Norton auto protect "downloader"
someone666
post Aug 5 2007, 03:42 PM
Post #16


Member
**
Posts: 14
OS: Windows XP



DSS LOG

Deckard's System Scanner v20070804.61
Run by Owner on 2007-08-05 at 14:38:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:38:50 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Grxp4exe.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {AFF337E8-DAF2-40AC-ADA5-DEE3399E9131} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\nnnnnml.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184007436171
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: bw+0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw+0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw-0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw-0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw10 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw10s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw20 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw20s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw30 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw30s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw40 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw40s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw50 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw50s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw60 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw60s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw70 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw70s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw80 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw80s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw90 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw90s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwa0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwa0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwb0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwb0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwc0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwc0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwd0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwd0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwe0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwe0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwf0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwf0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: bwg0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwg0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwh0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwh0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwi0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwi0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwj0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwj0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwk0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwk0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwl0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwl0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwm0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwm0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwn0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwn0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwo0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwo0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwp0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwp0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwq0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwq0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwr0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwr0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bws0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bws0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwt0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwt0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwu0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwu0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwv0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwv0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bww0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bww0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwx0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwx0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwy0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwy0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwz0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwz0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


-- Files created between 2007-07-05 and 2007-08-05 -----------------------------

2007-08-05 14:25:20 0 d-------- C:\VundoFix Backups
2007-08-04 16:53:17 0 d-------- C:\Program Files\Common Files\Java
2007-08-03 22:11:31 31254 --a------ C:\WINDOWS\system32\pmnkljh.dll
2007-08-03 20:09:52 0 d-------- C:\Program Files\Enigma Software Group
2007-08-03 15:19:12 31254 --a------ C:\WINDOWS\system32\khfcaby.dll
2007-08-03 02:30:28 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2007-08-03 02:25:59 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2007-08-02 16:30:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-08-02 16:30:01 0 d-------- C:\Program Files\Security Task Manager
2007-07-30 14:55:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-07-30 14:55:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-22 17:38:54 0 d-------- C:\Program Files\iTunes
2007-07-22 17:35:56 0 d-------- C:\Program Files\QuickTime
2007-07-22 17:33:00 0 d-------- C:\Program Files\Apple Software Update
2007-07-22 17:31:17 0 d-------- C:\Program Files\Common Files\Apple
2007-07-22 17:31:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-20 02:09:35 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-07-20 01:45:13 0 d-------- C:\Program Files\DivX
2007-07-20 01:15:37 0 d-------- C:\Program Files\BitTorrent
2007-07-17 16:05:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-07-16 15:40:25 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-07-16 13:51:31 0 d-------- C:\Program Files\SiSoftware
2007-07-09 22:24:21 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-07-09 20:20:46 0 d-------- C:\Program Files\PCPitstop
2007-07-09 16:20:11 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2007-07-09 16:07:54 11920 -----n--- C:\WINDOWS\system32\drivers\KID_SYS.sys <Not Verified; Kensington Technology Group; KIDD>
2007-07-09 14:09:14 1759 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-07-09 12:14:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-09 12:13:12 0 d-------- C:\Program Files\MSXML 6.0
2007-07-09 12:10:20 0 d-------- C:\Program Files\MSBuild
2007-07-09 12:07:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 12:05:58 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 12:05:58 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-09 12:05:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 12:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-09 12:04:29 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-07-09 12:03:18 0 d-------- C:\Program Files\Reference Assemblies
2007-07-09 11:24:50 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-07-08 20:42:57 0 d-------- C:\Program Files\Windows Media Connect 2
2007-07-08 20:39:33 0 d-------- C:\WINDOWS\system32\LogFiles
2007-07-08 20:39:33 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-08 20:38:28 0 d-------- C:\Program Files\America's Army Server Manager
2007-07-08 20:20:52 0 d-------- C:\Program Files\America's Army
2007-07-08 13:30:34 0 d-------- C:\Program Files\Common Files\DirectX
2007-07-08 13:14:50 0 d-------- C:\Program Files\Trymedia
2007-07-08 13:13:03 0 d-------- C:\Program Files\Global Star Software
2007-07-05 21:38:57 0 d-------- C:\Program Files\Ricochet Lost Worlds
2007-07-05 21:38:31 0 d-------- C:\Program Files\Wildlife Tycoon Venture Africa
2007-07-05 21:37:42 0 d-------- C:\Program Files\ValuSoft
2007-07-05 20:43:28 0 d-------- C:\Documents and Settings\All Users\Application Data\InterAction studios
2007-07-05 20:43:10 0 d-------- C:\Program Files\Chicken Invaders 3
2007-07-05 18:51:01 0 d-------- C:\Program Files\id Software
2007-07-05 18:26:52 0 d-------- C:\Program Files\Tremulous
2007-07-05 18:05:43 0 d-------- C:\Alien Arena 2007
2007-07-05 17:58:50 0 d-------- C:\Program Files\Blip Blop
2007-07-05 17:33:05 0 d-------- C:\Program Files\Soulseek
2007-07-05 17:20:11 0 d-------- C:\Program Files\Becherovka 2005
2007-07-05 17:06:02 0 d-------- C:\Program Files\DX-Ball
2007-07-05 14:53:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2007-08-05 14:15:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 16:55:39 0 d-------- C:\Program Files\Java
2007-08-04 16:53:17 0 d-------- C:\Program Files\Common Files
2007-08-03 19:34:20 0 d-------- C:\Program Files\Messenger
2007-08-02 16:54:39 0 d-------- C:\Program Files\MSN Messenger
2007-08-02 16:43:47 0 d-------- C:\Program Files\FlashGet
2007-07-22 17:39:11 0 d-------- C:\Program Files\iPod
2007-07-20 13:36:50 4621 --a------ C:\WINDOWS\mozver.dat
2007-07-20 02:31:18 0 d-------- C:\Program Files\ArcSoft
2007-07-20 01:41:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-20 01:23:16 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-07-20 01:15:24 0 d-------- C:\Program Files\Ares
2007-07-20 01:13:04 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-07-20 00:55:16 0 d-------- C:\Program Files\Swarm
2007-07-20 00:31:53 0 d-------- C:\Program Files\PokerStars
2007-07-17 16:16:43 0 d-------- C:\Program Files\Common Files\Xerox Shared
2007-07-16 15:40:17 0 d-------- C:\Program Files\Raxco
2007-07-09 23:26:34 0 d-------- C:\Program Files\WinImage
2007-07-09 19:43:40 0 d-------- C:\Program Files\3DO
2007-07-05 14:53:02 0 d-------- C:\Program Files\Google
2007-06-29 09:11:12 0 d-------- C:\Program Files\WinAce
2007-06-29 09:11:10 0 d-------- C:\Program Files\Starcraft
2007-06-29 09:11:01 0 d-------- C:\Program Files\iPhoto Plus 4
2007-06-29 09:11:01 0 d-------- C:\Program Files\GetRight
2007-06-29 09:11:01 0 d-------- C:\Program Files\FURY3
2007-06-29 09:10:58 0 d-------- C:\Program Files\BrainWave Generator
2007-06-28 18:02:43 0 d-------- C:\Program Files\KC Softwares
2007-06-24 19:04:41 0 d-------- C:\Program Files\Foxit Software
2007-06-24 17:27:02 0 d-------- C:\Program Files\Windows Live
2007-06-24 17:27:02 0 d-------- C:\Program Files\Messenger Plus! Live
2007-06-17 21:04:11 0 d-------- C:\Program Files\DriverGuide Toolkit
2007-06-17 19:54:10 0 d-------- C:\Program Files\SpeedItUpFree
2007-06-16 16:16:08 0 d-------- C:\Program Files\AusLogics BoostSpeed
2007-06-16 14:40:38 0 d--h----- C:\Program Files\Zero G Registry
2007-06-11 19:45:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-06-06 18:54:22 0 d-------- C:\Program Files\Diablo II


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF337E8-DAF2-40AC-ADA5-DEE3399E9131}]
C:\WINDOWS\system32\geeby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
C:\WINDOWS\system32\nnnnnml.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/21/2005 04:48 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [06/21/2005 04:44 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 01:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [01/23/2001 01:29 PM]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [01/23/2001 02:00 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 06:22 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"Gravis Xperience Driver Support"="Grxp4exe.exe" [02/26/2002 10:05 AM C:\WINDOWS\system32\grxp4exe.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [07/09/2006 12:58 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 01:54 PM]
"LDM"="\Program\BackWeb-8876480.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [8/28/2005 11:15:12 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\system32\nnnnnml.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
\Program\BackWeb-8876480.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa184951-34c7-11d9-af9e-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e654a54d-9e1d-11d9-b09c-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-08-05 at 14:39:55 ---------


Vundo log


VundoFix V6.5.6

Checking Java version...

Scan started at 2:25:20 PM 8/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnnml.dll
C:\WINDOWS\system32\nnnnnml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ybeeg.tmp Has been deleted!

Performing Repairs to the registry.
Done!
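The entries the helper singles out in the log above share a few tell-tale shapes: O2 BHOs registered with "(no name)" whose DLL in system32 is already "(file missing)", O18 protocol handlers and O23 services whose target is gone, and DLL names that look like random letter strings. As an added example that is not part of this thread or of HijackThis itself, the Python script below parses HijackThis lines of the form "name - {CLSID} - path" and flags them on exactly those indicators. The sample input is constructed from a handful of lines copied out of the log; the "random-looking DLL name" rule is a heuristic of my own, not a HijackThis feature, and is deliberately limited to system32 to avoid flagging legitimate vendor DLLs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines of the same shape as the O2/O18/O23 entries posted above.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {AFF337E8-DAF2-40AC-ADA5-DEE3399E9131} - C:\\WINDOWS\\system32\\geeby.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\\WINDOWS\\system32\\nnnnnml.dll (file missing)
O18 - Protocol: bw+0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\\PROGRA~1\\MSNMES~1\\MSGRAP~1.DLL
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe (file missing)
"""

# Matches "Oxx - Kind: name - {CLSID} - rest"; the CLSID part is optional (O23 lines lack it).
HJT_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?:\{(?P<clsid>[0-9A-Fa-f-]{36})\} - )?(?P<rest>.*)$"
)
# Heuristic (my assumption, not a HijackThis rule): a 5-8 letter, digit-free DLL name.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}\.dll$")

ORPHANED = "orphaned entry (target file missing)"
UNNAMED = "BHO registered without a name"
RANDOM = "random-looking DLL name in system32"


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: Optional[str]
    path: str
    orphaned: bool  # the registry entry points at a file that no longer exists
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for lines of another shape (O4, R0, ...)."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    orphaned = rest.endswith("(file missing)") or rest == "(no file)"
    path = rest.replace("(file missing)", "").strip()
    path = path.split(" - ")[-1]  # O23 lines carry "vendor - path"
    if path == "(no file)":
        path = ""
    return Entry(m.group("section"), m.group("kind"), m.group("name"),
                 m.group("clsid"), path, orphaned, line.strip())


def looks_random_system32(path: str) -> bool:
    """True for a short all-letter DLL name living directly under system32."""
    if "\\system32\\" not in path.lower():
        return False
    stem = path.rsplit("\\", 1)[-1].lower()
    return bool(RANDOM_STEM_RE.match(stem))


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {raw_line: [reasons]} for every line that deserves a second look."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if e.orphaned:
            reasons.append(ORPHANED)
        if e.section == "O2" and e.name == "(no name)":
            reasons.append(UNNAMED)
        # Only browser/shell hook sections load arbitrary DLLs into Explorer/IE.
        if e.section in ("O2", "O20", "O21") and looks_random_system32(e.path):
            reasons.append(RANDOM)
        if reasons:
            findings[e.raw] = reasons
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(raw)
        for r in reasons:
            print("    ->", r)
```

Orphaned entries are the safe ones to remove with "Fix Checked", since the file they point at is already gone; the two unnamed BHOs collect all three reasons, which is why they top the list, while the Java helper and the live msnim handler are not reported at all.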
MoNsTeReNeRgY22
post Aug 5 2007, 08:33 PM
Post #17


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello,

Please re-open Hijackthis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {AFF337E8-DAF2-40AC-ADA5-DEE3399E9131} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\nnnnnml.dll (file missing)


Now close all windows other than Hijackthis, then click Fix Checked. Close Hijackthis.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up.
  • This will open a new VundoFix window that says "Paste files into the boxes below:"
  • In that window, copy and paste the following file path in the first (top) field:
    C:\WINDOWS\system32\pmnkljh.dll
  • Now copy and paste the following file path in the second field:
    C:\WINDOWS\system32\khfcaby.dll
  • Click the 'Add Files' button.
  • Click the 'Close Window' button.
  • Click the 'Remove Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh DSS Log and the vundofix txt.
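An added example, not from this thread or from HijackThis itself: a small Python parser for the HijackThis entry layout seen in the logs here (section, kind, name, CLSID, path) that picks out registrations whose file is already gone, i.e. the "(file missing)" BHOs the helper asked to have fixed after VundoFix deleted their DLLs, and the "(no file)" O18 protocol handlers that appear further down. The sample lines are copied from this thread; the "nameless BHO in system32" heuristic is a generalisation from the entries shown here, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: HijackThis v1.99 lines copied from the logs in this thread.
# The two "(file missing)" BHOs are the ones the helper asked to have fixed, the
# O18 entry is a protocol handler whose DLL is also gone, and the O4 line uses a
# different layout that this example deliberately leaves unparsed.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {AFF337E8-DAF2-40AC-ADA5-DEE3399E9131} - C:\WINDOWS\system32\geeby.dll (file missing)",
    r"O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\nnnnnml.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O18 - Protocol: bw+0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]

CLSID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"

# Layout shared by O2 (BHO), O3 (toolbar), O18 (protocol) and similar sections:
#   <section> - <kind>: <name> - {<CLSID>} - <path, optionally "(file missing)", or "(no file)">
# Lines in any other layout (O4 Run keys, O9 buttons, ...) simply do not match.
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>"
    + CLSID
    + r")\} - (?P<rest>.*)$"
)


@dataclass
class HjtEntry:
    section: str        # "O2", "O18", ...
    kind: str           # "BHO", "Protocol", ...
    name: str           # "(no name)" when HijackThis found no display name
    clsid: str          # normalised to upper case
    path: str           # "" when no file is registered at all
    file_present: bool  # False for "(file missing)" and "(no file)"


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for lines in a layout this parser does not handle."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    if rest == "(no file)":
        path, present = "", False
    elif rest.endswith("(file missing)"):
        path, present = rest[: -len("(file missing)")].strip(), False
    else:
        path, present = rest, True
    return HjtEntry(m.group("section"), m.group("kind"), m.group("name"),
                    m.group("clsid").upper(), path, present)


def parse_hjt(lines: Iterable[str]) -> List[HjtEntry]:
    """Parse every line that matches the CLSID layout, skipping the rest."""
    return [e for e in (parse_entry(line) for line in lines) if e is not None]


def orphaned_entries(entries: Iterable[HjtEntry]) -> List[HjtEntry]:
    """Registrations whose binary is gone. In this thread VundoFix deleted the DLLs
    but left the BHO registry hooks behind, which is why the helper then had
    HijackThis fix the "(file missing)" lines."""
    return [e for e in entries if not e.file_present]


def suspicious_bhos(entries: Iterable[HjtEntry]) -> List[HjtEntry]:
    """Triage heuristic generalised from this thread (not a HijackThis rule):
    a BHO with no display name whose DLL sits directly in system32, the pattern
    the Virtumonde DLLs here (geeby.dll, nnnnnml.dll) followed. Flags for review only."""
    out = []
    for e in entries:
        if e.section != "O2" or e.name != "(no name)" or not e.path:
            continue
        parent = e.path.lower().rsplit("\\", 1)[0]
        if parent.endswith("\\system32"):
            out.append(e)
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LINES)
    for e in orphaned_entries(parsed):
        print(f"orphaned {e.section} {e.kind}: {e.clsid} -> {e.path or '(no file)'}")
    for e in suspicious_bhos(parsed):
        print(f"review {e.section} BHO: {e.clsid} -> {e.path}")
```

A present file says nothing about whether it is benign, and a flagged entry is a prompt for a human to look, not a verdict.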
someone666
post Aug 5 2007, 11:36 PM
Post #18


Member
**
Posts: 14
OS: Windows XP



Kaspersky Report

KASPERSKY ONLINE SCANNER REPORT
Sunday, August 05, 2007 10:33:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 6/08/2007
Kaspersky Anti-Virus database records: 373348
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics
Total number of scanned objects 103426
Number of viruses found 24
Number of infected objects 72
Number of suspicious objects 4
Duration of the scan process 02:07:26

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/avp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip/win8.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-08-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\7A1756C5.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\7B855497.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\hijackthis_199\backups\backup-20070804-161857-106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Owner\Desktop\hijackthis_199\backups\backup-20070804-213247-878.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Owner\Desktop\hijackthis_199\backups\backup-20070805-141254-336.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jknsltbv.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ucxvhynb.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ynttgpkb.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\CKPWHVPA.0XE Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\CTWOPRFJ.0XE Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\DQCNWTOJ.0XE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\FHMVOYDA.0XE Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\FJWUEGFF.0XE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\LMBWSTUN.0XE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\PFKHGOOH.0XE Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\TITUNXQF.0XE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc24\TOUDBTII.0XE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc32\WIN42.TMP.0XE Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc32\WIN44.TMP.0XE Infected: Trojan.Win32.Agent.qt skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc4\WIN2D.TMP.0XE Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc4\WINC.TMP.0XE Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc51\wnd11.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc60\mljgeee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc60\ssqrpnl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-993892320-3267722304-1471789510-1003\Dc60\WINGDM32.0LL Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP757\A0149770.exe Infected: not-a-virus:AdTool.Win32.WhenU.k skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0160992.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161001.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161002.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161009.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161010.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161011.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161012.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.z skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161013.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161014.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161015.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161016.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161017.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161018.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161019.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161020.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161021.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161022.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161024.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161025.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161026.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161027.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.t skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161028.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161030.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161031.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161033.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161034.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP787\A0161036.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165572.exe/MeMediaSetup.exe Infected: not-a-virus:AdTool.Win32.WhenU.k skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165572.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165589.exe/MeMediaSetup.exe Infected: not-a-virus:AdTool.Win32.WhenU.k skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165589.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165620.exe/MeMediaSetup.exe Infected: not-a-virus:AdTool.Win32.WhenU.k skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165620.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP798\A0165623.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP808\A0165842.exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP809\A0165905.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP811\A0166002.exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0166895.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0166896.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0166897.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\A0166944.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\A0166974.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\A0166975.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\change.log Object is locked skipped
C:\VundoFix Backups\khfcaby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\nnnnnml.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\pmnkljh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.



Vundo Fix


VundoFix V6.5.6

Checking Java version...

Scan started at 2:25:20 PM 8/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnnml.dll
C:\WINDOWS\system32\nnnnnml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ybeeg.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 7:40:43 PM 8/5/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\khfcaby.dll
C:\WINDOWS\system32\khfcaby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkljh.dll
C:\WINDOWS\system32\pmnkljh.dll Has been deleted!

Performing Repairs to the registry.
Done!
someone666
post Aug 5 2007, 11:41 PM
Post #19


Member
**
Posts: 14
OS: Windows XP



Deckard's System Scanner v20070804.61
Run by Owner on 2007-08-05 at 22:39:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:39:41 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Grxp4exe.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184007436171
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: bw+0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw+0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw-0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw-0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw10 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw10s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw20 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw20s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw30 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw30s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw40 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw40s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw50 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw50s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw60 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw60s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw70 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw70s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw80 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw80s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw90 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw90s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwa0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwa0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwb0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwb0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwc0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwc0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwd0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwd0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwe0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwe0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwf0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwf0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: bwg0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwg0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwh0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwh0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwi0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwi0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwj0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwj0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwk0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwk0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwl0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwl0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwm0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwm0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwn0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwn0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwo0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwo0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwp0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwp0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwq0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwq0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwr0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwr0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bws0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bws0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwt0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwt0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwu0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwu0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwv0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwv0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bww0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bww0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwx0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwx0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwy0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwy0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwz0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwz0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- Files created between 2007-07-05 and 2007-08-05 -----------------------------

2007-08-05 19:54:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-08-05 19:53:15 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-05 19:53:03 0 d-------- C:\WINDOWS\LastGood
2007-08-05 14:25:20 0 d-------- C:\VundoFix Backups
2007-08-04 16:53:17 0 d-------- C:\Program Files\Common Files\Java
2007-08-03 20:09:52 0 d-------- C:\Program Files\Enigma Software Group
2007-08-03 02:30:28 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2007-08-03 02:25:59 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2007-08-02 16:30:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-08-02 16:30:01 0 d-------- C:\Program Files\Security Task Manager
2007-07-30 14:55:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-07-30 14:55:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-22 17:38:54 0 d-------- C:\Program Files\iTunes
2007-07-22 17:35:56 0 d-------- C:\Program Files\QuickTime
2007-07-22 17:33:00 0 d-------- C:\Program Files\Apple Software Update
2007-07-22 17:31:17 0 d-------- C:\Program Files\Common Files\Apple
2007-07-22 17:31:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-20 02:09:35 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-07-20 01:45:13 0 d-------- C:\Program Files\DivX
2007-07-20 01:15:37 0 d-------- C:\Program Files\BitTorrent
2007-07-17 16:05:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-07-16 15:40:25 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-07-16 13:51:31 0 d-------- C:\Program Files\SiSoftware
2007-07-09 22:24:21 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-07-09 20:20:46 0 d-------- C:\Program Files\PCPitstop
2007-07-09 16:20:11 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2007-07-09 16:07:54 11920 -----n--- C:\WINDOWS\system32\drivers\KID_SYS.sys <Not Verified; Kensington Technology Group; KIDD>
2007-07-09 14:09:14 1759 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-07-09 12:14:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-09 12:13:12 0 d-------- C:\Program Files\MSXML 6.0
2007-07-09 12:10:20 0 d-------- C:\Program Files\MSBuild
2007-07-09 12:07:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 12:05:58 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 12:05:58 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-09 12:05:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 12:05:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-09 12:04:29 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-07-09 12:03:18 0 d-------- C:\Program Files\Reference Assemblies
2007-07-09 11:24:50 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-07-08 20:42:57 0 d-------- C:\Program Files\Windows Media Connect 2
2007-07-08 20:39:33 0 d-------- C:\WINDOWS\system32\LogFiles
2007-07-08 20:39:33 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-08 20:38:28 0 d-------- C:\Program Files\America's Army Server Manager
2007-07-08 20:20:52 0 d-------- C:\Program Files\America's Army
2007-07-08 13:30:34 0 d-------- C:\Program Files\Common Files\DirectX
2007-07-08 13:14:50 0 d-------- C:\Program Files\Trymedia
2007-07-08 13:13:03 0 d-------- C:\Program Files\Global Star Software
2007-07-05 21:38:57 0 d-------- C:\Program Files\Ricochet Lost Worlds
2007-07-05 21:38:31 0 d-------- C:\Program Files\Wildlife Tycoon Venture Africa
2007-07-05 21:37:42 0 d-------- C:\Program Files\ValuSoft
2007-07-05 20:43:28 0 d-------- C:\Documents and Settings\All Users\Application Data\InterAction studios
2007-07-05 20:43:10 0 d-------- C:\Program Files\Chicken Invaders 3
2007-07-05 18:51:01 0 d-------- C:\Program Files\id Software
2007-07-05 18:26:52 0 d-------- C:\Program Files\Tremulous
2007-07-05 18:05:43 0 d-------- C:\Alien Arena 2007
2007-07-05 17:58:50 0 d-------- C:\Program Files\Blip Blop
2007-07-05 17:33:05 0 d-------- C:\Program Files\Soulseek
2007-07-05 17:20:11 0 d-------- C:\Program Files\Becherovka 2005
2007-07-05 17:06:02 0 d-------- C:\Program Files\DX-Ball
2007-07-05 14:53:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2007-08-05 18:19:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 16:55:39 0 d-------- C:\Program Files\Java
2007-08-04 16:53:17 0 d-------- C:\Program Files\Common Files
2007-08-03 19:34:20 0 d-------- C:\Program Files\Messenger
2007-08-02 16:54:39 0 d-------- C:\Program Files\MSN Messenger
2007-08-02 16:43:47 0 d-------- C:\Program Files\FlashGet
2007-07-22 17:39:11 0 d-------- C:\Program Files\iPod
2007-07-20 13:36:50 4621 --a------ C:\WINDOWS\mozver.dat
2007-07-20 02:31:18 0 d-------- C:\Program Files\ArcSoft
2007-07-20 01:41:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-20 01:23:16 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-07-20 01:15:24 0 d-------- C:\Program Files\Ares
2007-07-20 01:13:04 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-07-20 00:55:16 0 d-------- C:\Program Files\Swarm
2007-07-20 00:31:53 0 d-------- C:\Program Files\PokerStars
2007-07-17 16:16:43 0 d-------- C:\Program Files\Common Files\Xerox Shared
2007-07-16 15:40:17 0 d-------- C:\Program Files\Raxco
2007-07-09 23:26:34 0 d-------- C:\Program Files\WinImage
2007-07-09 19:43:40 0 d-------- C:\Program Files\3DO
2007-07-05 14:53:02 0 d-------- C:\Program Files\Google
2007-06-29 09:11:12 0 d-------- C:\Program Files\WinAce
2007-06-29 09:11:10 0 d-------- C:\Program Files\Starcraft
2007-06-29 09:11:01 0 d-------- C:\Program Files\iPhoto Plus 4
2007-06-29 09:11:01 0 d-------- C:\Program Files\GetRight
2007-06-29 09:11:01 0 d-------- C:\Program Files\FURY3
2007-06-29 09:10:58 0 d-------- C:\Program Files\BrainWave Generator
2007-06-28 18:02:43 0 d-------- C:\Program Files\KC Softwares
2007-06-24 19:04:41 0 d-------- C:\Program Files\Foxit Software
2007-06-24 17:27:02 0 d-------- C:\Program Files\Windows Live
2007-06-24 17:27:02 0 d-------- C:\Program Files\Messenger Plus! Live
2007-06-17 21:04:11 0 d-------- C:\Program Files\DriverGuide Toolkit
2007-06-17 19:54:10 0 d-------- C:\Program Files\SpeedItUpFree
2007-06-16 16:16:08 0 d-------- C:\Program Files\AusLogics BoostSpeed
2007-06-16 14:40:38 0 d--h----- C:\Program Files\Zero G Registry
2007-06-11 19:45:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-06-06 18:54:22 0 d-------- C:\Program Files\Diablo II


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/21/2005 04:48 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [06/21/2005 04:44 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 01:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [01/23/2001 01:29 PM]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [01/23/2001 02:00 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 06:22 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"Gravis Xperience Driver Support"="Grxp4exe.exe" [02/26/2002 10:05 AM C:\WINDOWS\system32\grxp4exe.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [07/09/2006 12:58 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 01:54 PM]
"LDM"="\Program\BackWeb-8876480.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [8/28/2005 11:15:12 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa184951-34c7-11d9-af9e-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-08-05 at 22:40:25 ---------

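The logs above are what a helper reads by eye, and the same three patterns keep coming back: O4 Run entries whose command has no drive letter (the `[LDM] \Program\BackWeb-8876480.exe` line), dozens of O18 `bw*` protocol handlers that all point at one CLSID with "(no file)" behind it, and O23 services marked "(file missing)". Two caveats are worth noting before anything is fixed. The `bw*` handlers, the `bwfile-8876480` handler, the `BackWeb-8876480.exe` Run entry and the `Logitech Desktop Messenger\8876480` startup link all share the same 8876480 identifier, which suggests they are leftovers of that product rather than the "downloader" in the thread title; that is an inference from the log, not something the log proves. And the Symantec O23 lines end in `ccSvcHst.exe" /h ccCommon (file missing)` with a stray quote and arguments still attached, while `ccSvcHst.exe` is clearly running in the process list, so "(file missing)" there most likely reflects HijackThis 1.99.1 testing the wrong string rather than a missing binary.

The following script is an added example for this page, not a Geeks to Go tool and not part of HijackThis or DSS. It parses HijackThis-style lines and applies those three rules; `SAMPLE_LOG` is constructed from a handful of lines of the log posted above, and the reason strings and regexes are the author's own choices, not anything the tool emits.

```python
"""Triage a HijackThis 1.99.x log by section.

Added example for this thread; it is not a Geeks to Go or HijackThis tool.
SAMPLE_LOG is constructed from lines of the log posted above. The rules are
the ones a helper applies by eye: O4 autorun entries whose command has no
absolute path, O18 URL protocol handlers whose CLSID has no DLL behind it,
and O23 services marked '(file missing)', split into probable parser
artefacts (a quoted path followed by arguments) and really missing binaries.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O18 - Protocol: bw+0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw+0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Reason strings are this example's own wording, not HijackThis output.
REASON_RELATIVE = "autorun command is not an absolute path; check where it resolves"
REASON_ORPHAN = "orphaned protocol handler(s): CLSID has no DLL behind it"
REASON_ARTEFACT = "quoted path plus arguments; probably a HijackThis parse artefact, confirm with sc qc"
REASON_MISSING = "service binary missing from disk"

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"\[[^\]]+\]\s+(?P<cmd>.+)$")
O18_RE = re.compile(r"Protocol: (?P<proto>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%\w+%)")   # drive, UNC or %var% prefix


def parse(log_text):
    """Group 'Rn - ...' / 'Onn - ...' lines by their section code."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["section"]].append(m["body"])
    return dict(entries)


def triage(log_text):
    """Return (section, reason, detail) findings for the patterns above."""
    entries = parse(log_text)
    findings = []

    # O4: a command with no drive letter is resolved against the current
    # directory or the PATH at logon, so the line alone does not say what runs.
    for body in entries.get("O4", []):
        m = O4_RE.search(body)
        if m and not ABSOLUTE_RE.match(m["cmd"].strip().strip('"')):
            findings.append(("O4", REASON_RELATIVE, body))

    # O18: collapse the many '(no file)' handlers into one finding per CLSID.
    orphans = defaultdict(list)
    for body in entries.get("O18", []):
        m = O18_RE.match(body)
        if m and m["target"].strip() == "(no file)":
            orphans[m["clsid"]].append(m["proto"])
    for clsid, protos in orphans.items():
        findings.append(("O18", REASON_ORPHAN, f"{clsid}: {', '.join(protos)}"))

    # O23: HijackThis stats the string it extracted from ImagePath. When that
    # string still carries a closing quote and arguments, the check was run
    # on the wrong text and the binary may well be running, as ccSvcHst.exe
    # is in the process list of the posted log.
    for body in entries.get("O23", []):
        if "(file missing)" not in body:
            continue
        path = body.rsplit(" (file missing)", 1)[0]
        reason = REASON_ARTEFACT if re.search(r'"\s+[/-]', path) else REASON_MISSING
        findings.append(("O23", reason, body))

    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
```

Run it against a saved `hijackthis.log` by reading the file into `triage()`. The O4 rule flags bare filenames such as `Grxp4exe.exe` as well as relative paths; that is a prompt to verify where the name resolves, not a verdict, and the O23 split only sorts lines into "probably a parser artefact" and "really missing", which `sc qc <service>` on the machine settles either way.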
MoNsTeReNeRgY22
post Aug 6 2007, 01:05 AM
Post #20


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hey someone666,

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply along with a fresh HJT log. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".
someone666
post Aug 6 2007, 02:27 PM
Post #21


Member
**
Posts: 14
OS: Windows XP



Logfile of HijackThis v1.99.1
Scan saved at 1:26:37 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Grxp4exe.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184007436171
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: bw+0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw+0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw-0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw-0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw10 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw10s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw20 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw20s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw30 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw30s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw40 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw40s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw50 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw50s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw60 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw60s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw70 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw70s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw80 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw80s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw90 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw90s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwa0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwa0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwb0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwb0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwc0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwc0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwd0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwd0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwe0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwe0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwf0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwf0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: bwg0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwg0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwh0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwh0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwi0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwi0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwj0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwj0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwk0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwk0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwl0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwl0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwm0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwm0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwn0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwn0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwo0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwo0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwp0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwp0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwq0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwq0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwr0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwr0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bws0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bws0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwt0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwt0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwu0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwu0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwv0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwv0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bww0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bww0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwx0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwx0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwy0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwy0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwz0 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwz0s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


BlackLight

08/06/07 13:07:20 [Info]: BlackLight Engine 1.0.64 initialized
08/06/07 13:07:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/07 13:07:20 [Note]: 7019 4
08/06/07 13:07:20 [Note]: 7005 0
08/06/07 13:07:25 [Note]: 7006 0
08/06/07 13:07:25 [Note]: 7011 1476
08/06/07 13:07:25 [Note]: 7026 0
08/06/07 13:07:26 [Note]: 7026 0
08/06/07 13:07:29 [Note]: FSRAW library version 1.7.1022
08/06/07 13:20:19 [Note]: 7007 0


I was wondering if it's normal that I have about 5 instances of svchost running right now? One is taking about 25,000K mem and the rest are between 4000 and 5000.

This post has been edited by someone666: Aug 6 2007, 02:33 PM
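The O18 and O23 entries above are easier to triage when grouped: every one of the bw* protocol handlers points at the same CLSID with no file behind it, and several O23 services show a missing image or no vendor name. The Python script below is an added example, not part of the original post and not a HijackThis feature; it parses a handful of lines copied from the log above (embedded as SAMPLE_LOG), groups the dead O18 handlers by CLSID and lists the O23 services worth a second look. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted above (O18 protocol
# handlers and O23 services). The parser itself is an added example.
SAMPLE_LOG = r"""
O18 - Protocol: bw00 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bw00s - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: offline-8876480 - {6729C3F3-1D20-47E3-A097-A4A2A3F13C90} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
"""

# O18: "O18 - Protocol: <name> - {CLSID} - <dll path or (no file)>"
O18_RE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
# O23: "O23 - Service: <display name> - <vendor> - <image path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Turn O18/O23 lines into dicts; lines from other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O18_RE.match(line)
        if m:
            entries.append({"section": "O18", "name": m["name"],
                            "clsid": m["clsid"].upper(), "target": m["target"]})
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"]
            missing = path.endswith("(file missing)")
            entries.append({"section": "O23", "name": m["name"], "vendor": m["vendor"],
                            "path": path.replace("(file missing)", "").strip(),
                            "file_missing": missing})
    return entries


def orphaned_protocols(entries):
    """Group O18 handlers whose CLSID resolves to no file, keyed by CLSID.

    A CLSID names one COM server, so many handlers sharing it are the
    registrations of a single (now absent) component.
    """
    by_clsid = defaultdict(list)
    for e in entries:
        if e["section"] == "O18" and e["target"] == "(no file)":
            by_clsid[e["clsid"]].append(e["name"])
    return dict(by_clsid)


def services_to_review(entries):
    """O23 services worth a second look: image missing on disk, or vendor
    reported as 'Unknown owner'. Returns (name, path, reasons) tuples."""
    flagged = []
    for e in entries:
        if e["section"] != "O23":
            continue
        reasons = []
        if e["file_missing"]:
            reasons.append("file missing")
        if e["vendor"] == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            flagged.append((e["name"], e["path"], reasons))
    return flagged


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for clsid, names in orphaned_protocols(ents).items():
        print(f"{clsid}: {len(names)} dead handler(s): {', '.join(names)}")
    for name, path, reasons in services_to_review(ents):
        print(f"{name}: {path} [{'; '.join(reasons)}]")
```

Running it on the complete log instead of SAMPLE_LOG works the same way; the grouping is what shows at a glance that the dozens of bw* lines are one leftover component rather than dozens of separate problems, and the service list is the part a helper checks against known-good vendors before deciding what to fix.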
MoNsTeReNeRgY22
post Aug 7 2007, 08:20 PM
Post #22


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello,

Yes, multiple svchost processes are quite normal, but if it were something like SVCHOST or svchosts, then it may be a trojan or virus.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
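The point in the reply above, that several svchost.exe processes are normal while a look-alike name is not, can be checked mechanically. The Python below is an added example, not the helper's or the poster's code. It takes a constructed process listing (image name, full path, parent process) and flags two things: a genuine svchost.exe that is not running from System32 or was not started by services.exe, and any name within two edits of svchost.exe that is not exactly svchost.exe. Because Windows file names are case-insensitive, it judges by path and parent rather than by letter case. SAMPLE_PROCESSES, EXPECTED_DIR, EXPECTED_PARENT and the function names are the example's own assumptions; on a real machine the list would come from a process viewer that shows path and parent.

```python
import ntpath

# Constructed process listing: (image name, full path, parent image name).
# Not taken from the poster's machine; the last three rows are deliberately
# shaped like the cases the reply above warns about.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "services.exe"),
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe", "services.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "services.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe", "userinit.exe"),
    ("SVCHOST.EXE", r"C:\WINDOWS\svchost.exe", "explorer.exe"),
    ("svchosts.exe", r"C:\Documents and Settings\Owner\Local Settings\Temp\svchosts.exe", "explorer.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe", "services.exe"),
]

REAL_NAME = "svchost.exe"
EXPECTED_DIR = r"c:\windows\system32"   # assumption: default XP install path
EXPECTED_PARENT = "services.exe"        # the service control manager starts every real svchost


def edit_distance(a, b):
    """Levenshtein distance; small values between a name and svchost.exe mean a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(name, path, parent):
    """Return a list of reasons this process deserves a look (empty = nothing odd)."""
    lname = name.lower()
    reasons = []
    if lname == REAL_NAME:
        # Same name as the real host process: verify where it lives and who started it.
        directory = ntpath.dirname(path)
        if directory.lower() != EXPECTED_DIR:
            reasons.append(f"runs from {directory} instead of System32")
        if parent.lower() != EXPECTED_PARENT:
            reasons.append(f"started by {parent}, expected services.exe")
    elif edit_distance(lname, REAL_NAME) <= 2:
        # Close-but-different spelling (svchosts, scvhost, ...) is the classic disguise.
        reasons.append("name imitates svchost.exe")
    return reasons


def triage(processes):
    """Apply check_process to a listing; returns (name, path, reasons) for flagged rows only."""
    flagged = []
    for name, path, parent in processes:
        reasons = check_process(name, path, parent)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == "__main__":
    legit = sum(1 for n, p, pp in SAMPLE_PROCESSES
                if n.lower() == REAL_NAME and not check_process(n, p, pp))
    print(f"{legit} svchost.exe instance(s) look normal")
    for name, path, reasons in triage(SAMPLE_PROCESSES):
        print(f"{name} ({path}): {'; '.join(reasons)}")
```

The count of ordinary svchost.exe rows is reported but never flagged on its own: five, eight or more instances are unremarkable, and the signal is in the path, the parent and the spelling, not the number.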
someone666
post Aug 7 2007, 10:48 PM
Post #23


Member
Posts: 14
OS: Windows XP



Thank you, Monsterenergy.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2007 at 09:36 PM

Application Version : 3.9.1008

Core Rules Database Version : 3281
Trace Rules Database Version: 1292

Scan type : Complete Scan
Total Scan Time : 01:51:58

Memory items scanned : 505
Memory threats detected : 0
Registry items scanned : 5548
Registry threats detected : 5
File items scanned : 98453
File threats detected : 20

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E9BD0828-1FD9-410C-A50F-43EBE65D310F}

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@belnk[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@crack_serial[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@dist.belnk[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@mediaonenetwork[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@tracking.foxnews[2].txt

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\DOWNLOADS\NOAD\NOADWAREV3.0SERIALFFF\KEYGEN.NFO

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP808\A0165842.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP811\A0166002.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP821\A0167091.EXE

Trojan.Downloader-Gen/Mandingo
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0166897.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\A0166944.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\A0166974.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP820\A0166975.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP821\A0167102.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP821\A0167103.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP821\A0167175.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP821\A0167178.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP821\A0167180.DLL




MoNsTeReNeRgY22
post Aug 8 2007, 06:43 AM
Post #24


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello again,

Well, all the scan found was tracking cookies and files in System Volume Information. You can clean this by doing the following.

1) Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use the Firefox browser:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

2) Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

Go to the Start Menu, then to Help and Support, and click Undo changes to your computer with System Restore.

When System Restore opens, click Create A Restore Point, then Next; name it and press Create.

Then go to the Start Menu, then to Run, and type Cleanmgr.

When Disk Cleanup opens, go to the More Options tab, then press Clean Up in the System Restore area, which removes all the restore points except the latest one, which was just created.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Other than that, your log looks clean!
Good job!
How is it running?
Please use the following suggestion to help prevent reinfection.

I highly recommend downloading the following programs, to keep malware off your computer to begin with.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Very powerful tool which can search for and annihilate malware that makes it onto your system. Now with an Immunize section that will help prevent future infections.
**Tutorial on installing & using this product can be found HERE**

Ad-Aware 2007 Free - Another very powerful tool which searches for and kills malware that infects your system. AdAware and Spybot Search & Destroy complement each other very well.
**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep malware from installing on your system.
**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
**Tutorial on installing & using this product can be found HERE**

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
**Tutorial on installing & using this product can be found HERE**

AntiVirus Program - An AntiVirus program is a must in today's digital world! I recommend avast! 4 Home Edition, AVG, or Anti-Vir.
DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more.

Firewall - A firewall is definitely a must-have to protect your computer from hackers. I recommend Comodo, Zone Alarm, or Outpost.
**Tutorial on Firewalls can be found HERE**

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

And finally, a little How did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing :)