Tough To Remove Trojan / Adware [RESOLVED]

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

3 Pages

1 2 3 >

Tough To Remove Trojan / Adware [RESOLVED]

Options

Setec View Member Profile	Oct 4 2007, 05:49 AM Post #1
Member Posts: 19 OS: Windows XP	The problems started out with all of my google searches getting hijacked and redirected to an ad website. I checked recently installed programs and found Outerinfo. This was easily removed after I found your guide on How To Remove Outerinfo. I ran Kaspersky, which found remanants of an old email virus (which I have not been able to locate and doesn't seem to be active) but nothing else. Good to go, right? That night, when AVG (anti-virus) ran, it picked up a few files, which it labeled as BHO.BIE trojans. I told it to Heal. Rebooted. AVG is now warning me about those same files approximately every minute. I've tried Heal and Quarantine to no avail. After repeatedly clicking Ignore for about an hour, I just closed AVG until I can get the system clean. I went through the recommended steps in the You Must Read This post. The final scan from ActiveScan still shows several adware items (although it appears to have fixed the trojans), so here I am. I also ran VundoFix for good measure. It didn't find anything. This site has been a great help in the past, just by reading some of the other posts. Thanks for your help with this problem. -Setec (Going back, it appears that I didn't get to save the logfile from AVG Anti-Spyware after I told it to fix the stuff it found. If needed, I can re-run it.) ------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 10:05:17 PM, on 10/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\PELMICED.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BitTorrent\bittorrent.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Hijackthis\HijackThis.exe O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll O2 - BHO: (no name) - {D962C255-D8C0-4D52-8B03-93F17D917624} - C:\WINDOWS\system32\dplayxk.dll O2 - BHO: (no name) - {EF0B85D8-FBEC-4259-829C-B3AC1DE6F8A4} - c:\windows\system32\apcupss.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SecureOnlineAccountNumbers] C:\Program Files\Secure Online Account Numbers\SOAN.exe /dontopenmycards O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: HOTSYNC.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Secure Online Account Numbers\SOAN.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124234332544 O16 - DPF: {9B8D3E79-A732-4EC0-AEEE-8AF8CDF10D8A} (PalmSourceInstallerX) - http://installer.palmsource.com/PSIWebStub.dll O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{437C6E47-30C2-46A2-A3B8-7F77908017E7}: NameServer = 192.168.0.1 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: cadtsudt - C:\WINDOWS\SYSTEM32\apcupss.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe ------------------------------------------------------------ SUPERAntiSpyware Scan Log Generated 10/04/2007 at 00:44 AM Application Version : 3.6.1000 Core Rules Database Version : 3318 Trace Rules Database Version: 1319 Scan type : Complete Scan Total Scan Time : 00:32:52 Memory items scanned : 570 Memory threats detected : 1 Registry items scanned : 6269 Registry threats detected : 88 File items scanned : 35380 File threats detected : 2 Trojan.Spam-MultiSite/Gen C:\WINDOWS\SYSTEM32\APCUPSS.DLL C:\WINDOWS\SYSTEM32\APCUPSS.DLL Adware.MyWay HKLM\Software\Classes\CLSID\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\TypeLib C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL HKLM\Software\Classes\CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\TypeLib HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} HKLM\Software\Microsoft\Internet Explorer\Toolbar#{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC} HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0 HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0 HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\win32 HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\FLAGS HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\HELPDIR HKCR\MyWayToolBar.NetscapeShutdown HKCR\MyWayToolBar.NetscapeShutdown\CLSID HKCR\MyWayToolBar.NetscapeShutdown\CurVer HKCR\MyWayToolBar.NetscapeShutdown.1 HKCR\MyWayToolBar.NetscapeShutdown.1\CLSID HKCR\MyWayToolBar.NetscapeStartup HKCR\MyWayToolBar.NetscapeStartup\CLSID HKCR\MyWayToolBar.NetscapeStartup\CurVer HKCR\MyWayToolBar.NetscapeStartup.1 HKCR\MyWayToolBar.NetscapeStartup.1\CLSID HKCR\MyWayToolBar.SettingsPlugin HKCR\MyWayToolBar.SettingsPlugin\CLSID HKCR\MyWayToolBar.SettingsPlugin\CurVer HKCR\MyWayToolBar.SettingsPlugin.1 HKCR\MyWayToolBar.SettingsPlugin.1\CLSID HKCR\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10} HKCR\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}\InProcServer32 HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Control HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1 HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Version HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Control HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1 HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Version HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\ProgID HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\ProgID HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Control HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1 HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\ProgID HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Version HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#DisplayName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#HelpLink HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#Publisher HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UninstallString HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UrlInfoAbout ----------------------------------------------------------------- ActiveScan Log: Incident -- Status -- Location Potentially unwanted tool:application/altnet -- Not disinfected -- c:\windows\smdat32a.sys Potentially unwanted tool:application/bestoffer -- Not disinfected -- c:\windows\smdat32m.sys Adware:adware/cydoor -- Not disinfected -- c:\windows\cdmxtras Potentially unwanted tool:application/myway -- Not disinfected -- hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76} Virus:trj/downloader.coy -- Disinfected -- Operating system Adware:adware/instafinder -- Not disinfected -- Windows Registry Potentially unwanted tool:Application/NirCmd.A -- Not disinfected -- C:\Documents and Settings\Andy\Desktop\ComboFix.exe[nircmd.exe] Potentially unwanted tool:Application/NirCmd.A -- Not disinfected -- C:\Documents and Settings\Andy\Desktop\ComboFix.exe[nircmd.cfexe] Potentially unwanted tool:Application/NirCmd.A -- Not disinfected -- C:\WINDOWS\NirCmd.exe Virus:Trj/Downloader.PME -- Disinfected -- D:\Write\Mel Backup\Program Files\WildTangent\LFS\Wildtangent\Cdacache\15.DAT Hacktool:HackTool/KillProcWin.A -- Not disinfected -- D:\Write\Mel Backup\Program Files\WildTangent\LFS\Wildtangent\Cdacache\18.DAT[simple_killw.exe]

sarahw View Member Profile	Oct 4 2007, 12:02 PM Post #2
Malware Staff Posts: 2,618 From: The center of the earth OS: Vista, Xp, 98, 3.1, Dos 5.1	Hi Setec, Welcome to the site I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I want you to show hidden files. There are instructions HERE to help you do this. You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in safe mode so you will be unable to access this thread at that time. These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. This post has been edited by sarahw: Oct 5 2007, 01:53 AM

sarahw View Member Profile	Oct 4 2007, 12:17 PM Post #3
Malware Staff Posts: 2,618 From: The center of the earth OS: Vista, Xp, 98, 3.1, Dos 5.1	Before we begin this fix, can you please save these instructions in Notepad to your desktop, or print them, for reference. Some of this fix will be done in Safe mode, where you will not be able to access this thread on the internet. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below: O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode. Please click on >> Start >> Control Panel Go to Add/Remove Programs locate and then uninstall the following programs(if present): BitTorrent Please tell me of any other programs that you dont recognize in that list in your next response Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present): C:\Program Files\MyWay When you are finished, please reboot the computer as you normally would. Please download VundoFix.exe to your desktop Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. Please let me know of any problems you may have encountered or questions you want to ask.

Setec View Member Profile	Oct 4 2007, 05:23 PM Post #4
Member Posts: 19 OS: Windows XP	I want to confirm that it's necessary to uninstall Bittorrent. I installed this program and do use it. If so, just let me know, but I wanted to double-check before removing it. Other than that, I followed the instructions. It seems that I posted an old (by about 45 minutes) HijackThis log to the post. 2 of the 3 items you wanted me to remove had already been removed (by ActiveScan, I think). VundoFix still didn't find any problems. I didn't find any programs in the uninstall list that I didn't put there. The virus warnings still persist from AVG. --------------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 7:18:18 PM, on 10/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\PELMICED.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll O2 - BHO: (no name) - {D962C255-D8C0-4D52-8B03-93F17D917624} - C:\WINDOWS\system32\dplayxk.dll O2 - BHO: (no name) - {EF0B85D8-FBEC-4259-829C-B3AC1DE6F8A4} - c:\windows\system32\apcupss.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SecureOnlineAccountNumbers] C:\Program Files\Secure Online Account Numbers\SOAN.exe /dontopenmycards O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: HOTSYNC.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Secure Online Account Numbers\SOAN.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191498034125 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {9B8D3E79-A732-4EC0-AEEE-8AF8CDF10D8A} (PalmSourceInstallerX) - http://installer.palmsource.com/PSIWebStub.dll O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{437C6E47-30C2-46A2-A3B8-7F77908017E7}: NameServer = 192.168.0.1 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: cadtsudt - C:\WINDOWS\SYSTEM32\apcupss.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe ------------------------------------------------ VundoFix V6.5.9 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.9 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Java version is 1.5.0.11 Scan started at 7:14:50 PM 10/4/2007 Listing files found while scanning.... No infected files were found. Beginning removal...

sarahw View Member Profile	Oct 5 2007, 01:43 AM Post #5
Malware Staff Posts: 2,618 From: The center of the earth OS: Vista, Xp, 98, 3.1, Dos 5.1	Hi, It is neccessary to uninstall Bit Torrent as that is a likely source of infection for most users. These Vundofix instructions are a little bit different than last time: Updating Java and Clearing Cache Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel. It will say "Java Plug-in" under the icon. Please find the update button or tab in the Java Control Panel. Update your Java then reboot. If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp After the reboot, go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. Please open VundoFix.exe. Click on the white box and select add more files. Add these files: O2 - BHO: (no name) - {D962C255-D8C0-4D52-8B03-93F17D917624} - C:\WINDOWS\system32\dplayxk.dll O2 - BHO: (no name) - {EF0B85D8-FBEC-4259-829C-B3AC1DE6F8A4} - c:\windows\system32\apcupss.dllC:\WINDOWS\system32\gqjrsda.dll Click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. This post has been edited by sarahw: Oct 5 2007, 01:55 AM

Setec View Member Profile	Oct 7 2007, 07:45 PM Post #6
Member Posts: 19 OS: Windows XP	I followed the instructions, after first uninstalling Bittorrent from safe mode. It appears that the infection is still there. I also still see the 2 files in the Hijack This log. On reviewing the VundoFix log, it still shows the recommendation to remove all old versions of Java. Should I go in and uninstall all of the old versions? ------------------------------------------------------ VundoFix V6.5.9 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.9 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Java version is 1.5.0.11 Scan started at 7:14:50 PM 10/4/2007 Listing files found while scanning.... No infected files were found. Beginning removal... Beginning removal... Performing Repairs to the registry. Done! ------------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 9:40:05 PM, on 10/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\PELMICED.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Secure Online Account Numbers\SOAN.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Hijackthis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll O2 - BHO: (no name) - {D962C255-D8C0-4D52-8B03-93F17D917624} - C:\WINDOWS\system32\dplayxk.dll O2 - BHO: (no name) - {EF0B85D8-FBEC-4259-829C-B3AC1DE6F8A4} - c:\windows\system32\apcupss.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SecureOnlineAccountNumbers] C:\Program Files\Secure Online Account Numbers\SOAN.exe /dontopenmycards O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: HOTSYNC.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Secure Online Account Numbers\SOAN.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191498034125 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {9B8D3E79-A732-4EC0-AEEE-8AF8CDF10D8A} (PalmSourceInstallerX) - http://installer.palmsource.com/PSIWebStub.dll O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{437C6E47-30C2-46A2-A3B8-7F77908017E7}: NameServer = 192.168.0.1 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: cadtsudt - C:\WINDOWS\SYSTEM32\apcupss.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

sarahw View Member Profile	Oct 8 2007, 10:55 AM Post #7
Malware Staff Posts: 2,618 From: The center of the earth OS: Vista, Xp, 98, 3.1, Dos 5.1	Hi, Yes can you please remove all old versions of Java. Keep the current version which is 1.6.0 03. 1. First download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly. 2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Save it somewhere oyu will remember like your desktop. Do not run it yet, we will use it later. 3. Please go to UploadMalware to upload a suspicious file for analysis. Enter your username from this forum: Setec Copy and paste the link to this thread: http://www.geekstogo.com/forum/Tough-To-Remove-Trojan-Adware-t172617.html Browse for these filenames: C:\WINDOWS\system32\dplayxk.dll c:\windows\system32\apcupss.dll C:\WINDOWS\SYSTEM32\apcupss.dll In the comments, please mention that I asked you to upload this file: SarahW Click on Send File 4. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode. 5. Please open ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. 6. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess: Lauch AVG Anti-Spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan. 7. Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. In a reply, post the AVG report, the DSS scan, and a fresh Hijack This log.

Setec

Oct 8 2007, 07:47 PM