-06-11 16:52 . 2008-06-23 01:06 4096 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-06-11 16:56 . 2009-05-18 23:25 4096 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-06-11 16:56 . 2008-06-11 17:55 4096 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-04 12:00 . 2009-05-16 00:30 409800 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-05-19 01:43 409800 c:\windows\system32\perfh009.dat
+ 2008-10-16 18:07 . 2008-10-16 18:07 208744 c:\windows\system32\muweb.dll
+ 2009-05-17 22:57 . 2009-03-09 09:19 148888 c:\windows\system32\javaws.exe
- 2008-12-19 17:30 . 2008-12-19 17:30 148888 c:\windows\system32\javaws.exe
- 2008-12-19 17:30 . 2008-12-19 17:30 144792 c:\windows\system32\javaw.exe
+ 2009-05-17 22:57 . 2009-03-09 09:19 144792 c:\windows\system32\javaw.exe
- 2008-12-19 17:30 . 2008-12-19 17:30 144792 c:\windows\system32\java.exe
+ 2009-05-17 22:57 . 2009-03-09 09:19 144792 c:\windows\system32\java.exe
+ 2007-06-11 16:52 . 2009-05-18 23:26 176128 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\visicon.exe
- 2007-06-11 16:52 . 2008-06-23 01:06 176128 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\visicon.exe
- 2007-06-11 16:52 . 2008-06-23 01:06 135168 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-06-11 16:52 . 2009-05-18 23:26 135168 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-06-11 16:56 . 2009-05-18 23:25 147456 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe
- 2007-06-11 16:56 . 2008-06-11 17:55 147456 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe
- 2007-06-11 16:56 . 2008-06-11 17:55 135168 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-06-11 16:56 . 2009-05-18 23:25 135168 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-09-08 19:15 . 2009-05-18 23:25 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2006-09-08 19:15 . 2008-10-30 16:46 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-05-29 10:02 . 2007-05-29 10:02 685608 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\SERCONV.DLL
+ 2007-05-29 08:48 . 2007-05-29 08:48 223152 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJSPOOL.EXE
+ 2007-05-29 08:48 . 2007-05-29 08:48 304560 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJRESC.DLL
+ 2006-01-17 22:48 . 2006-01-17 22:48 167176 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJMSGSDR.DLL
+ 2006-01-17 22:48 . 2006-01-17 22:48 146696 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJMSGMGR.DLL
+ 2007-05-29 08:48 . 2007-05-29 08:48 280496 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJ11TM11.DLL
+ 2007-05-29 10:02 . 2007-05-29 10:02 951848 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJ11OD11.DLL
+ 2007-05-29 08:48 . 2007-05-29 08:48 354224 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\MSWARP.DLL
+ 2007-05-29 10:02 . 2007-05-29 10:02 325040 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\ATLCONV.DLL
+ 2004-08-02 15:51 . 2004-08-02 15:51 719720 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\ANLYZTS.DLL
+ 2007-06-20 12:33 . 2007-06-20 12:33 108896 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\VISOCX.DLL
+ 2007-06-20 12:34 . 2007-06-20 12:34 190296 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\VISIO.EXE
+ 2007-06-20 12:29 . 2007-06-20 12:29 554336 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\UMLSYS.DLL
+ 2007-06-20 12:34 . 2007-06-20 12:34 186264 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\SQLSHARE.DLL
+ 2007-06-20 12:29 . 2007-06-20 12:29 335256 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\PDSBASE.DLL
+ 2007-06-20 12:29 . 2007-06-20 12:29 469912 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\ORGCHWIZ.DLL
+ 2007-06-20 12:29 . 2007-06-20 12:29 484760 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\MODELENG.DLL
+ 2007-06-20 12:34 . 2007-06-20 12:34 147864 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\IMUTIL.DLL
+ 2007-06-20 12:29 . 2007-06-20 12:29 537496 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\IMCOMMON.DLL
+ 2007-06-20 12:34 . 2007-06-20 12:34 156056 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\DWGCNV.DLL
+ 2007-06-20 12:34 . 2007-06-20 12:34 135576 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\BRTVIEW.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 868744 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\AEC.DLL
+ 2007-04-19 20:09 . 2007-04-19 20:09 167256 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IETAG.DLL
+ 2003-07-08 15:48 . 2003-07-08 15:48 115288 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
+ 2007-05-10 00:19 . 2007-05-10 00:19 2585936 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2007-05-29 10:02 . 2007-05-29 10:02 1738160 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PRJRES.DLL
+ 2007-05-29 08:48 . 2007-05-29 08:48 4323248 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\PJOLEDB.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 8296344 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\VISLIB.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 2279776 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\VISFILT.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 7819104 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\VISBRGR.DLL
+ 2007-05-10 00:19 . 2007-05-10 00:19 2585936 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 1511256 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\UML.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 2715992 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\SG.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 1001880 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\ORGCHART.DLL
+ 2007-06-20 12:30 . 2007-06-20 12:30 2098064 c:\windows\Installer\$PatchCache$\Managed\9040150900063D11C8EF10054038389C\11.0.8173\DWGDP.DLL
+ 2007-05-31 20:35 . 2007-05-31 20:35 6420320 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\POWERPNT.EXE
+ 2003-07-07 17:36 . 2003-07-07 17:36 2058343 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2007-05-29 10:02 . 2007-05-29 10:02 11421704 c:\windows\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\WINPROJ.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-14 396288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/26/2008 12:36 PM 33752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 20:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1340)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\igfxdev.dll
c:\windows\system32\notifyf2.dll
- - - - - - - > 'Explorer.exe'(3084)
c:\windows\system32\PROCHLP.DLL
.
Completion time: 2009-05-20 20:22
ComboFix-quarantined-files.txt 2009-05-20 00:21
ComboFix2.txt 2009-05-18 16:54
ComboFix3.txt 2009-05-17 22:31
ComboFix4.txt 2009-05-16 02:18
Pre-Run: 36,256,878,592 bytes free
Post-Run: 36,284,837,888 bytes free
257 --- E O F --- 2009-05-18 23:26


As far as my antivirus goes, it is still showing a message that "Symantec Antivirus Corporate Edition" is turned off, and I am not able to turn it back on.

Thanks,
Swami.
#14  21st May 2009, 13:08  Malware Group
Infected by Trojan.Vundo.H. Not Able to Clean It.

Hi there

  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:


Code:
Firefox::
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ComboFix.txt for further review.
__________________
Proud member of ASAP & UNITE
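The Firefox:: section above makes ComboFix reset the prefs.js lines it lists, which in the log point Firefox's HTTP traffic at a proxy on localhost port 7171 (network.proxy.type 1 is the manual-proxy setting). As an added example that is not part of the thread and not a ComboFix or Computer Juice tool, the Python script below parses a prefs.js file, flags a manual proxy aimed at the loopback address, and produces a copy with the network.proxy.* lines removed, which is what the reset amounts to, since prefs.js only stores values that differ from Firefox's built-in defaults. The sample prefs.js is constructed from the FF - prefs.js lines in the log, and the function names are my own.

```python
"""Find and strip a loopback proxy planted in a Firefox prefs.js.

Added example for this thread; not a ComboFix or Computer Juice tool.
"""
import re

# prefs.js lines look like: user_pref("name", value);  with value a quoted
# string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Hosts that mean "a proxy running on this same machine".
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample prefs.js built from the FF - prefs.js lines ComboFix
# printed in the log above; the cookie line is padding to show untouched prefs.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("network.proxy.type", 1);
user_pref("network.cookie.cookieBehavior", 0);
"""


def parse_prefs(text):
    """Return {pref name: value} with strings, ints and booleans typed."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue
        name, raw = match.group(1), match.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def proxy_findings(prefs):
    """Describe any manual proxy (network.proxy.type 1) aimed at loopback."""
    findings = []
    if prefs.get("network.proxy.type") != 1:
        return findings
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host in LOOPBACK_HOSTS:
            findings.append(f"manual {scheme} proxy to {host}:{port}")
    return findings


def strip_proxy_prefs(text):
    """Return (cleaned prefs.js text, names removed) with network.proxy.* dropped.

    Removing a user_pref line returns that setting to Firefox's built-in
    default, which is what ComboFix's Firefox:: reset of those lines amounts to.
    """
    kept, removed = [], []
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match and match.group(1).startswith("network.proxy."):
            removed.append(match.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for finding in proxy_findings(parse_prefs(SAMPLE_PREFS_JS)):
        print("FOUND:", finding)
    cleaned, removed = strip_proxy_prefs(SAMPLE_PREFS_JS)
    print("removed:", removed)
    print(cleaned, end="")
```

Run it against a copy of prefs.js taken while Firefox is closed, since Firefox rewrites the file on exit. A loopback proxy is not proof of infection on its own: local web filters and some antivirus products also install one, so confirm which process is listening on the port before treating the setting as planted.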
#15  21st May 2009, 19:00  Member Group
Infected by Trojan.Vundo.H. Not Able to Clean It.

Hi Steve,

Find the log below:

ComboFix 09-05-15.01 - swami 05/21/2009 21:46.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.520 [GMT -4:00]
Running from: c:\documents and settings\swami\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\swami\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.
2009-05-18 23:22 . 2009-05-18 23:22 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-18 23:20 . 2009-05-18 23:20 -------- d-----w C:\KK
2009-05-18 14:32 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-17 22:47 . 2009-05-17 22:47 38344 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 23:47 . 2009-05-16 03:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com
2009-05-15 03:14 . 2009-05-15 03:14 -------- d--h--w C:\VJVod_Cache
2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro
2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae
2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-05-03 03:50 . 2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks
2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 15:57 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor
2009-05-21 12:49 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client
2009-05-19 01:38 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS
2009-05-19 01:38 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS
2009-05-19 01:38 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS
2009-05-17 22:57 . 2007-07-05 23:58 -------- d-----w c:\program files\Java
2009-05-17 22:51 . 2007-07-14 01:14 -------- d-----w c:\program files\Google
2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts
2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 09:19 . 2008-12-19 17:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot_2009-05-20_00.20.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-22 01:48 . 2009-05-22 01:48 53248 c:\windows\Temp\catchme.dll
+ 2004-08-04 12:00 . 2009-05-20 01:04 64774 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-19 01:43 64774 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-20 01:04 409800 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-19 01:43 409800 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-14 396288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/26/2008 12:36 PM 33752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
*Deregistered* - mchInjDrv
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Symantec AntiVirus
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - TPHDEXLGSVC
*Deregistered* - TpKmpSVC
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - vvdsvc
*Deregistered* - W32Time
*Deregistered* - WControl
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - winvnc
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 21:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1340)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\igfxdev.dll
c:\windows\system32\notifyf2.dll
- - - - - - - > 'Explorer.exe'(5724)
c:\windows\system32\PROCHLP.DLL
.
Completion time: 2009-05-22 21:49
ComboFix-quarantined-files.txt 2009-05-22 01:49
ComboFix2.txt 2009-05-20 00:22
ComboFix3.txt 2009-05-18 16:54
ComboFix4.txt 2009-05-17 22:31
ComboFix5.txt 2009-05-22 01:46
Pre-Run: 36,255,363,072 bytes free
Post-Run: 36,261,056,512 bytes free
185 --- E O F --- 2009-05-18 23:26

Thanks,
Swami.
  #16  
Old 21st May 2009, 21:11
Malware Group
 
Default Infected by Trojon.Vundo.H. Not Able to Clean It.

Hi there

Can you just clarify something for me, is Symantec AntiVirus running but windows reporting it as not, or is Symantec AntiVirus not running full stop?
__________________
Proud member of ASAP & UNITE
  #17  
Old 22nd May 2009, 04:22
Member Group
 
Default Infected by Trojon.Vundo.H. Not Able to Clean It.

Hi Steve,

I'm not sure. How can I tell if Symantec Antivirus is running or not? The Windows Security Center is reporting that my antivirus is turned off.

This started happening after the Trojan attack; before that it was not happening.

If I look at the Services window, it shows me that the following services are running:

Symantec Antivirus
Symantec Antivirus Definition Watcher
Symantec Livestate Agent for Windows
Symantec Settings manager

There are other services that are not running even though they are set to Automatic, and when I try to start them, it gives me some or other errors.

Symantec Events Manager
Symantec Network Drivers Service
Symantec SPBBCSvcs

Thanks,
Swami.
  #18  
Old 22nd May 2009, 09:32
Malware Group
 
Default Infected by Trojon.Vundo.H. Not Able to Clean It.

Howdy there

Let's try this

Go to Start > Run and type Notepad.exe then click OK.

Copy and paste the following text within the code box into the new Notepad file.

Code:
@ECHO OFF
REM Stop the WMI service so its repository files are no longer in use
net stop winmgmt
cd /d %windir%\system32\wbem
REM Set the old repository aside; WMI rebuilds a fresh one when it restarts
ren repository repository.old
net start winmgmt
exit
In Notepad select File and Save As.
Choose the Desktop as the save location and for the File name type in fixme.bat, making sure that the Save as type field says All Files.

Next double click fixme.bat to run it.
A black box should open and close after a short time; this is normal.
Do not continue until the black box has closed.
Delete fixme.bat from the Desktop.

Let me know how things are now....
__________________
Proud member of ASAP & UNITE
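Swami asked in #17 how to tell whether Symantec AntiVirus is actually running, and the fixme.bat above resets the WMI repository that Security Center reads its antivirus status from. The PowerShell below is an added diagnostic, not part of the thread; the service names and the two Security Center WMI namespaces are my assumptions, while the registry value it reads is the one shown in the ComboFix log.

```powershell
# Added diagnostic, not from the thread. Answers "is Symantec AntiVirus really
# running, or is Security Center just not seeing it?" by checking three things:
# the service states, the Security Center registry override, and what WMI reports.
# Service names are assumptions drawn from the ComboFix log (ccEvtMgr, SNDSrvc,
# SavRoam) and the display names Swami listed; adjust them if yours differ.
# Run from an Administrator PowerShell prompt.

$services = 'Symantec AntiVirus', 'SavRoam', 'ccEvtMgr', 'SNDSrvc', 'SPBBCSvc', 'winmgmt'

Write-Host '--- Service state (via WMI Win32_Service) ---'
foreach ($name in $services) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        Write-Host ('{0,-20} not found' -f $name)
        continue
    }
    # A PathName of "-" is what the log showed for ccEvtMgr and SNDSrvc: the
    # service key exists but no binary is registered, so the service cannot start.
    $flag = if ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Auto') { '  <-- Auto but not running' } else { '' }
    Write-Host ('{0,-20} {1,-8} start={2,-6} path={3}{4}' -f $name, $svc.State, $svc.StartMode, $svc.PathName, $flag)
}

Write-Host '--- Security Center monitoring override ---'
$key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus'
$dm = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableMonitoring
# DisableMonitoring = 1 (as in the log) tells Security Center to stop watching
# this product itself and rely on what the product reports through WMI instead,
# so a damaged WMI repository makes the product look "turned off".
Write-Host ('DisableMonitoring = {0}' -f $(if ($null -eq $dm) { '(not set)' } else { $dm }))

Write-Host '--- What Security Center sees through WMI ---'
# XP uses root\SecurityCenter; Vista and later use root\SecurityCenter2.
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($products) {
        foreach ($p in $products) {
            Write-Host ('{0}: {1}' -f $ns, $p.displayName)
            # XP exposes onAccessScanningEnabled; SecurityCenter2 exposes productState.
            if ($p.PSObject.Properties['onAccessScanningEnabled']) {
                Write-Host ('    onAccessScanningEnabled = {0}' -f $p.onAccessScanningEnabled)
            }
            if ($p.PSObject.Properties['productState']) {
                Write-Host ('    productState = 0x{0:X6}' -f $p.productState)
            }
        }
    } else {
        Write-Host ('{0}: no AntiVirusProduct instances (namespace missing or WMI repository damaged)' -f $ns)
    }
}
```

If the Win32_Service queries themselves fail, WMI is broken on the machine, which is exactly the case the repository reset in fixme.bat is meant to address.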
  #19  
Old 25th May 2009, 08:01
Member Group
 
Default Infected by Trojon.Vundo.H. Not Able to Clean It.

Hi Steve,

Things are the same. I think I got some more virus attacks on my system. Now I'm not able to run any antivirus software. When I click to run the Malwarebytes or SuperAntispyware tools, nothing happens.

Can you please help.

Thanks,
Swami.
  #20  
Old 25th May 2009, 10:57
Malware Group
 
Default Infected by Trojon.Vundo.H. Not Able to Clean It.

Hi there

Delete the version of combofix that you have on your desktop

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
__________________
Proud member of ASAP & UNITE
Copyright ©2006 - 2009 Computer Juice.