Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HiJack This & BGV.txt Log - Winfixer Removal


  • Please log in to reply

#1
jeninla

jeninla

    New Member

  • Member
  • Pip
  • 3 posts
Hi Geeks To Go,

I have followed the instructions on how to remove 'winfixer' pop ups-- none have been successful thus far. I also get random 'adult friend finder' pop ups (since the winfixer pop ups started)

VundoFix -- didn't work
downloaded "VirtumundoBeGone" -- and the problem still persists.

Below is my "VirtumundoBeGone" (BGV Log)

[03/31/2006, 21:54:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[03/31/2006, 21:54:47] - Detected System Information:
[03/31/2006, 21:54:47] - Windows Version: 5.1.2600, Service Pack 2
[03/31/2006, 21:54:47] - Current Username: Owner (Admin)
[03/31/2006, 21:54:47] - Windows is in NORMAL mode.
[03/31/2006, 21:54:47] - Searching for Browser Helper Objects:
[03/31/2006, 21:54:47] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/31/2006, 21:54:47] - BHO 2: {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} (DosSpecFolder Object)
[03/31/2006, 21:54:47] - BHO 3: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[03/31/2006, 21:54:47] - BHO 4: {827DC836-DD9F-4A68-A602-5812EB50A834} (MSEvents Object)
[03/31/2006, 21:54:47] - ALERT: Found MSEvents Object!
[03/31/2006, 21:54:47] - Finished Searching Browser Helper Objects
[03/31/2006, 21:54:47] - *** Detected MSEvents Object
[03/31/2006, 21:54:47] - Trying to remove MSEvents Object...
[03/31/2006, 21:54:48] - Terminating Process: IEXPLORE.EXE
[03/31/2006, 21:54:49] - Terminating Process: RUNDLL32.EXE
[03/31/2006, 21:54:49] - Disabling Automatic Shell Restart
[03/31/2006, 21:54:50] - Terminating Process: EXPLORER.EXE
[03/31/2006, 21:54:51] - Suspending the NT Session Manager System Service
[03/31/2006, 21:54:51] - Terminating Windows NT Logon/Logoff Manager
[03/31/2006, 21:54:52] - Re-enabling Automatic Shell Restart
[03/31/2006, 21:54:52] - File to disable: C:\WINDOWS\Cursors\vgaeula.dll
[03/31/2006, 21:54:52] - Removing HKLM\...\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
[03/31/2006, 21:54:52] - Removing HKCR\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
[03/31/2006, 21:54:55] - Adding Kill Bit for ActiveX for GUID: {827DC836-DD9F-4A68-A602-5812EB50A834}
[03/31/2006, 21:54:55] - Deleting ATLEvents/MSEvents Registry entries
[03/31/2006, 21:54:56] - Removing HKLM\...\Winlogon\Notify\vgaeula
[03/31/2006, 21:54:56] - Searching for Browser Helper Objects:
[03/31/2006, 21:54:56] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/31/2006, 21:54:56] - BHO 2: {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} (DosSpecFolder Object)
[03/31/2006, 21:54:56] - BHO 3: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[03/31/2006, 21:54:56] - Finished Searching Browser Helper Objects
[03/31/2006, 21:54:56] - Finishing up...
[03/31/2006, 21:54:56] - A restart is needed.
[03/31/2006, 21:55:03] - Attempting to Restart via STOP error (Blue Screen!)

Here is my HIJACK THIS LOG:[/color][color=#CC0000]
Logfile of HijackThis v1.99.1
Scan saved at 10:41:10 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GFVHLQJB\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn0\yt.dll
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\mljji.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thanks for all your help!!! Can't wait to fix this problem :whistling:

Jen in LA
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi jeninla :whistling:

Please uninstall the following (click start >>>control panel >>> add/remove programs) If present

WinFixer 2005

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.bak2

Folders to delete:
C:\Program Files\WinFixer 2005


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\mljji.dll
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll


Now close all windows other than HiJackThis, then click Fix Checked




5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#3
jeninla

jeninla

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I followed the instructions given -- here is the next step:

My C:/Avenger.txt is as follows:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dvmggixk

*******************

Script file located at: \??\C:\WINDOWS\gbbkoopr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mljji.dll deleted successfully.
File C:\WINDOWS\system32\ijjlm.ini deleted successfully.
File C:\WINDOWS\system32\ijjlm.bak1 deleted successfully.
File C:\WINDOWS\system32\ijjlm.bak2 deleted successfully.


My "fresh" HiJackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:30:58 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GFVHLQJB\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn0\yt.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I'll be checking for the next instructions... THANKS AGAIN!!!!!

* Jen IN LA
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi jeninla
:blink:

Looks like it worked :whistling:

If you uninstalled WinFixer 2005 Delete this folder C:\Program Files\WinFixer 2005

Lets do the clean up

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
.
  • 0

#5
jeninla

jeninla

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Geeks To Go,

I ran Kaspersky On-line scan -- below is the log/text after the scan was completed:

KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 01, 2006 3:42:02 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/04/2006
Kaspersky Anti-Virus database records: 185493
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 101668
Number of viruses found: 11
Number of infected objects: 39
Number of suspicious objects: 0
Duration of the scan process: 01:39:30

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188849.exe Infected: Trojan-Downloader.Win32.Agent.tq skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188850.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188851.exe Infected: Trojan-Downloader.Win32.Agent.tq skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188852.exe Infected: not-a-virus:Downloader.Win32.Agent.d skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188853.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188854.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188855.exe Infected: Trojan-Downloader.Win32.Pacer.j skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188856.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188857.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188858.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188859.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188860.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188861.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188862.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188863.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188864.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188865.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188866.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188867.exe Infected: Trojan-Downloader.Win32.IstBar.mu skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188868.dll Infected: not-a-virus:AdWare.Win32.WinAD.bg skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188869.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188870.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188871.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188872.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188873.exe Infected: not-a-virus:Downloader.Win32.Agent.d skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188874.exe Infected: not-a-virus:Downloader.Win32.Agent.d skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188875.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188876.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188877.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188878.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188879.exe Infected: Trojan-Downloader.Win32.Delmed.a skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188880.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188881.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188882.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188883.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188884.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188885.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP582\A0188886.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped
C:\WINDOWS\system32\awtsr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.av skipped

Scan process completed.

I'll be checking back!!! thanks !!

* Jen In LA
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi jeninla :whistling:

Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on please. Hijack needs to be in it's own folder to create backups.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan

Now close all windows other than HiJackThis, then click Fix Checked



Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Open HiJackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

C:\WINDOWS\system32\

And select the file

awtsr.dll

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

Afrer the reboot

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
Please post a new Hijack log and tell me how the system is running.

Thanks

Edited by loophole, 01 April 2006 - 06:43 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP