
Trojan infection

Posted 2/1/2009 5:39 PM
#71870

killphill Valued member

Date Joined Nov 2016
Total Posts: 12
I downloaded a file that infected my PC with trojan files that end up in my user AppData folder. I quarantine them and delete them with BullGuard after I get the warning pop-up from it. But after an hour or so a new trojan pop-up happens and I have to do it again. I've done it like five or six times already. Anyone got a suggestion?
Posted 2/1/2009 6:05 PM
#71871

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello :smile:




Please post latest Bullguard log

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 2/2/2009 3:46 PM
#71894

killphill Valued member

Date Joined Nov 2016
Total Posts: 12
Thanks for the reply, but I don't know what you mean by the latest BullGuard log. Do you mean all the files that were scanned and infected? If so, I can't get my computer to copy and paste from the log, so I'll post the infected files from the 'View files' on the results window.


C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CANUJIKO

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAU9BNE4

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAX77OL5

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAZU5E8N

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20[1]

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CABIWSIU

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAL944PL

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20[1]

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA7TDQAZ

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CAHOTBN5

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CASFUPTR

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20[1]

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CA6SBPPQ

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAFMC0LW

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAHNT4QF

C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20[1]

C:\Users\Philip\AppData\Local\Temp\cbXOijJC.dll

C:\Users\Philip\AppData\Local\Temp\pmNFXNef.dll



This is not what you need to help me. Please tell me what to do.
Posted 2/3/2009 5:09 AM
#71911

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
That's exactly what I need :smile:




It tells me that you have a Vundo infection, so I'll suggest you proceed as follows -




Download: CCleaner
https://www.ccleaner.com/ (or https://www.majorgeeks.com/download4191.html)

Once installed, run CCleaner click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data


Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok


Then click Run Cleaner (bottom right) then Exit

Reboot



Please download Malwarebytes' Anti-Malware:

https://www.spywarefri.dk/downloads1/mbam-setup.exe



Or here:

https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968



to your desktop.



Double-click mbam-setup.exe and follow the prompts to install the program.



At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch




Malwarebytes' Anti-Malware, then click Finish.



If an update is found, it will download and install the latest version.



Please connect all your external hard drives/flash drives before running Malwarebytes.



Once the program has loaded, select Perform full scan, then click Scan.



When the scan is complete, click OK, then Show Results to view the results.



Be sure that everything is checked, and click Remove Selected.



When completed, a log will open in Notepad. Please save it to a convenient location.



Post Malwarebytes' Anti-Malware log





NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Posted 2/6/2009 9:43 PM
#72078

killphill Valued member

Date Joined Nov 2016
Total Posts: 12
Hey, sorry for the late reply. I appreciate the help.
Here's the log:



Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 84

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Philip\AppData\Local\Temp\byxXRIBq.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Philip\AppData\Local\Temp\byxXRIBq.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\nnnOEvtS.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5288I10U\divx20CAAA0AJO (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5288I10U\divx20[1] (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CA11O0WS (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CA3Y1QIF (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CA4ZOR0L (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAAXOSSP (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAD1W6JP (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAJHZ1C4 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAKWMV0W (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CANDWG7Y (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAOJTZCO (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAPWXQS1 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAQASEIU (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CATG8176 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAUTWJOT (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A699TG49\divx20CAVE4E1E (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KGIUBQN5\divx20CAI0BS7C (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KGIUBQN5\divx20[1] (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAXKV2FW (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAY78KQ4 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAYCFYHT (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAZD0RJH (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CA6T99OA (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CA7DKFX7 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CABK8JAY (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CABRI1AC (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CABV0OT7 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CACF54CZ (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAFXEBW0 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAJ3XXFT (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAKB1PO1 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAL505W7 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAO2EB48 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAR7RP9T (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAS5FQ2T (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2MCU4F1\divx20CAWB1QGD (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA1N1S12 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA2L7Y55 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA354KWS (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA3UBEK9 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA3ZDPQP (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA4HB5YU (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CA8E3A9P (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CAHBI3VY (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CAKLQZVE (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CANL54WA (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CAR3T15A (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CASUOO3M (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5TR7TC6\divx20CAXGQ2ZE (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAHYO6RM (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAKZTP05 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAPPWPXV (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CARUY93J (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CASYDMQ8 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CATEW0CM (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CATYN6AD (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAUKNU90 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAXITG4R (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CA06MSLD (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CA0EV5DK (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CA2NZ30T (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CA3EI5HQ (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CA911N09 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CADB54RP (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAMMWKQT\divx20CAFCGGG4 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SXBQPD5I\divx20CA2DE5CR (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SXBQPD5I\divx20[1] (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W6RF8185\divx20CAQ2HL27 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W6RF8185\divx20CARG8M2T (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W6RF8185\divx20[1] (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\awtusrOE.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\cbXOfcaB.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\ljJBUmlL.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\mlJCRiJC.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\nnNdBtRh.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\nnnkJyVl.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\ssQHBRHY.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\ssqNhgfD.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\tmp00008ab1 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\tmp000098b5 (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\tuVPIBUK.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\wvUkHwwW.dll (Trojan.Vundo) -> No action taken.
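The log above is the standard Malwarebytes' Anti-Malware text report: a summary block of per-category counts, then one section per category with one detection per line in the form `path-or-key (Family) -> action`. As an added example (not code from this thread, from BullGuard or from Malwarebytes), the Python below parses that format, cross-checks the summary counts against the listed items, separates out the registry entries that give the infection persistence (the `Run` values and the `ShellExecuteHooks` entry seen above), counts what was left untreated, and applies a small heuristic, derived from the file names in this log, that flags eight-letter random-looking DLL names under `Temp` and `System32`. The sample log embedded in the block is a constructed, abbreviated version of the one posted; the marker list and the DLL-name heuristic are this example's own assumptions, not part of the MBAM format.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated MBAM log in the format posted in the thread.
SAMPLE_LOG = r"""
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Philip\AppData\Local\Temp\byxXRIBq.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Philip\AppData\Local\Temp\byxXRIBq.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\nnnOEvtS.dll (Trojan.Vundo) -> No action taken.
C:\Users\Philip\AppData\Local\Temp\tmp00008ab1 (Trojan.Vundo) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed autostart locations worth singling out (this example's own list).
PERSISTENCE_MARKERS = ("\\CurrentVersion\\Run\\", "\\ShellExecuteHooks\\",
                       "\\AppInit_DLLs", "\\Winlogon\\")

# Heuristic taken from the names in this log: eight mixed-case letters + .dll
# dropped into Temp or System32.
RANDOM_DLL_RE = re.compile(r"\\(?:Temp|System32)\\[A-Za-z]{8}\.dll$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {'summary': {category: count}, 'detections': {category: [dict]}}."""
    summary, detections, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        m = SUMMARY_RE.match(line)
        if m and section is None:                 # summary block precedes the sections
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("cat")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections[section].append({"item": m.group("item"),
                                        "family": m.group("family"),
                                        "action": m.group("action")})
    return {"summary": summary, "detections": dict(detections)}


def count_mismatches(report):
    """Categories whose summary count differs from the items actually listed."""
    found = {cat: len(items) for cat, items in report["detections"].items()}
    return {cat: (n, found.get(cat, 0)) for cat, n in report["summary"].items()
            if found.get(cat, 0) != n}


def persistence_entries(report):
    """Registry detections sitting in an autostart location."""
    hits = []
    for cat in ("Registry Keys Infected", "Registry Values Infected"):
        for d in report["detections"].get(cat, []):
            if any(mk.lower() in d["item"].lower() for mk in PERSISTENCE_MARKERS):
                hits.append(d["item"])
    return hits


def untreated_items(report):
    """Every detection whose action is still 'No action taken'."""
    return [d["item"] for items in report["detections"].values()
            for d in items if d["action"].lower().startswith("no action")]


def random_named_dlls(report):
    """Distinct DLL paths matching the random-name heuristic."""
    paths = set()
    for cat in ("Memory Modules Infected", "Files Infected"):
        for d in report["detections"].get(cat, []):
            if RANDOM_DLL_RE.search(d["item"]):
                paths.add(d["item"])
    return sorted(paths)


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", count_mismatches(rep))
    print("persistence:", *persistence_entries(rep), sep="\n  ")
    print("untreated:", len(untreated_items(rep)))
    print("random-named DLLs:", *random_named_dlls(rep), sep="\n  ")
```

Two things the output makes plain that the raw log does not: every entry is still marked "No action taken", which is why the follow-up post asks for a second run with removal enabled, and the `Run` value plus the `ShellExecuteHooks` CLSID are the pieces that would re-launch the DLLs after reboot, which is why deleting only the files kept producing new pop-ups.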
Posted 2/7/2009 5:32 AM
#72083

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
No problem :smile:


Run Malwarebytes' Anti-Malware again, and have it fix what it finds.





Then ->




Please download Combofix:

https://download.bleepingcomputer.com/subs/combofix.exe



And save to the desktop.


Close all other browser windows. Deactivate/shutdown Bullguard.



Please connect all your external hard drives/flash drives before running Combofix, if you have any.





Double-click on the combofix icon found on your desktop.



Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.


When finished, it will produce a logfile located at C:\combofix.txt.


Post the contents of that log in your.



Posted 2/9/2009 5:02 PM
#72222

killphill Valued member

Date Joined Nov 2016
Total Posts: 12
I've run ComboFix and I've got the text file. Do you want me to post that to you?
Posted 2/10/2009 5:29 AM
#72277

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Yes, please post combofix log



Posted 2/13/2009 10:12 AM
#72432

killphill Valued member

Date Joined Nov 2016
Total Posts: 12
Hey, here's the log. Thanks for the help.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Philip\AppData\Roaming\.#
c:\users\Philip\AppData\Roaming\.#\MBX@1014@3A19E8.###
c:\users\Philip\AppData\Roaming\.#\MBX@1534@3519E8.###
c:\users\Philip\AppData\Roaming\.#\MBX@1748@6B119E8.###
c:\windows\Tasks\irccyvkx.job

.
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-06 17:16 . 2009-02-06 17:16 d-------- c:\users\Philip\AppData\Roaming\Malwarebytes
2009-02-06 17:16 . 2009-02-06 17:16 d-------- c:\users\All Users\Malwarebytes
2009-02-06 17:16 . 2009-02-06 17:16 d-------- c:\programdata\Malwarebytes
2009-02-06 17:16 . 2009-02-06 21:39 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 17:16 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-06 17:16 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-06 17:13 . 2009-02-06 17:13 d-------- c:\users\Philip\AppData\Roaming\Memeo
2009-02-06 17:12 . 2009-02-06 17:12 d-------- c:\program files\Memeo
2009-02-06 17:12 . 2009-02-06 17:12 d-------- c:\program files\Common Files\eSellerate
2009-02-03 16:58 . 2009-02-03 16:58 d-------- c:\program files\CCleaner
2009-01-18 12:12 . 2009-01-18 12:12 56 --ah----- c:\users\All Users\ezsidmv.dat
2009-01-18 12:12 . 2009-01-18 12:12 56 --ah----- c:\programdata\ezsidmv.dat
2009-01-18 12:03 . 2009-02-09 16:20 d-------- c:\users\Philip\AppData\Roaming\Skype
2009-01-18 12:03 . 2009-01-18 12:03 d-------- c:\users\All Users\Skype
2009-01-18 12:03 . 2009-01-18 12:03 d-------- c:\programdata\Skype
2009-01-18 12:03 . 2009-01-18 12:03 d-------- c:\program files\Skype
2009-01-18 12:03 . 2009-01-18 12:03 d-------- c:\program files\Common Files\Skype
2009-01-14 09:17 . 2008-12-16 02:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-12 17:10 . 2009-01-12 17:10 d-------- c:\program files\Deep Silver
2009-01-11 16:24 . 2009-01-11 16:26 d-------- c:\users\Philip\AppData\Roaming\Mount&Blade
2009-01-11 16:22 . 2009-01-11 16:29 d-------- c:\program files\Mount&Blade
2009-01-11 13:21 . 2009-01-11 13:21 d-------- c:\users\All Users\GRAW2
2009-01-11 13:21 . 2009-01-11 13:21 d-------- c:\programdata\GRAW2
2009-01-09 18:04 . 2005-06-24 16:24 438,272 -ra------ c:\windows\System32\vp6vfw.dll
2009-01-09 18:04 . 2004-12-10 09:06 327,680 --a------ c:\windows\System32\vp6dec.ax

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-02-08 20:00 --------- d-----w c:\programdata\Microsoft Help
2009-01-15 08:18 --------- d-----w c:\program files\Windows Mail
2009-01-11 13:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 18:47 --------- d-----w c:\users\Philip\AppData\Roaming\BullGuard
2009-01-10 15:43 --------- d-----w c:\programdata\Media Center Programs
2009-01-03 18:51 --------- d-----w c:\users\Philip\AppData\Roaming\Apple Computer
2009-01-03 18:50 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-03 18:50 --------- d-----w c:\program files\iTunes
2009-01-03 18:49 --------- d-----w c:\programdata\Apple Computer
2009-01-03 18:49 --------- d-----w c:\program files\iPod
2009-01-03 18:49 --------- d-----w c:\program files\Common Files\Apple
2009-01-03 18:47 --------- d-----w c:\program files\QuickTime
2009-01-03 18:47 --------- d-----w c:\program files\Bonjour
2009-01-03 18:45 --------- d-----w c:\program files\Apple Software Update
2009-01-03 18:43 --------- d-----w c:\programdata\Apple
2009-01-01 13:59 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-12-19 15:54 --------- d-----w c:\users\Philip\AppData\Roaming\TuneUp Software
2008-12-19 15:54 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-12-19 15:53 --------- d-----w c:\programdata\TuneUp Software
2008-12-19 13:46 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-19 12:26 --------- d-----w c:\programdata\Trymedia
2008-12-16 19:29 --------- d-----w c:\users\Philip\AppData\Roaming\dvdcss
2008-12-16 19:29 --------- d-----w c:\programdata\CyberLink
2008-12-15 18:18 --------- d-----w c:\programdata\WindowsSearch
2008-10-16 13:10 0 ----a-w c:\users\Philip\AppData\Roaming\wklnhst.dat
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-10-27 20:05 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-10-27 20:05 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-10-27 20:05 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"BullGuard"="c:\program files\BullGuard Software\BullGuard\BullGuard.exe" [2008-10-16 308552]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-11-01 16384]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"BullGuard"="c:\program files\BullGuard Software\BullGuard\bullguard.exe" [2008-10-16 308552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-16 220160]
"toolbar_eula_launcher"="c:\program files\GoogleEULA\EULALauncher.exe" [2007-02-09 16896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Memeo Share"="c:\program files\Memeo\Memeo Share\MemeoLauncher.exe" [2008-11-10 144656]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-07 c:\windows\RtHDVCpl.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"TVEService"="c:\program files\HomeCinema\TV Enhance\TVEService.exe"
"Skytel"=Skytel.exe
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2CB96C65-7EF8-4698-BCCD-E248204492DA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E134A9B1-1745-430C-B17D-EB1028683BC7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
R1 appdrv01;Application Driver (01);c:\windows\System32\drivers\appdrv01.sys [2008-10-31 2911848]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [2008-06-26 50896]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [2008-01-21 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [2008-01-21 21504]
R2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe [2008-06-26 360538]
R2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe [2008-06-26 131160]
R3 3xHybrid;Philips SAA713x PCI Card;c:\windows\System32\drivers\3xHybrid.sys [2008-06-04 1302368]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr28u.sys [2008-06-04 569344]
R3 Reconn;BullGuard Email Monitor;c:\program files\BullGuard Software\BullGuard\Reconn.sys [2007-05-16 16984]
R3 X10Hid;X10 Hid Device;c:\windows\System32\drivers\x10hid.sys [2008-06-04 13976]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 09:59]

2009-02-08 c:\windows\Tasks\User_Feed_Synchronization-{6F1E8D8A-41C9-43FA-84EC-09CBAC3FEF3B}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wikipedia.org/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-02-09 16:20:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-09 16:22:43
ComboFix-quarantined-files.txt 2009-02-09 16:22:41

Pre-Run: 85,875,064,832 bytes free
Post-Run: 85,887,983,616 bytes free

257 --- E O F --- 2009-02-03 16:37:36
Posted 2/13/2009 10:16 AM
#72433

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It looks clean. How are things running ?



Posted 2/14/2009 7:00 PM
#72491

killphill Valued member

Date Joined Nov 2016
Total Posts: 12
Things seem fine, I'm not getting any more pop-ups or anything. Thanks for the help.
Posted 2/16/2009 1:36 PM
#72501

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
My pleasure :smile:





Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.







Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->

Uninstall ComboFix. Delete its related folders and files.

Reset your clock settings. Hide file extensions.

Hide the system/hidden files. And reset System Restore again.



I also suggest you read Tony Klein's article:

So how did I get infected in the first place.



