Mischel Internet Security Forum
Topic: possible vundo? Please help!
bornagooner (Newbie)
possible vundo? Please help!
« on: Dec 9th, 2007, 5:46am »

Hi,
 
Hope you don't mind me posting on this forum, but I've been trying all night to fix my computer with very little actual knowledge and I'm stumped.
 
I'll try and explain.
 
My PC has been running progressively slower and slower, with repeated requests for more virtual memory, and periodic crashes. 'VirusScan On-Access' (software recommended by my university) quarantined 2 malicious files. It has attempted to clean them with no success, and they cannot be deleted as the program-in-use warning prevents it. The information it gives on these files is:
 
Name: XP08002D.RAR.VIR
In Folder: C:\Temp\quarantine\xp08002d.rar.vir  
Detected as: Vundo
Status: Moved (Clean Failed)
 
Name: _CACHE_002.VIR
In Folder: C:\Temp\Quarantine\_cache_002.vir
Detected as: JS/Generic Exploit.e
Status: Moved (Clean Failed)
 
Then, I used the Windows Live online PC scanner, which reported one major problem in h:\system volume information, which it could not clean or delete.
 
Then, I used TrojanHunter 5.0. Whilst this reported finding no problems, afterwards 4 more items were in the VirusScan On-Access quarantine, which are listed as:
 
Name: cv2J6tP.exe
In Folder: C:\Documents and Settings\Katz\local settings\temp
Detected as: Malformed Archive  
Status: Moved (clean failed as the file is not cleanable)
 
Name: cv2J6tP.exe.vir
In Folder: C:\temp\quarantine  
Detected as: Malformed Archive  
Status: Moved (clean failed as the file is not cleanable)
 
Name: ZeeHK.exe
In Folder: C:\Documents and Settings\Katz\local settings\temp
Detected as: Malformed Archive  
Status: Moved (clean failed as the file is not cleanable)
 
Name: ZeeHK.exe.vir
In Folder: C:\temp\quarantine
Detected as: Malformed Archive  
Status: Moved (clean failed as the file is not cleanable)
 
I've tried using the Symantec Vundo fix, which reported finding no Vundo virus.
 
However, shortly after this, a 'Data Execution Prevention' warning popped up for Windows Explorer.
 
Having seen what you have recommended to others, I've run HijackThis, which came up with -
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:57, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
H:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Windows OneCare Live\Staging\dotnetfx.exe
C:\DOCUME~1\katz\LOCALS~1\Temp\IXP000.TMP\install.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\katz\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E60086C-CF84-4E2C-B38D-CD1DC61C7D04} : NameServer = 62.24.199.13,62.24.199.23
O23 - Service: dlcg_device -   - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
 
--
End of file - 8057 bytes
 
Any help anyone could give would be massively appreciated, my second year exams start next week and I really need the PC to be functioning (always happens all at once hey?!)
 
Thanks so much in advance,
 
Katie
 
P.S. - I'm a bit of a computer retard, so please explain things as such!
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #1 on: Dec 9th, 2007, 6:44am »

Just to update, I just tried to use VundoFix 6.5.10, which reported finding no virus and just crashed the PC.
siliconman01 (Global Moderator)
Re: possible vundo? Please help!
« Reply #2 on: Dec 9th, 2007, 8:06am »

Would you please post a new HijackThis log because things may have changed during the VundoFix that you just ran.
 
After I see/evaluate your new HJT log, I'll have some recommendations. ;)

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #3 on: Dec 9th, 2007, 8:22am »

Hi, thank you so much for your quick reply. This is the new HJT scan.
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:09, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
H:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Windows OneCare Live\Staging\dotnetfx.exe
C:\DOCUME~1\katz\LOCALS~1\Temp\IXP000.TMP\install.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\katz\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E60086C-CF84-4E2C-B38D-CD1DC61C7D04} : NameServer = 62.24.199.13,62.24.199.23
O23 - Service: dlcg_device -   - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
 
--
End of file - 8057 bytes
siliconman01 (Global Moderator)
Re: possible vundo? Please help!
« Reply #4 on: Dec 9th, 2007, 8:23am »

Here's a few things you can do while you are waiting for me to examine the new HJT log requested in my above post.
 
1.  Make all your files and folders visible.  The link below describes how.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Your Java applet is way out of date and is a security risk.  
C:\Program Files\Java\j2re1.4.2_03
 
-  Please update to the latest version.  The link below will get you to the update section.
 
http://www.java.com
 
-  After you get the new update installed, go into Control Panel>Add/Remove Programs and remove all the old versions of the Java Applet.  Unfortunately Java does not do this automatically.
 
3.  Download/Install freebie program CCleaner to clean out junk files from your system.  Just run the Cleaner component, not the registry cleaner component.  
 
http://www.ccleaner.com
 
(Note: This is a good program to run frequently to clean out temp files and other junk that accumulates on your system and is a potential for a security breach.)
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #5 on: Dec 9th, 2007, 8:24am »

Thank you so much, I'll get going with that now :)
siliconman01 (Global Moderator)
Re: possible vundo? Please help!
« Reply #6 on: Dec 9th, 2007, 8:43am »

In examining your HJT log, nothing much is showing up.  No infections are being displayed.  HOWEVER, please do this:
 
1.  Run another HJT scan.
 
2.  Once the scan is completed, place a check mark in the box next to the following items.  BE SURE that these are the only items checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"

For some reason you have two of these entries.  They are identical and you only need one.  So just checkmark one of the above.

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

3.  Close all browser windows.
 
4.  Then click on Fix Checked at the lower left of the HJT window.  Confirm that you want these items fixed and let HJT fix them.
 
5.  Close the HJT window and reboot.  
 
6.  Once you are rebooted, run CCleaner to clean up junk files again.
 
7.  Then run a REMOTE Scan with Kaspersky Antivirus.  
 
-  BE SURE to deactivate your normal antivirus program prior to running this remote scan.  
 
-  Be sure to scan your entire computer.  The link below sends you to the Kaspersky remote scanner.
 
http://www.kaspersky.com/virusscanner
 
-  Kaspersky does not clean what it finds during the remote scan.  It just states that it found infections.  If it does not find anything, odds are you are clean.  
 
8.  Please post back here the Kaspersky scan log and a new HJT log.    
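The items siliconman01 picks out of the log above (the two entries ending in "(no file)" and the doubled uTorrent Run value) can be found mechanically. The Python below is an added example, not part of this thread or of HijackThis: it parses O2/O4/O9 lines from a constructed excerpt in the HJT log format and reports orphaned hooks and duplicate autoruns; the third rule, autoruns launched from a Temp folder, is an extra heuristic of mine that goes beyond what the post covers.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed excerpt in HijackThis v2 log format, modelled on the entries
# discussed in this thread (not the complete log posted above).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\katz\LOCALS~1\Temp\IXP000.TMP\"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""


class Entry(NamedTuple):
    code: str    # HJT section code: O2 (BHO), O4 (autorun), O9 (IE button)
    name: str    # display name, or the registry value name for O4
    target: str  # file the CLSID resolves to, or the autorun command line
    raw: str     # original log line, returned verbatim in findings


# O2 and O9 lines share the shape "<name> - {CLSID} - <file or (no file)>".
_O2_O9 = re.compile(
    r"^(?P<code>O[29]) - (?:BHO|Extra button|Extra 'Tools' menuitem): "
    r"(?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# O4 registry autoruns: "<hive>\..\Run: [<value name>] <command line>".
_O4 = re.compile(
    r"^(?P<code>O4) - (?P<key>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Extract O2/O4/O9 entries from a HijackThis log; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = _O2_O9.match(line)
        if m:
            entries.append(Entry(m["code"], m["name"], m["target"].strip(), line))
            continue
        m = _O4.match(line)
        if m:
            entries.append(Entry(m["code"], m["name"], m["cmd"].strip(), line))
    return entries


def _normalise_cmd(cmd: str) -> str:
    """Treat quoted and unquoted, differently-cased paths as the same command."""
    return cmd.strip().strip('"').lower()


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Apply three review rules and return the matching log lines per rule."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_cmd: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        # Rule 1: a BHO or IE button whose CLSID points at a file that is gone.
        # Such orphans do nothing useful and are what HJT "Fix checked" removes.
        if e.code in ("O2", "O9") and e.target.lower() == "(no file)":
            findings["orphan_entry"].append(e.raw)
        if e.code == "O4":
            by_cmd[_normalise_cmd(e.target)].append(e.raw)
            # Rule 3 (extra heuristic): anything set to start from a Temp folder
            # deserves a second look, even if it is only installer clean-up.
            if re.search(r"\\temp\\", e.target, re.IGNORECASE):
                findings["autorun_from_temp"].append(e.raw)
    # Rule 2: the same command registered under two autorun value names;
    # only one is needed, as siliconman01 notes for the uTorrent entries.
    for lines in by_cmd.values():
        if len(lines) > 1:
            findings["duplicate_autorun"].extend(lines)
    return dict(findings)


if __name__ == "__main__":
    for rule, lines in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"[{rule}]")
        for line in lines:
            print("   ", line)
```

Run it against a full saved HJT log by passing the file contents to `parse_hjt`; the RunOnce clean-up line from the log above is reported by the Temp rule only so that a reviewer looks at it, not as a verdict.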
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #7 on: Dec 9th, 2007, 8:49am »

Hi,
 
I've run CCleaner and made all files visible, but I've had a weird problem with Java. When I tried to install the latest version, I got this error message 'Error 1500. Another installation is in progress. You must complete that installation before continuing with this one' and then a second box with 'The installation of package http://java.sun.com/update/1.6.0/jre-6u3-windows-1596-jc-xpi failed with -203'
 
However, I have nothing else installing at all. I also got the same message as the first box when I tried to remove Java. However, CCleaner installed without problems and I deleted an old program which also removed without problems.
 
I have tried two or three times now but I keep getting the same message from Java. Should I be concerned?
siliconman01 (Global Moderator)
Re: possible vundo? Please help!
« Reply #8 on: Dec 9th, 2007, 8:55am »

For the time being, forget the Java part and proceed with my post above yours.
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #9 on: Dec 9th, 2007, 9:12am »

I've got up to disabling my anti-virus, but all options to disable are locked. When I try and remove this lock it asks for a password. I'm not sure if this is because it's just a university copy, or if something more is wrong with it. Should I attempt to delete it?
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #10 on: Dec 9th, 2007, 9:16am »

And sorry to appear totally stupid, but is the remote scanner the online scanner or the one I need to download?
siliconman01 (Global Moderator)
Re: possible vundo? Please help!
« Reply #11 on: Dec 9th, 2007, 9:22am »

Do not attempt to delete it.  Try the Kaspersky remote scan with the other antivirus active.  It may or may not run into a conflict.  Let's try it and see.  
 
Quote:
And sorry to appear totally stupid, but is the remote scanner the online scanner or the one I need to download

Click on the hot button that says "Free- Kaspersky online scanner, Scan Now".  It will direct you to another page and accept the conditions.  This will send you to another page where it will need to download/install an ActiveX component.  Let it download and install the ActiveX.  Then it will start downloading its long list of virus/spyware definitions.
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #12 on: Dec 9th, 2007, 9:29am »

Sorry to be a complete pain here. I'm not sure if this is the site or me, but when I click it, it goes to the terms and conditions page, then when I accept nothing happens, it just says 'Done' at the bottom straight away.
 
I'm really sorry about this, thank you so much for your patience!
siliconman01 (Global Moderator)
Re: possible vundo? Please help!
« Reply #13 on: Dec 9th, 2007, 9:39am »

Please do this:
 
1.  Go to the Control Panel and open "Internet Options"
 
2.  Select the Security Tab
 
3.  Highlight the green checkmark  labelled "Trusted Sites"
 
4.  Click on the hot button labeled  "Sites"
 
5.  A new window will open.  
 
6.  In the box labeled "Add this website to the zone", type in exactly: http://*.kaspersky.com
 
7.  Click on the "Add" button to add this as a trusted site in this zone.
 
8.  Uncheck the box that says "Require server verification (https:) for all sites in this zone".
 
9.  Click on "Close" and then "Ok" to close the windows.
 
10.  Close your browser and reopen it to try the Kaspersky site again.
bornagooner (Newbie)
Re: possible vundo? Please help!
« Reply #14 on: Dec 9th, 2007, 9:43am »

Thank you, you're so patient!

It was my fault, I was on Mozilla. Worked fine when I loaded it in IE.

Will post results as soon as it's finished. :)