trojan on my computer


Post by avak101 on Tue Mar 10, 2009 12:40 am

My computer started running really slow lately, so I ran Malwarebytes and it showed a lot of defective stuff, but I'm not sure:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:54 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\XPHOME\System32\smss.exe
C:\XPHOME\system32\winlogon.exe
C:\XPHOME\system32\services.exe
C:\XPHOME\system32\lsass.exe
C:\XPHOME\system32\svchost.exe
C:\XPHOME\System32\svchost.exe
C:\XPHOME\system32\ZoneLabs\vsmon.exe
C:\XPHOME\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\XPHOME\System32\oodag.exe
C:\XPHOME\system32\svchost.exe
C:\XPHOME\system32\WgaTray.exe
C:\XPHOME\system32\wscntfy.exe
C:\XPHOME\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\XPHOME\System32\LVCOMSX.EXE
C:\XPHOME\System32\oodtray.exe
C:\XPHOME\BCMSMMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\XPHOME\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MAHVEER\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\XPHOME\System32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\XPHOME\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB003" /M "Stylus CX6400"
O4 - HKLM\..\Run: [LVCOMSX] C:\XPHOME\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [OODefragTray] C:\XPHOME\System32\oodtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\XPHOME\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\MAHVEER\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-19\..\Run: [popawawewi] Rundll32.exe "C:\XPHOME\system32\rameleko.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [popawawewi] Rundll32.exe "C:\XPHOME\system32\sedaloli.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{649A34FC-784A-4030-8DB5-8C94BCEE44EA}: NameServer = 192.168.1.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: yfaesn.dll C:\XPHOME\system32\tizutere.dll yxakkn.dll
O20 - Winlogon Notify: byXQHwVO - byXQHwVO.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\XPHOME\System32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\XPHOME\system32\ZoneLabs\vsmon.exe

--
End of file - 7908 bytes


Malwarebytes' Anti-Malware 1.33
Database version: 1695
Windows 5.1.2600 Service Pack 2

3/9/2007 8:23:28 PM
mbam-log-2007-03-09 (20-23-28).txt

Scan type: Quick Scan
Objects scanned: 82599
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 10
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\XPHOME\system32\nividoko.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\popoloma.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\sedaloli.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\zebimosi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\yxakkn.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2db79ef6-dcaf-4b2a-a3dd-8dc951352d18} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2db79ef6-dcaf-4b2a-a3dd-8dc951352d18} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6442ac5-cb84-424f-b38b-53c0103562a0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6442ac5-cb84-424f-b38b-53c0103562a0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6442ac5-cb84-424f-b38b-53c0103562a0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2db79ef6-dcaf-4b2a-a3dd-8dc951352d18} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\popawawewi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmb3752792 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\xphome\system32\nividoko.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nividoko.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users.XPHOME\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.XPHOME\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\XPHOME\system32\yxakkn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\sedaloli.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\nividoko.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\popoloma.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\zebimosi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\XPHOME\system32\tizutere.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\MAHVEER\Local Settings\Temporary Internet Files\Content.IE5\2AYW1VKA\cntr[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\MAHVEER\Local Settings\Temporary Internet Files\Content.IE5\2SOALLYX\d[2].htm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\MAHVEER\Local Settings\Temporary Internet Files\Content.IE5\CLNKRGBW\virusremover2009_setup_free_rezer_en[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.


Re: trojan on my computer

Post by Belahzur on Tue Mar 10, 2009 12:42 am

Let's see if any Vundo got left behind.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double-click DDS.scr to run it.
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: trojan on my computer

Post by avak101 on Wed Mar 11, 2009 12:02 am

DDS (Ver_09-02-01.01) - NTFSx86
Run by MAHVEER at 20:00:44.82 on Tue 03/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.964 [GMT -4:00]

FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\XPHOME\system32\svchost -k DcomLaunch
svchost.exe
C:\XPHOME\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\XPHOME\system32\ZoneLabs\vsmon.exe
C:\XPHOME\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\XPHOME\System32\oodag.exe
C:\XPHOME\system32\svchost.exe -k imgsvc
C:\XPHOME\system32\rundll32.exe
C:\XPHOME\system32\wscntfy.exe
C:\XPHOME\system32\WgaTray.exe
C:\XPHOME\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\XPHOME\System32\LVCOMSX.EXE
C:\XPHOME\System32\oodtray.exe
C:\XPHOME\BCMSMMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\XPHOME\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MAHVEER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Idea2 SidebarBrowserMonitor Class: {45ad732c-2ce2-4666-b366-b2214ad57a49} - c:\program files\desktop sidebar\sbhelp.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\xphome\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cdloader] "c:\documents and settings\mahveer\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRunOnce: [FlashPlayerUpdate] c:\xphome\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [KONICA MINOLTA magicolor 2400W STD] c:\xphome\system32\MSTMON_S.EXE STARTUP
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus CX6400] c:\xphome\system32\spool\drivers\w32x86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB003" /M "Stylus CX6400"
mRun: [LVCOMSX] c:\xphome\system32\LVCOMSX.EXE
mRun: [OODefragTray] c:\xphome\system32\oodtray.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {09FE188B-6E85-479e-9411-51FB2220DF80} - {45AD732C-2CE2-4666-B366-B2214AD57A49} - c:\program files\desktop sidebar\sbhelp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: carebridge.net\sra
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {33564D57-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
TCP: {649A34FC-784A-4030-8DB5-8C94BCEE44EA} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: byXQHwVO - byXQHwVO.dll
AppInit_DLLs: yfaesn.dll c:\xphome\system32\tizutere.dll yxakkn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\xphome\system32\tizutere.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mahveer\applic~1\mozilla\firefox\profiles\vjfa61d7.default\

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_550_11905;Juniper Networks TDI Filter Driver (NEOFLTR_550_11905);c:\xphome\system32\drivers\NEOFLTR_550_11905.sys [2007-6-22 63008]
R1 vsdatant;vsdatant;c:\xphome\system32\vsdatant.sys [2007-4-19 394952]
R2 vsmon;TrueVector Internet Monitor;c:\xphome\system32\zonelabs\vsmon.exe -service --> c:\xphome\system32\zonelabs\vsmon.exe -service [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\xphome\system32\drivers\nsdriver.sys --> c:\xphome\system32\drivers\NSDriver.sys [?]

=============== Created Last 30 ================

2009-03-05 18:46 --d----- c:\docume~1\mahveer\applic~1\TeamViewer
2009-03-05 18:46 --d----- c:\documents and settings\mahveer\temp
2009-02-18 20:48 124,416 a------- c:\xphome\system32\szdcgb.dll
2009-02-18 20:48 124,416 a------- c:\xphome\system32\mctgwlcb.dll
2009-02-18 20:45 1,616,970 ---sh--- c:\xphome\system32\fgaaurah.ini
2009-02-18 08:48 1,614,650 ---sh--- c:\xphome\system32\oxsplhhw.ini
2009-02-18 08:45 124,928 a------- c:\xphome\system32\unbccu.dll
2009-02-18 08:45 124,928 a------- c:\xphome\system32\codikmtg.dll
2009-02-17 20:49 123,392 a------- c:\xphome\system32\gcnioc.dll
2009-02-17 20:49 123,392 a------- c:\xphome\system32\uhyenyev.dll
2009-02-17 20:46 1,608,777 ---sh--- c:\xphome\system32\rgmvpuyv.ini
2009-02-17 08:48 1,594,582 ---sh--- c:\xphome\system32\ykfeevfe.ini
2009-02-17 08:45 124,416 a------- c:\xphome\system32\fosudk.dll
2009-02-17 08:45 124,416 a------- c:\xphome\system32\vwocjtsl.dll
2009-02-16 20:48 122,880 a------- c:\xphome\system32\ldvoyn.dll
2009-02-16 20:48 122,880 a------- c:\xphome\system32\vilyonvy.dll
2009-02-16 20:45 1,594,562 ---sh--- c:\xphome\system32\ettfmcag.ini
2009-02-16 08:48 1,588,126 ---sh--- c:\xphome\system32\ljxuqvic.ini
2009-02-16 08:45 123,904 a------- c:\xphome\system32\mpxtli.dll
2009-02-16 08:45 123,904 a------- c:\xphome\system32\cuoqdagy.dll
2009-02-15 20:48 1,588,060 ---sh--- c:\xphome\system32\rqnekxvl.ini
2009-02-15 20:45 124,416 a------- c:\xphome\system32\taevhy.dll
2009-02-15 20:45 124,416 a------- c:\xphome\system32\mpcalbpq.dll
2009-02-15 08:48 1,588,060 ---sh--- c:\xphome\system32\yhcgtynx.ini
2009-02-15 08:45 124,416 a------- c:\xphome\system32\ikcbje.dll
2009-02-15 08:45 124,416 a------- c:\xphome\system32\nlcgepcu.dll
2009-02-14 20:48 1,588,060 ---sh--- c:\xphome\system32\jcwkuhbc.ini
2009-02-14 20:45 128,512 a------- c:\xphome\system32\vygpnvvp.dll
2009-02-14 20:45 128,512 a------- c:\xphome\system32\dmtcjd.dll
2009-02-14 08:45 128,512 a------- c:\xphome\system32\kdqowl.dll
2009-02-14 08:45 128,512 a------- c:\xphome\system32\abnlsely.dll
2009-02-14 08:43 1,588,060 ---sh--- c:\xphome\system32\ycojjynp.ini
2009-02-13 20:48 1,588,060 ---sh--- c:\xphome\system32\subwujsq.ini
2009-02-13 20:45 126,464 a------- c:\xphome\system32\snayir.dll
2009-02-13 20:45 126,464 a------- c:\xphome\system32\ffppjunk.dll
2009-02-12 20:46 1,588,060 ---sh--- c:\xphome\system32\clejyxwc.ini
2009-02-12 20:44 124,416 a------- c:\xphome\system32\rirhjg.dll
2009-02-12 20:44 124,416 a------- c:\xphome\system32\mdpcjoth.dll
2009-02-11 19:57 125,440 a------- c:\xphome\system32\uhwhxd.dll
2009-02-11 19:57 125,440 a------- c:\xphome\system32\rdogxpot.dll
2009-02-10 21:32 126,464 a------- c:\xphome\system32\bmckxs.dll
2009-02-10 21:32 126,464 a------- c:\xphome\system32\gaehfryc.dll
2009-02-10 21:29 1,530,380 ---sh--- c:\xphome\system32\oclkmscr.ini

==================== Find3M ====================

2009-02-23 14:30 4,212 ----h--- c:\xphome\system32\zllictbl.dat
2009-01-14 17:11 38,496 a------- c:\xphome\system32\drivers\mbamswissarmy.sys
2009-01-14 17:11 15,504 a------- c:\xphome\system32\drivers\mbam.sys
2008-12-25 18:28 737,280 a------- c:\xphome\iun6002.exe
2007-03-09 19:49 100,352 a--sh--- c:\xphome\system32\juwuroja.dll
2007-03-08 18:02 142,848 a--sh--- c:\xphome\system32\kewohewu.dll
2007-03-08 18:02 102,400 a--sh--- c:\xphome\system32\lodijipo.dll
2007-03-08 18:02 142,848 a--sh--- c:\xphome\system32\touvey.dll
2007-03-08 18:02 105,984 a--sh--- c:\xphome\system32\wunibadi.dll.vir

============= FINISH: 20:01:29.78 ===============


Re: trojan on my computer

Post by Belahzur on Wed Mar 11, 2009 12:36 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\xphome\system32\juwuroja.dll
    c:\xphome\system32\kewohewu.dll
    c:\xphome\system32\lodijipo.dll
    c:\xphome\system32\touvey.dll
    c:\xphome\system32\wunibadi.dll.vir
    c:\xphome\system32\zllictbl.dat
    c:\xphome\system32\szdcgb.dll
    c:\xphome\system32\mctgwlcb.dll
    c:\xphome\system32\fgaaurah.ini
    c:\xphome\system32\oxsplhhw.ini
    c:\xphome\system32\unbccu.dll
    c:\xphome\system32\codikmtg.dll
    c:\xphome\system32\gcnioc.dll
    c:\xphome\system32\uhyenyev.dll
    c:\xphome\system32\rgmvpuyv.ini
    c:\xphome\system32\ykfeevfe.ini
    c:\xphome\system32\fosudk.dll
    c:\xphome\system32\vwocjtsl.dll
    c:\xphome\system32\ldvoyn.dll
    c:\xphome\system32\vilyonvy.dll
    c:\xphome\system32\ettfmcag.ini
    c:\xphome\system32\ljxuqvic.ini
    c:\xphome\system32\mpxtli.dll
    c:\xphome\system32\cuoqdagy.dll
    c:\xphome\system32\rqnekxvl.ini
    c:\xphome\system32\taevhy.dll
    c:\xphome\system32\mpcalbpq.dll
    c:\xphome\system32\yhcgtynx.ini
    c:\xphome\system32\ikcbje.dll
    c:\xphome\system32\nlcgepcu.dll
    c:\xphome\system32\jcwkuhbc.ini
    c:\xphome\system32\vygpnvvp.dll
    c:\xphome\system32\dmtcjd.dll
    c:\xphome\system32\kdqowl.dll
    c:\xphome\system32\abnlsely.dll
    c:\xphome\system32\ycojjynp.ini
    c:\xphome\system32\subwujsq.ini
    c:\xphome\system32\snayir.dll
    c:\xphome\system32\ffppjunk.dll
    c:\xphome\system32\clejyxwc.ini
    c:\xphome\system32\rirhjg.dll
    c:\xphome\system32\mdpcjoth.dll
    c:\xphome\system32\uhwhxd.dll
    c:\xphome\system32\rdogxpot.dll
    c:\xphome\system32\bmckxs.dll
    c:\xphome\system32\gaehfryc.dll
    c:\xphome\system32\oclkmscr.ini

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byXQHwVO]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please post the OTMoveIt log.


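The OTMoveIt script above resets three Vundo persistence points (the Winlogon Notify key, AppInit_DLLs and the LSA Notification Packages value) and removes the randomly named DLL/INI pairs that the DDS "Created Last 30" section shows being dropped twice a day. The Python below is an added example, not part of this thread or of OTMoveIt: it audits those same lines in a DDS report, applies a heuristic for the paired drops, and decodes the hex(7) value the :reg block writes back so you can confirm it is the stock single-entry list. The sample lines are constructed from the reports posted above, and the line formats are assumed to be exactly those DDS printed here.

```python
import re

# Constructed sample: the three persistence lines from the DDS "Pseudo HJT Report"
# posted above (Winlogon Notify, AppInit_DLLs, LSA Notification Packages).
SAMPLE_DDS = r"""
Notify: byXQHwVO - byXQHwVO.dll
AppInit_DLLs: yfaesn.dll c:\xphome\system32\tizutere.dll yxakkn.dll
LSA: Notification Packages = scecli c:\xphome\system32\tizutere.dll
"""

# Constructed sample: a few lines from the DDS "Created Last 30" section above,
# plus a directory line and a driver line that must not be flagged.
SAMPLE_CREATED = r"""
2009-03-05 18:46 --d----- c:\docume~1\mahveer\applic~1\TeamViewer
2009-02-18 20:48 124,416 a------- c:\xphome\system32\szdcgb.dll
2009-02-18 20:48 124,416 a------- c:\xphome\system32\mctgwlcb.dll
2009-02-18 20:45 1,616,970 ---sh--- c:\xphome\system32\fgaaurah.ini
2009-01-14 17:11 38,496 a------- c:\xphome\system32\drivers\mbamswissarmy.sys
"""

# On a clean XP install the LSA "Notification Packages" value holds only scecli
# and AppInit_DLLs is empty, which is what the OTMoveIt :reg block restores.
DEFAULT_LSA_PACKAGES = {"scecli"}


def audit_persistence(report):
    """Return (location, entry) pairs from a DDS report that deviate from the defaults."""
    findings = []
    for line in report.splitlines():
        if line.startswith("Notify:"):
            # DDS only lists Winlogon Notify entries outside the stock set, so
            # every one it prints deserves a look.
            findings.append(("Winlogon Notify", line.split(":", 1)[1].strip()))
        elif line.startswith("AppInit_DLLs:"):
            # Split on the first colon only: the value itself contains "c:\...".
            for entry in line.split(":", 1)[1].split():
                findings.append(("AppInit_DLLs", entry))
        elif line.startswith("LSA: Notification Packages ="):
            for entry in line.split("=", 1)[1].split():
                if entry.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("LSA Notification Packages", entry))
    return findings


# "YYYY-MM-DD HH:MM [size] attrs path"; directory lines carry no size field.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Drop names seen in this report: 6 or 8 lowercase letters, .dll or .ini.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.(?:dll|ini)$")


def flag_system32_droppers(section):
    """Heuristic over the "Created Last 30" section: flag hidden+system .ini files
    in system32 and DLLs created in the same minute with identical size and
    random-looking names (the twice-daily pairs visible in the report above)."""
    flagged = set()
    by_stamp = {}
    for line in section.splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m["path"].lower()
        folder, _, name = path.rpartition("\\")
        if not folder.endswith("\\system32") or not RANDOM_NAME_RE.match(name):
            continue
        attrs = m["attrs"]
        if name.endswith(".ini") and "s" in attrs and "h" in attrs:
            flagged.add(path)
        elif name.endswith(".dll"):
            key = (m["date"], m["time"], m["size"])
            by_stamp.setdefault(key, []).append(path)
    for group in by_stamp.values():
        if len(group) >= 2:
            flagged.update(group)
    return sorted(flagged)


def decode_reg_multi_sz(hex7):
    """Decode a regedit-style hex(7) REG_MULTI_SZ value into its string entries.
    The OTMoveIt script above writes one byte per character; regedit exports use
    UTF-16LE, which is recognised here by the all-zero high bytes."""
    data = bytes(int(b, 16) for b in hex7.split(":", 1)[1].split(","))
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    # Entries are NUL-separated and the list is double-NUL terminated.
    return [entry for entry in text.split("\x00") if entry]


def encode_reg_multi_sz(entries):
    """Inverse of decode_reg_multi_sz in the one-byte form used by the script above."""
    data = ("\x00".join(entries) + "\x00\x00").encode("latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    for where, entry in audit_persistence(SAMPLE_DDS):
        print(f"non-default {where}: {entry}")
    for path in flag_system32_droppers(SAMPLE_CREATED):
        print(f"suspicious drop: {path}")
    # Confirms the value the :reg block restores is the stock single-entry list.
    print(decode_reg_multi_sz("hex(7):73,63,65,63,6c,69,00,00"))
```

The pair heuristic is deliberately narrow; a legitimate six-letter DLL created alone in system32 is not flagged, only same-minute, same-size pairs and hidden system .ini files are.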



Re: trojan on my computer

Post by avak101 on Wed Mar 11, 2009 9:44 pm

So I used the program and it ran, but then it stopped responding and I could not copy you the results.


Re: trojan on my computer

Post by Belahzur on Wed Mar 11, 2009 9:46 pm

Please run DDS again; the files should have been moved even though we got no report.





Re: trojan on my computer

Post by avak101 on Wed Mar 11, 2009 9:48 pm

DDS (Ver_09-02-01.01) - NTFSx86
Run by MAHVEER at 17:47:19.96 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.907 [GMT -4:00]

FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\XPHOME\system32\svchost -k DcomLaunch
svchost.exe
C:\XPHOME\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\XPHOME\system32\ZoneLabs\vsmon.exe
C:\XPHOME\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\XPHOME\System32\oodag.exe
C:\XPHOME\system32\svchost.exe -k imgsvc
C:\XPHOME\system32\rundll32.exe
C:\XPHOME\system32\wscntfy.exe
C:\XPHOME\system32\WgaTray.exe
C:\XPHOME\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\XPHOME\System32\LVCOMSX.EXE
C:\XPHOME\System32\oodtray.exe
C:\XPHOME\BCMSMMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\XPHOME\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MAHVEER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Idea2 SidebarBrowserMonitor Class: {45ad732c-2ce2-4666-b366-b2214ad57a49} - c:\program files\desktop sidebar\sbhelp.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\xphome\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\xphome\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [KONICA MINOLTA magicolor 2400W STD] c:\xphome\system32\MSTMON_S.EXE STARTUP
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus CX6400] c:\xphome\system32\spool\drivers\w32x86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB003" /M "Stylus CX6400"
mRun: [LVCOMSX] c:\xphome\system32\LVCOMSX.EXE
mRun: [OODefragTray] c:\xphome\system32\oodtray.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunOnce: [OTMoveIt] c:\documents and settings\mahveer\desktop\OTMoveIt3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {09FE188B-6E85-479e-9411-51FB2220DF80} - {45AD732C-2CE2-4666-B366-B2214AD57A49} - c:\program files\desktop sidebar\sbhelp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: carebridge.net\sra
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {33564D57-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
TCP: {649A34FC-784A-4030-8DB5-8C94BCEE44EA} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mahveer\applic~1\mozilla\firefox\profiles\vjfa61d7.default\

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_550_11905;Juniper Networks TDI Filter Driver (NEOFLTR_550_11905);c:\xphome\system32\drivers\NEOFLTR_550_11905.sys [2007-6-22 63008]
R1 vsdatant;vsdatant;c:\xphome\system32\vsdatant.sys [2007-4-19 394952]
R2 vsmon;TrueVector Internet Monitor;c:\xphome\system32\zonelabs\vsmon.exe -service --> c:\xphome\system32\zonelabs\vsmon.exe -service [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\xphome\system32\drivers\nsdriver.sys --> c:\xphome\system32\drivers\NSDriver.sys [?]

=============== Created Last 30 ================

2009-03-11 15:53 --d----- C:\_OTMoveIt
2009-03-05 18:46 --d----- c:\docume~1\mahveer\applic~1\TeamViewer
2009-03-05 18:46 --d----- c:\documents and settings\mahveer\temp

==================== Find3M ====================

2009-02-23 14:30 4,212 ----h--- c:\xphome\system32\zllictbl.dat
2009-01-14 17:11 38,496 a------- c:\xphome\system32\drivers\mbamswissarmy.sys
2009-01-14 17:11 15,504 a------- c:\xphome\system32\drivers\mbam.sys
2008-12-25 18:28 737,280 a------- c:\xphome\iun6002.exe

============= FINISH: 17:47:43.44 ===============

avak101

Re: trojan on my computer

Post by Belahzur on Wed Mar 11, 2009 9:52 pm

Hello.
The malware is gone, but we have to install an AV now; first, let's remove the OTMoveIt entry from the RunOnce key.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "OTMoveIt"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Please install Avira.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support

Install and update it; allow it to download updates, because ZoneAlarm is likely to alert you that something is trying to download to your machine.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
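As an added example (not part of this thread, DDS or OTMoveIt), the following Python script does the triage step behind the fix above: it parses the uRun/mRun/uRunOnce/mRunOnce lines of a DDS "Pseudo HJT Report", flags autostart commands launched from user-writable locations such as the desktop, and generates the same kind of `.reg` deletion file. The u/m prefix to HKCU/HKLM mapping is the DDS convention; the sample lines are constructed from the entries in the report above.

```python
import re

# DDS prefixes map to the registry keys they were read from (u = HKCU, m = HKLM)
KEYS = {
    "uRun": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "mRun": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "uRunOnce": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "mRunOnce": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Autostart commands that live in user-writable directories deserve a second look
SUSPECT_DIRS = ("\\desktop\\", "\\temp\\", "\\docume~1\\", "\\documents and settings\\")

# One DDS autostart line: "<prefix>: [<value name>] <command line>"
ENTRY_RE = re.compile(r"^(?P<src>[um]Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample in the DDS report format (taken from the entries in the thread)
SAMPLE = "\n".join([
    r"uRun: [ctfmon.exe] c:\xphome\system32\ctfmon.exe",
    r"uRunOnce: [FlashPlayerUpdate] c:\xphome\system32\macromed\flash\NPSWF32_FlashUtil.exe -p",
    r'mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"',
    r"mRunOnce: [OTMoveIt] c:\documents and settings\mahveer\desktop\OTMoveIt3.exe",
])


def parse_autostarts(report):
    """Return (source key, value name, command) tuples for every Run/RunOnce line."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["src"], m["name"], m["cmd"]))
    return entries


def flag_entries(entries):
    """Keep only entries whose command runs from a user-writable directory."""
    return [e for e in entries if any(d in e[2].lower() for d in SUSPECT_DIRS)]


def build_reg_delete(entries):
    """Emit a .reg file that deletes the flagged values ("name"=- means delete)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for src, name, _ in entries:
        lines += [f"[{KEYS[src]}]", f'"{name}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_reg_delete(flag_entries(parse_autostarts(SAMPLE))))
```

Review what the script flags before merging its output; a legitimate installer's RunOnce entry can also sit under the user profile.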


Belahzur
