Vundo trojan
May 7, 2008
Hi!
I'm Neeraj, and my computer was also infected, but now it's free from viruses. I don't have that HijackThis. I've run VundoFix.exe and ComboFix.exe. But I think after executing ComboFix.exe some files are missing, and that's why some applications are not running. I even downloaded Java 6, but it has become some DOS application; the icon is like a DOS program's, and when I run it, it says that the program is too big to fit in memory.
Here are the log files.
1. VundoFix
VundoFix V7.0.3
Scan started at 11:32:12 AM 07/05/2008
Listing files found while scanning....
C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\efcrcwxw.dll
C:\WINDOWS\system32\kjajntod.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\dotnjajk.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\efcrcwxw.dll
C:\WINDOWS\system32\efcrcwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjajntod.ini
C:\WINDOWS\system32\kjajntod.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V7.0.3
Scan started at 11:55:32 AM 07/05/2008
Listing files found while scanning....
No infected files were found.
2. ComboFix
ComboFix 08-05-01.3 - Administrator 2008-05-07 12:46:32.1 - NTFSx86
Running from: E:\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\buqalktd.dll
C:\WINDOWS\system32\jwihvobv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OoYGNqss.ini
C:\WINDOWS\system32\OoYGNqss.ini2
C:\WINDOWS\system32\oswpiksn.ini
C:\WINDOWS\system32\ssqNGYoO.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-07 12:33 . 2008-05-07 12:33 <DIR> d--h-c--- C:\WINDOWS\PIF
2008-05-07 11:32 . 2008-05-07 11:54 <DIR> d----c--- C:\VundoFix Backups
2008-05-07 08:52 . 2008-05-07 08:52 2,112 --a--c--- C:\WINDOWS\system32\qogntmcy.exe
2008-05-06 10:38 . 2008-05-07 00:10 <DIR> d----c--- C:\Program Files\Norton AntiVirus
2008-05-06 10:38 . 2008-05-06 10:38 4,608 --a--c--- C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-05-06 10:37 . 2008-05-06 10:54 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-06 10:37 . 2006-09-15 22:52 124,016 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-06 10:37 . 2006-09-15 22:52 91,904 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-06 10:36 . 2008-05-06 18:59 <DIR> d----c--- C:\Program Files\Symantec
2008-05-06 10:36 . 2008-05-07 09:58 <DIR> d----c--- C:\Program Files\Common Files\Symantec Shared
2008-05-06 10:35 . 2008-05-06 10:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-05 11:06 . 2005-08-06 16:12 519,944 --a--c--- C:\WINDOWS\LegitCheckControl.dll
2008-05-05 11:06 . 2006-05-13 14:18 435,464 --a--c--- C:\WINDOWS\legitlib.dll
2008-05-05 09:56 . 2008-05-05 10:04 <DIR> d----c--- C:\WINDOWS\SxsCaPendDel
2008-05-05 09:12 . 2008-05-05 09:12 51,355 --a--c--- C:\WINDOWS\system32\muzika.xm
2008-05-04 20:15 . 2005-06-21 16:43 163,840 --a--c--- C:\WINDOWS\system32\igfxres.dll
2008-05-04 17:04 . 2008-05-05 06:51 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:50 . 2008-05-07 08:52 109,803 --a--c--- C:\WINDOWS\BM7358b998.xml
2008-05-02 13:41 . 2008-05-02 13:41 <DIR> d----c--- C:\ner
2008-05-01 20:12 . 2008-05-01 20:12 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-05-01 19:46 . 2008-05-01 19:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Teleca
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 14:11 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-04 14:11 --------- dc----w C:\Program Files\CyberLink
2008-05-04 03:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-04 03:06 --------- dc----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-28 01:20 --------- dc----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-27 16:35 50,944 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-04-04 07:50 --------- dc----w C:\Program Files\Common Files\Adobe
2007-12-30 04:18 87,608 -c--a-w C:\Documents and Settings\Administrator\Application Data\inst.exe
2007-12-30 04:18 47,360 -c--a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.
------- Sigcheck -------
2004-08-04 06:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 06:44 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-03 12:03 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PCMService"="D:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2007-03-02 17:55 159744]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-14 01:47 58488]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-08-03 13:56 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRun"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= D:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]
xxyyvUoM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\FlashGet\\flashget.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"D:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"D:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]
\Shell\Autoplay\Command - J:\smss.exe
\Shell\AutoRun\command - J:\smss.exe
\Shell\Explore\Command - J:\smss.exe
\Shell\Open\Command - J:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a750cf0-9c19-11dc-b4e0-cef0eb2f6d51}]
\Shell\Autoplay\Command - I:\smss.exe
\Shell\AutoRun\command - I:\smss.exe
\Shell\Explore\Command - I:\smss.exe
\Shell\Open\Command - I:\smss.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 05:29:41 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Administrator.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 12:57:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-07 13:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 07:39:57
Pre-Run: 5,053,763,584 bytes free
Post-Run: 5,010,583,552 bytes free
Please help me. Should I repair Windows XP?
Quote:
Originally Posted by Rahina Rescue (Post 363796)
Hello kingt36! Welcome to The Forums. My name is Rahina Rescue and I will be handling your log to help you get cleaned up. We'll begin.

Step #1
Please download VundoFix.exe to your desktop.

Step #2
Download the latest version of Java Runtime Environment (JRE) 6. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on the download to install the newest version.

Step #3
Please download ComboFix to your desktop.

In your next reply please post:
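Added example, not part of this thread and not something ComboFix, VundoFix or the forum helper provides: a small Python triage script that reads a ComboFix log in the format posted above and pulls out the items a log reader would act on first. It runs here over a constructed, abridged excerpt of the log in this thread. It flags the Security Center and firewall values that are switched off (EnableFirewall, AntiVirusDisableNotify, UpdatesDisableNotify, DisableMonitoring), the xxyyvUoM.dll Winlogon Notify package (the registration the Vundo family uses to stay resident), the MountPoints2 AutoRun handlers that launch smss.exe from the J: and I: volumes and a .vbs from another one, and the tcpip.sys whose MD5 under drivers differs from the dllcache copy. The parsing assumes ComboFix's value renderings exactly as they appear in the log (dword:00000001, 0 (0x0)); the category names and descriptions are my own wording. Two caveats: a modified tcpip.sys is not by itself proof of infection, because the half-open-connection patches popular with file-sharing users (this machine has LimeWire and Ares) alter the same file, and the Security Center notification values can also be set by hand, so each hit is a lead to check rather than a verdict.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------
2004-08-04 06:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 06:44 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-03 12:03 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]
xxyyvUoM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]
\Shell\AutoRun\command - J:\smss.exe
\Shell\Open\Command - J:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
"""

# Registry values that, at the listed state, switch off a defence. Value name ->
# (state that counts as weak, description). Names are the ones ComboFix prints;
# the descriptions are this example's own wording.
WEAK_SETTINGS = {
    "EnableFirewall": (0, "Windows Firewall is off in the standard profile"),
    "AntiVirusDisableNotify": (1, "Security Center antivirus alerts are suppressed"),
    "UpdatesDisableNotify": (1, "Security Center update alerts are suppressed"),
    "DisableMonitoring": (1, "Security Center monitoring of a product is suppressed"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')    # "Name"=value
SIGCHECK_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ ([0-9a-fA-F]{32}) (.+)$")
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)


def registry_int(raw):
    """Turn ComboFix's renderings ('dword:00000001', '0 (0x0)') into an int, else None."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^\d+", raw)
    return int(m.group(0)) if m else None


def triage(log_text):
    """Return (category, detail) pairs for the indicators this log format exposes."""
    findings = []
    current_key = ""
    hashes = defaultdict(dict)  # file basename -> {full path: md5}

    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            md5, path = m.group(1).lower(), m.group(2)
            hashes[path.rsplit("\\", 1)[-1].lower()][path] = md5
            continue
        m = VALUE_RE.match(line)
        if m:
            name, raw = m.groups()
            if name in WEAK_SETTINGS and registry_int(raw) == WEAK_SETTINGS[name][0]:
                findings.append(("weak-setting", f"{WEAK_SETTINGS[name][1]} ({name}={raw})"))
            continue
        if "\\winlogon\\notify\\" in current_key and line.lower().endswith(".dll"):
            # Notify packages are loaded by winlogon.exe at every logon, which is how
            # the Vundo family kept its randomly named DLL resident.
            findings.append(("winlogon-notify", f"{line} is registered as a Winlogon Notify package"))
            continue
        if "\\mountpoints2\\" in current_key:
            m = SHELL_CMD_RE.match(line)
            if m:
                findings.append(("autorun", f"{m.group(1)} on a mounted volume runs: {m.group(2)}"))

    # One driver name with two MD5s means the live copy no longer matches the cached one.
    for base, copies in hashes.items():
        if len(set(copies.values())) > 1:
            findings.append(("sigcheck-mismatch", base + " differs between " + " and ".join(sorted(copies))))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it against a full saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; everything it reports is already in the log, the script only saves scrolling past the hundreds of benign lines.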
