Free Antivirus Forum - Learn about antivirus, firewalls and personal security
Trojan.vundo is holding my computer hostage. Please help!!!!
   

thebuz
New Member


Date Joined Sep 2007
Total Posts : 6
 
Posted 9-4-2007 6:40 (GMT +2)
My computer is infected with Trojan.vundo and none of the removal tools are working.   *sigh*  I did a HijackThis scan and here is the log.  Can anyone help????  I would be forever grateful!  
 
Logfile of HijackThis v1.99.1
Scan saved at 9:36:03 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\Owner\Application Data\tmp10.tmp.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - C:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp7A.tmp.dll
O2 - BHO: (no name) - {E4283631-646D-48C3-BAC2-70E28BBC77D0} - (no file)
O2 - BHO: adssite - {F31B3634-12AA-41ca-B021-0685C3B3E4CA} - C:\WINDOWS\system32\nsd208.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\mndsrngm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.67.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Turbo Pizza\Images\armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddabbxx.dll
O20 - Winlogon Notify: °À - °À (file missing)
O20 - Winlogon Notify: imjbrd - C:\WINDOWS\SYSTEM32\imjbrd.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Owner\Application Data\tmp10.tmp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VPN Client (ICService) - Unknown owner - C:\Program Files\VPN\VPN Client\icsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
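Reading a log like the one above by hand means checking the same handful of autostart locations every time: the BHOs (O2), the Run keys (O4), the DNS suffix SearchList (O17), AppInit_DLLs and the Winlogon Notify handlers (O20), the services (O23), and the running-process list. The script below is an added example, not code from this thread, from HijackThis or from any Vundo removal tool. It runs a few triage rules over a constructed subset of the log lines copied from the post. The tmpNN.tmp naming rule is taken from the file names that appear in the log; the KNOWN_NOTIFY set, the severity labels and the rule wording are my assumptions, and every hit is a pointer for a human reviewer, not a verdict.

```python
"""Heuristic triage of a HijackThis log for Vundo-style persistence (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r'''
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Application Data\tmp10.tmp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp7A.tmp.dll
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O20 - AppInit_DLLs: c:\windows\system32\ddabbxx.dll
O20 - Winlogon Notify: imjbrd - C:\WINDOWS\SYSTEM32\imjbrd.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Owner\Application Data\tmp10.tmp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''


@dataclass
class Finding:
    line: str
    rule: str
    severity: str   # "high": act on it; "review": confirm by hand first


# The log shows payloads named tmpNN.tmp.dll / tmpNN.tmp.exe; no legitimate
# autostart on this box looks like that.
TMP_NAME = re.compile(r"^tmp[0-9a-f]+\.tmp\.(dll|exe)$", re.I)
USER_PROFILE = re.compile(r"\\Documents and Settings\\", re.I)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Assumption: Winlogon Notify DLLs accepted without further checks on this XP SP2
# machine (WGA and Norton). In a real case derive the set from a known-clean box.
KNOWN_NOTIFY = {"wgalogon.dll", "navlogon.dll"}


def basename(path: str) -> str:
    """Last path component, unquoted and lower-cased, for name matching."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> Optional[Finding]:
    """Apply the rule for the line's HijackThis section; None if nothing stands out."""
    if re.match(r"^[A-Za-z]:\\", line):                       # "Running processes:" entry
        if TMP_NAME.match(basename(line)) or USER_PROFILE.search(line):
            return Finding(line, "process running from a user profile or with a tmpNN.tmp name", "high")
    elif line.startswith("O2 - "):
        m = O2_BHO.match(line)
        if m and m["path"] == "(no file)":
            return Finding(line, "orphaned BHO registration (no backing file); delete the CLSID key", "review")
        if m and (m["name"] == "(no name)" or TMP_NAME.match(basename(m["path"]))):
            return Finding(line, "unnamed BHO or tmpNN.tmp DLL loaded into every IE process", "high")
    elif line.startswith("O4 - "):
        if "rundll32" in line.lower():
            return Finding(line, "autostart loads a DLL through rundll32; verify the DLL's publisher", "review")
        if USER_PROFILE.search(line):
            return Finding(line, "autostart points into a user profile", "high")
    elif line.startswith("O17 - "):
        return Finding(line, "DNS SearchList is set; confirm it matches the ISP or domain", "review")
    elif line.startswith("O20 - AppInit_DLLs:"):
        return Finding(line, "AppInit_DLLs injects this DLL into every process that loads user32.dll", "high")
    elif line.startswith("O20 - Winlogon Notify:"):
        m = O20_NOTIFY.match(line)
        if m and "(file missing)" in m["path"]:
            return Finding(line, "orphaned Winlogon Notify entry; delete the key", "review")
        if m and basename(m["path"]) not in KNOWN_NOTIFY:
            return Finding(line, "unrecognised Winlogon Notify DLL (runs inside winlogon.exe as SYSTEM)", "high")
    elif line.startswith("O23 - "):
        m = O23_SERVICE.match(line)
        if m and m["owner"] == "Unknown owner" and (
                USER_PROFILE.search(m["path"]) or TMP_NAME.match(basename(m["path"]))):
            return Finding(line, "service with no publisher running from a user profile", "high")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every non-empty log line through check_line and keep the hits."""
    return [f for f in (check_line(raw.strip()) for raw in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
    print(summarize(hits))
```

Run against the sample it reports ten hits: six "high" (the tmp10.tmp.exe process and the DomainService that runs it, the two unnamed BHOs that still have a file on disk, the AppInit_DLLs value and the imjbrd Winlogon Notify handler) and four "review" items (the orphaned BHO and Notify entries, the rundll32 Run key and the SearchList). The review class is the point of the exercise: a SearchList of tdbank.ca,ctwan.com may be an ISP-assigned suffix or a hijack and only the owner can say which, and an orphaned registration does nothing today but is still worth deleting.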
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 18005
 
Posted 9-4-2007 9:28 (GMT +2)
Hello
 
 
Click here - ->>  Before posting a log 
 
 
 After You have run the scan tools -
 
Reboot normally
 
Post the HijackThis log along with the AVG Anti-Spyware log, the C: Rootlog TXT and the C: combofix txt in this topic
 
 


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention. 
 

 

thebuz
New Member


Date Joined Sep 2007
Total Posts : 6
 
Posted 9-5-2007 5:24 (GMT +2)
Thanks so much for helping me out.    I think I did everything I was supposed to. Here are my logs.

ComboFix 07-08-30.3 - "Owner" 2007-09-04 20:18:15.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.123 [GMT -7:00]

(((((((((((((((((((((((((   Files Created from 2007-08-05 to 2007-09-05  )))))))))))))))))))))))))))))))

2007-09-04 19:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-03 22:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-03 21:48 <DIR> d-------- C:\Program Files\CCleaner
2007-08-06 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
2007-08-05 13:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 22:53 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\PlayFirst
2007-09-03 22:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-09-03 22:51 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Sandlot Games
2007-09-03 22:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
2007-09-01 19:07 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-01 00:19 55592 --a------ C:\WINDOWS\system32\adssite-remove.exe
2007-08-14 21:17 --------- d-------- C:\Program Files\iPod
2007-08-13 22:38 --------- d-------- C:\Program Files\iTunes
2007-08-06 00:08 --------- d-------- C:\Program Files\Enigma Software Group
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 07:39 33511 --a------ C:\WINDOWS\system32\ninjaext-uninstall.exe
2007-07-24 19:47 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-07-24 02:04 --------- d-------- C:\Program Files\Google
2007-07-23 21:28 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\SpinTop
2007-07-23 20:02 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-07-23 20:02 --------- d-------- C:\Program Files\Real
2007-07-23 20:02 --------- d-------- C:\Program Files\Common Files\Real
2007-07-23 07:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-23 06:57 38232 --------- C:\WINDOWS\system32\imjbrd.dll
2007-07-23 06:54 39884 --a------ C:\WINDOWS\system32\gzmrot-uninst.exe
2007-07-22 21:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-19 21:38 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Gamelab
2007-07-17 20:00 --------- d-------- C:\Program Files\QuickTime
2007-07-13 07:46 61440 --a------ C:\WINDOWS\system32\gzmrotate.dll
2007-07-10 00:40 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-10 00:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36A91CEC-6C71-4758-B492-397BFC8E96A2}]
2007-07-13 07:46 61440 --a------ C:\WINDOWS\system32\gzmrotate.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64badabb-4464-451e-846d-5448ecda3859}]
2007-07-23 06:57 38232 --------- C:\WINDOWS\system32\imjbrd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4283631-646D-48C3-BAC2-70E28BBC77D0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-02-16 14:55:37]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\°À]
°À
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\imjbrd]
imjbrd.dll 2007-07-23 06:57 38232 C:\WINDOWS\system32\imjbrd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ddabbxx.dll
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys
R1 ICsrvr;VPN Client Protocol;C:\WINDOWS\system32\DRIVERS\ICsrvr.sys
R1 ICtdi;VPN Client TDI Driver;C:\WINDOWS\system32\DRIVERS\ictdi.sys
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys
R3 ICvnic;VPN Client Virtual Adapter;C:\WINDOWS\system32\DRIVERS\ICvnic.sys
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS
S2 ICService;VPN Client;C:\Program Files\VPN\VPN Client\icsrv.exe
S3 CCCP106;D-Link CIF Webcam;C:\WINDOWS\system32\DRIVERS\cccp106.sys
S3 ed3d0121-a0b8-4cb9-8f10-e00414d97307;ed3d0121-a0b8-4cb9-8f10-e00414d97307;\??\D:\CDS300\cds300.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Install.exe

Contents of the 'Scheduled Tasks' folder
2007-09-04 05:28:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-05 03:10:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 20:21:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-04 20:23:04
C:\ComboFix-quarantined-files.txt ... 2007-09-04 20:23
C:\ComboFix2.txt ... 2007-09-04 20:11
 --- E O F ---



********************************* ROOTCHK-(22-08-07)-LOG, by ejvindh
Tue 09/04/2007 20:15:41.73
The rootkits that are detected by this tool were not found.
********************************* ROOTCHK-LOG-end

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 20:15:42
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
hidden processes: 0
hidden files: 0

ComboFix 07-08-30.3 - "Owner" 2007-09-04 19:59:30.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.119 [GMT -7:00]
 * Created a new restore point

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp107.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp109.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp113.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp115.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp139.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp161.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp167.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp174.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1E0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1E7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2A8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2AF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2CD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2D4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp311.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp315.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp347.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp34F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3AE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3D5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3E4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3FA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp42A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp476.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp498.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4AE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4B4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4C0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4EB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4F0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp500.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp543.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp555.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5DB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5FD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp60F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp637.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp66F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp73.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp75.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7B0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp84.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp86.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp94.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpCC.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpE0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpF1.tmp.exe
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\ta_start.lnk
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nsd208.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp109.tmp.dll
C:\WINDOWS\system32\tmp115.tmp.dll
C:\WINDOWS\system32\tmp122.tmp.dll
C:\WINDOWS\system32\tmp13E.tmp.dll
C:\WINDOWS\system32\tmp167.tmp.dll
C:\WINDOWS\system32\tmp174.tmp.dll
C:\WINDOWS\system32\tmp1AF.tmp.dll
C:\WINDOWS\system32\tmp1E7.tmp.dll
C:\WINDOWS\system32\tmp2AF.tmp.dll
C:\WINDOWS\system32\tmp2D4.tmp.dll
C:\WINDOWS\system32\tmp315.tmp.dll
C:\WINDOWS\system32\tmp34F.tmp.dll
C:\WINDOWS\system32\tmp3B3.tmp.dll
C:\WINDOWS\system32\tmp3D9.tmp.dll
C:\WINDOWS\system32\tmp3E7.tmp.dll
C:\WINDOWS\system32\tmp3FF.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp432.tmp.dll
C:\WINDOWS\system32\tmp47E.tmp.dll
C:\WINDOWS\system32\tmp49A.tmp.dll
C:\WINDOWS\system32\tmp4B0.tmp.dll
C:\WINDOWS\system32\tmp4BB.tmp.dll
C:\WINDOWS\system32\tmp4C1.tmp.dll
C:\WINDOWS\system32\tmp4EC.tmp.dll
C:\WINDOWS\system32\tmp4EE.tmp.dll
C:\WINDOWS\system32\tmp4F4.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp503.tmp.dll
C:\WINDOWS\system32\tmp545.tmp.dll
C:\WINDOWS\system32\tmp557.tmp.dll
C:\WINDOWS\system32\tmp5DE.tmp.dll
C:\WINDOWS\system32\tmp5FF.tmp.dll
C:\WINDOWS\system32\tmp612.tmp.dll
C:\WINDOWS\system32\tmp63A.tmp.dll
C:\WINDOWS\system32\tmp671.tmp.dll
C:\WINDOWS\system32\tmp75.tmp.dll
C:\WINDOWS\system32\tmp7A.tmp.dll
C:\WINDOWS\system32\tmp7B2.tmp.dll
C:\WINDOWS\system32\tmp96.tmp.dll
C:\WINDOWS\system32\tmp9E.tmp.dll
C:\WINDOWS\system32\tmpA4.tmp.dll
C:\WINDOWS\system32\tmpAF.tmp.dll
C:\WINDOWS\system32\tmpB1.tmp.dll
C:\WINDOWS\system32\tmpB4.tmp.dll
C:\WINDOWS\system32\tmpE0.tmp.dll
C:\WINDOWS\system32\tmpF.tmp.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\zxdnt3d.cfg

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\xpdx

(((((((((((((((((((((((((   Files Created from 2007-08-05 to 2007-09-05  )))))))))))))))))))))))))))))))

2007-09-04 19:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-03 22:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-03 21:48 <DIR> d-------- C:\Program Files\CCleaner
2007-08-06 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
2007-08-05 13:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 22:53 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\PlayFirst
2007-09-03 22:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-09-03 22:51 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Sandlot Games
2007-09-03 22:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
2007-09-01 19:07 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-01 00:19 55592 --a------ C:\WINDOWS\system32\adssite-remove.exe
2007-08-14 21:17 --------- d-------- C:\Program Files\iPod
2007-08-13 22:38 --------- d-------- C:\Program Files\iTunes
2007-08-06 00:08 --------- d-------- C:\Program Files\Enigma Software Group
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 07:39 33511 --a------ C:\WINDOWS\system32\ninjaext-uninstall.exe
2007-07-24 19:47 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-07-24 02:04 --------- d-------- C:\Program Files\Google
2007-07-23 21:28 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\SpinTop
2007-07-23 20:02 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-07-23 20:02 --------- d-------- C:\Program Files\Real
2007-07-23 20:02 --------- d-------- C:\Program Files\Common Files\Real
2007-07-23 07:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-23 06:57 38232 --------- C:\WINDOWS\system32\imjbrd.dll
2007-07-23 06:54 39884 --a------ C:\WINDOWS\system32\gzmrot-uninst.exe
2007-07-22 21:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-19 21:38 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Gamelab
2007-07-17 20:00 --------- d-------- C:\Program Files\QuickTime
2007-07-13 07:46 61440 --a------ C:\WINDOWS\system32\gzmrotate.dll
2007-07-10 00:40 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-10 00:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36A91CEC-6C71-4758-B492-397BFC8E96A2}]
2007-07-13 07:46 61440 --a------ C:\WINDOWS\system32\gzmrotate.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64badabb-4464-451e-846d-5448ecda3859}]
2007-07-23 06:57 38232 --------- C:\WINDOWS\system32\imjbrd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4283631-646D-48C3-BAC2-70E28BBC77D0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-02-16 14:55:37]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\°À]
°À
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\imjbrd]
imjbrd.dll 2007-07-23 06:57 38232 C:\WINDOWS\system32\imjbrd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ddabbxx.dll
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys
R1 ICsrvr;VPN Client Protocol;C:\WINDOWS\system32\DRIVERS\ICsrvr.sys
R1 ICtdi;VPN Client TDI Driver;C:\WINDOWS\system32\DRIVERS\ictdi.sys
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys
R3 ICvnic;VPN Client Virtual Adapter;C:\WINDOWS\system32\DRIVERS\ICvnic.sys
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS
S2 ICService;VPN Client;C:\Program Files\VPN\VPN Client\icsrv.exe
S3 CCCP106;D-Link CIF Webcam;C:\WINDOWS\system32\DRIVERS\cccp106.sys
S3 ed3d0121-a0b8-4cb9-8f10-e00414d97307;ed3d0121-a0b8-4cb9-8f10-e00414d97307;\??\D:\CDS300\cds300.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Install.exe

Contents of the 'Scheduled Tasks' folder
2007-09-04 05:28:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-05 03:10:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 20:07:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-04 20:11:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 20:11
 --- E O F ---

epibone
New Member


Date Joined Sep 2007
Total Posts : 2
 
   Posted 9-5-2007 8:02 (GMT +2)
Here's my log...

Logfile of HijackThis v1.99.1
Scan saved at 3:52:04 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\rundll32.exe
D:\Documents and Settings\epibone\Desktop\FixVundo.exe
D:\Documents and Settings\epibone\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "D:\WINDOWS\system32\vwactmxk.dll",sitypnow
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BlazeServoTool] "D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [Dhbt] "D:\WINDOWS\system32\SSEMBL~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?562ce494bada41dcb649c18c3c6e20d6
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?562ce494bada41dcb649c18c3c6e20d6
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\WINDOWS\system32\amslv1.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\WINDOWS\system32\amslv1.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\WINDOWS\system32\amslv1.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180210474575
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180210561590
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

Please help...Thank you!!

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 18005
 
   Posted 9-5-2007 9:54 (GMT +2)
Please download the Free Version of Superantispyware.

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)

Start Superantispyware.
Hit the - Scan Your Computer - button.
Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan -, then Next; it will scan now. When the scan has finished, put a checkmark against all items it found. Next, after cleaning, allow it to Reboot.

Start Superantispyware again:
Click Preferences and then click the Statistics/Logs tab.
Click the dated log and press View Log, and a text file will appear.

Post this log along with a fresh HijackThis log, and tell how things are running.

Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.

thebuz
New Member


Date Joined Sep 2007
Total Posts : 6
 
   Posted 9-6-2007 5:17 (GMT +2)
Thanks again. I did what you said. I accidentally did 2 scans through the spyware, so I am going to post both logs. I then redid hijack and that will be at the bottom. I already notice that my computer is working much faster; however, my Norton antivirus is still detecting the trojan.vundo (here is the file it is in: File: C:\WINDOWS\system32\imjbrd.dll).

FIRST SCAN WITH SPYWARE
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/05/2007 at 07:57 AM
Application Version : 3.9.1008
Core Rules Database Version : 3300
Trace Rules Database Version: 1306
Scan type       : Complete Scan
Total Scan Time : 00:35:03
Memory items scanned      : 462
Memory threats detected   : 1
Registry items scanned    : 5073
Registry threats detected : 17
File items scanned        : 28552
File threats detected     : 42
Adware.AdRotator/RightOnz
 C:\WINDOWS\SYSTEM32\GZMROTATE.DLL
 C:\WINDOWS\SYSTEM32\GZMROTATE.DLL
 HKLM\Software\Classes\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}\InprocServer32
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}\InprocServer32#ThreadingModel
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}\ProgID
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}\Programmable
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}\TypeLib
 HKCR\CLSID\{36A91CEC-6C71-4758-B492-397BFC8E96A2}\VersionIndependentProgID
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A91CEC-6C71-4758-B492-397BFC8E96A2}
Adware.Tracking Cookie
 C:\Documents and Settings\Owner\Cookies\owner@a.websponsors[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@rotator.its.adjuggler[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@roiservice[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@www.clicksmart[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@tremor.adbureau[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@2.go.globaladsales[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@adserver.easyad[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@1070359748[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@indextools[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@linksynergy[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@www.entrepreneur[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt
 C:\Documents and Settings\Owner\Cookies\owner@ads.joinaxxess[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@entrepreneur.122.2o7[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@1072339218[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@reduxads.valuead[1].txt
 C:\Documents and Settings\Owner\Cookies\owner@stats.sellmosoft[1].txt
Registry Cleaner Trial
 HKCR\Install.Install
 HKCR\Install.Install\CLSID
 HKCR\Install.Install\CurVer
 HKCR\Install.Install.1
 HKCR\Install.Install.1\CLSID
Adware.AdStart
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run#adstart [ C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify ]
Unclassified.SpywareBot (Not A Threat)
 HKU\S-1-5-21-2000478354-1757981266-725345543-1003\Software\SpywareBot
SECOND SCAN WITH ANTISPYWARE
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/05/2007 at 08:00 PM
Application Version : 3.9.1008
Core Rules Database Version : 3300
Trace Rules Database Version: 1306
Scan type       : Complete Scan
Total Scan Time : 00:30:12
Memory items scanned      : 440
Memory threats detected   : 0
Registry items scanned    : 5073
Registry threats detected : 0
File items scanned        : 28592
File threats detected     : 6
Adware.Tracking Cookie
 C:\Documents and Settings\Owner\Cookies\owner@indextools[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
 C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Adware.AdRotator/RightOnz
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{F9373D15-5DF9-4969-BB47-EBE7ACBCEDF8}\RP32\A0009492.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{F9373D15-5DF9-4969-BB47-EBE7ACBCEDF8}\RP32\A0010492.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{F9373D15-5DF9-4969-BB47-EBE7ACBCEDF8}\RP32\A0011492.DLL
NEW HIJACK LOG
Logfile of HijackThis v1.99.1
Scan saved at 8:13:44 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {E4283631-646D-48C3-BAC2-70E28BBC77D0} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.67.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Turbo Pizza\Images\armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddabbxx.dll
O20 - Winlogon Notify: °À - °À (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: imjbrd - C:\WINDOWS\SYSTEM32\imjbrd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VPN Client (ICService) - Unknown owner - C:\Program Files\VPN\VPN Client\icsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 18005
 
   Posted 9-6-2007 9:14 (GMT +2)
Please download The Avenger by Swandog46 to your Desktop.
You must extract avenger.zip to your desktop before you run it.

Start up Avenger exe.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.
Quote:

Files to delete:
c:\windows\system32\ddabbxx.dll
C:\WINDOWS\SYSTEM32\imjbrd.dll

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.

Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log.


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
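The entries the Avenger script above targets (the AppInit_DLLs value and the imjbrd Winlogon Notify package), together with the unnamed BHO, the unnamed O9 button and the rundll32 Run entries in the HijackThis logs posted in this thread, are the persistence points a helper reads off a log by eye. The Python script below is an added example, not code from the forum, from HijackThis or from The Avenger: it applies those same checks to sample log lines copied from this thread and reports which rule each line trips. The KNOWN_NOTIFY and KNOWN_RUNDLL_TARGETS allowlists are assumptions chosen for this example and are not exhaustive.

```python
"""Triage a HijackThis-style log for the persistence points seen in this thread.

Added example, not part of the forum thread or of HijackThis/Avenger. The
allowlists below are deliberately small assumptions for illustration; a real
triage tool would use a maintained database of known-good entries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Winlogon Notify packages that ship with Windows XP or belong to products seen
# in the thread (Norton, SUPERAntiSpyware, WGA). Assumption: minimal allowlist.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "navlogon", "!saswinlogon",
}
# DLLs legitimately started through rundll32 from system32 in these logs
# (NVIDIA control panel). Assumption: minimal allowlist.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll", "nvmctray.dll"}


@dataclass
class Finding:
    rule: str
    line: str


def check_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis log line (empty list if clean)."""
    s = line.strip()
    out: List[Finding] = []

    # O20 AppInit_DLLs: on XP this value is normally empty, so any DLL listed
    # here is loaded into every process that loads user32.dll.
    if re.match(r"O20 - AppInit_DLLs:\s*(\S.*)", s):
        out.append(Finding("appinit_dll_loaded", s))

    # O20 Winlogon Notify: flag non-ASCII/non-printable package names (the
    # garbage entry in the thread) and packages not on the allowlist.
    m = re.match(r"O20 - Winlogon Notify:\s*(.+?)\s+-\s+(.+)", s)
    if m:
        name = m.group(1)
        if not name.isascii() or not name.isprintable():
            out.append(Finding("winlogon_notify_garbage_name", s))
        elif name.lower() not in KNOWN_NOTIFY:
            out.append(Finding("winlogon_notify_unknown", s))

    # O2 BHO with no name: a live DLL deserves a look; a missing file is an
    # orphan registration left behind by a removed or renamed component.
    m = re.match(r"O2 - BHO:\s*\(no name\)\s+-\s+\{[^}]+\}\s+-\s+(.+)", s)
    if m:
        target = m.group(1)
        if target == "(no file)" or target.endswith("(file missing)"):
            out.append(Finding("bho_orphan", s))
        else:
            out.append(Finding("bho_unnamed", s))

    # O4 Run entries that start a system32 DLL through rundll32 with an export
    # name, unless the DLL is on the allowlist.
    m = re.match(r"O4 - HK\w+\\\.\.\\Run: \[[^\]]+\]\s+(.+)", s)
    if m:
        r = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,\w+', m.group(1), re.I)
        if r:
            path = r.group(1)
            dll = path.rsplit("\\", 1)[-1].lower()
            if "system32" in path.lower() and dll not in KNOWN_RUNDLL_TARGETS:
                out.append(Finding("run_rundll32_unknown_dll", s))

    # O9 Extra button with no name that points at a DLL under system32.
    m = re.match(r"O9 - Extra button:\s*\(no name\)\s+-\s+\{[^}]+\}\s+-\s+(.+)", s)
    if m and re.search(r"system32\\[^\\]+\.dll$", m.group(1), re.I):
        out.append(Finding("extra_button_unnamed_system32_dll", s))

    return out


def scan(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log."""
    return [f for line in log_text.splitlines() for f in check_line(line)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "D:\WINDOWS\system32\vwactmxk.dll",sitypnow
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll
O20 - AppInit_DLLs: c:\windows\system32\ddabbxx.dll
O20 - Winlogon Notify: °À - °À (file missing)
O20 - Winlogon Notify: imjbrd - C:\WINDOWS\SYSTEM32\imjbrd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
    print(summarize(scan(SAMPLE_LOG)))
```

To use it on a saved log, read the file and pass its text to scan(). Each hit is a lead to investigate, not proof of infection: the allowlists decide what is "known", and a log with no hits says nothing about what a rootkit has hidden from the tool, which is why the helpers in this thread also asked for a ComboFix/catchme run.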
 

thebuz
New Member


Date Joined Sep 2007
Total Posts : 6
 
   Posted 9-6-2007 4:48 (GMT +2)
Thanks again for your help. Here is what you asked me to do.
Avenger log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dqaydkqc
*******************
Script file located at: \??\C:\abtnlnpf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:


File c:\windows\system32\ddabbxx.dll not found!
Deletion of file c:\windows\system32\ddabbxx.dll failed!
Could not process line:
c:\windows\system32\ddabbxx.dll
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\imjbrd.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished!  Terminate.


New Hijack Log


Logfile of HijackThis v1.99.1
Scan saved at 7:50:49 AM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {E4283631-646D-48C3-BAC2-70E28BBC77D0} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.67.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Turbo Pizza\Images\armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: °À - °À (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: imjbrd - imjbrd.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VPN Client (ICService) - Unknown owner - C:\Program Files\VPN\VPN Client\icsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 18005
 
   Posted 9-6-2007 5:40 (GMT +2)
Looks like we have improvement here.


Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked:
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O20 - Winlogon Notify: °À[1] - °À[1] (file missing)
O20 - Winlogon Notify: imjbrd - imjbrd.dll (file missing)
 
Reboot and tell how things are running?


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention. 
 

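As an added example (not part of the thread, and not HijackThis code), here is a small Python triage over lines in the HijackThis log format posted above: it flags the kind of orphaned "(file missing)" / "(no file)" hooks the moderator picked out and groups them by the DLL or EXE they reference, which makes the single imjbrd.dll component visible across its O2, O9 and O20 entries. The sample lines are copied from the posted log; the flagging rules are this example's own assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the HijackThis 1.99.1 format, copied
# from the log posted above (not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {64badabb-4464-451e-846d-5448ecda3859} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\imjbrd.dll (file missing)
O20 - Winlogon Notify: °À - °À (file missing)
O20 - Winlogon Notify: imjbrd - imjbrd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: VPN Client (ICService) - Unknown owner - C:\Program Files\VPN\VPN Client\icsrv.exe (file missing)
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Last path component ending in .dll/.exe/.ocx, e.g. "imjbrd.dll"
FILE_RE = re.compile(r"([^\\/\s]+\.(?:dll|exe|ocx))", re.IGNORECASE)


def triage(log_text):
    """Return (section, body, reasons) for each entry worth a second look.

    Review heuristics assumed by this example: a stale hook is not proof of
    malware, so a person still decides what to fix, as the moderator did."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("points at a file that no longer exists")
        if "(no name)" in body:
            reasons.append("registered without a display name")
        if section == "O20" and not body.isascii():
            reasons.append("Winlogon Notify name is not printable ASCII")
        if reasons:
            findings.append((section, body, reasons))
    return findings


def correlate_by_file(findings):
    """Group flagged entries by the DLL/EXE they reference, so one component
    hooked in several places (BHO, IE button, Winlogon Notify) is one item."""
    by_file = defaultdict(set)
    for section, body, _ in findings:
        fm = FILE_RE.search(body)
        if fm:
            by_file[fm.group(1).lower()].add(section)
    return {name: sorted(secs) for name, secs in by_file.items()}
```

Run `triage(SAMPLE_LOG)` and pass the result to `correlate_by_file` to see imjbrd.dll reported once with sections O2, O9 and O20, while the intact WgaLogon and Yahoo! entries are not flagged.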
 

thebuz
New Member


Date Joined Sep 2007
Total Posts : 6
 
   Posted 9-7-2007 4:06 (GMT +2)
Hi there... thanks again.   I did what you asked.    I have attached the final hijack log below.  I did notice that this morning there was a notification from my antivirus that it was in a system restore folder but since reboot I don't see any notification.   Does this mean it could restore going forward?    


Logfile of HijackThis v1.99.1
Scan saved at 7:04:54 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\Program Files\MSN Messenger\usnsvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {E4283631-646D-48C3-BAC2-70E28BBC77D0} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.67.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Turbo Pizza\Images\armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VPN Client (ICService) - Unknown owner - C:\Program Files\VPN\VPN Client\icsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 18005
 
   Posted 9-7-2007 4:39 (GMT +2)
To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore
 
 
It should stop warnings from your antivirus.
 
 
Now that you are clean:
 
Here is some additional software you may wish to consider using to prevent malicious software from installing on your PC:

 
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
Freeware
 
Spyware Guard is a background process that checks applications as they begin to run for known spyware and malicious code, and produces an alert if necessary.
Freeware.

SpywareBlaster is not a scanner; it blocks malicious objects and code from being downloaded, in addition to blocking access to sites known to download malware. SpywareBlaster runs silently in the background and does not need to be open to protect your PC.
Freeware
 
Boclean  BOClean is designed to run quietly without intrusion if no malware "attack" exists and will scan through any suspicious files with signature analysis to preclude false alarms or possible damage to valid configurations.
Think of your antivirus as a burglar alarm. BOClean is a motion detector.
Freeware
 
Make sure to keep these programs up to date.
 
 


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention. 
 

 

thebuz
New Member


Date Joined Sep 2007
Total Posts : 6
 
   Posted 9-7-2007 5:12 (GMT +2)
Hi again.   I just did the restore thing and reran my virus scan and everything seems awesome.  I want to thank you so much for all of your help!!!!!   I am forever indebted!!!!  hop    <-----   this is how excited I am!  yeah
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 18005
 
   Posted 9-7-2007 5:55 (GMT +2)
Wauw - that's excited!
 
 
I was glad to help.
 
 
Now that your problem appears to be resolved, this thread will be closed to prevent others with similar issues posting in it.
 


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention. 
 
