
Spyware invasion....



#1
Blind Melon

Blind Melon

    Member

  • Member
  • PipPip
  • 26 posts
Ok, so recently I had gotten the spywarequake bugger... I deleted spywarequake, went into the registry and deleted the necessary files, ran spybot S&D, adaware, and tried other ones, but my IE still came up with uptodateprotection.com or whatever, so I found this forum and found the guide to deleting the spyware... my IE starts up with MSN.com now, so I guess that got rid of the Spywarequake guy, but I went to Panda ActiveScan and scanned my comp... apparently I have some 1400 spyware files on my computer, so yeah... here are the files.... I need to know a free program that'll get rid of this invasion. Thanks!


ActiveScan log (as a download because the file is really long and didn't want to just post it here for obvious reasons)

Edited by Blind Melon, 21 September 2006 - 10:49 AM.

  • 0


#2
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I've downloaded the Windows spyware thing and am giving this a try... the deep scan has taken over an hour so far, and I've got work, so I'll see what happens when I get home... any suggestions for another spyware program to get rid of all this spyware would be appreciated... I'm not sure if that place just lies so they make you buy the program, but either way, my computer is still running slow as ever, and I get mad pop-ups from time to time.
  • 0

#3
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi and welcome :whistling:

Download Hijack This from http://www.thespykil...es/HJTSetup.exe

Save the setup file on your desktop
Double click on it and by default it should install to C:\Program Files\Hijack This
Continue through the setup and have it create a desktop icon for you
Follow all the prompts, click Finish, and have it start Hijack This
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad

Go to Edit, Select All and then Edit, Paste to paste the contents of the log here
Make sure you DO NOT fix anything with Hijack This yet. Most of the things in the log are normal or required.

Let me know what you have done since your post to try to rectify your issues.

-------------------------

I edited that panda scan log and for the record I'll post it here.
I just removed the cookies.

Incident Status Location

Adware:Adware/Sqwire Not disinfected c:\progra~1\common~1\qzkf\qzkfm.exe
Adware:Adware/Sqwire Not disinfected C:\PROGRA~1\COMMON~1\qzkf\qzkfa.exe
Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Adware:adware/mirar Not disinfected c:\windows\system32\WinNB58.dll
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/intcodec Not disinfected Windows Registry

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeff\Local Settings\Application Data\Mozilla\Firefox\Profiles\rpb24qzy.default\Cache\3EFBEAA3d01[smitRem/Process.exe]
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Jeff\Local Settings\Application Data\Mozilla\Firefox\Profiles\rpb24qzy.default\Cache\B23E4567d01
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeff\My Documents\My Received Files\click.php[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeff\My Documents\My Received Files\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeff\My Documents\My Received Files\smitRem.exe[smitRem/Process.exe]
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\qzkf\qzkfa.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\qzkf\qzkfl.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\qzkf\qzkfm.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\qzkf\qzkfp.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{D80B14B2-08A3-1033-0822-050923050001}\services.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SmVm\mApA.vbs
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx7.dll
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\urroxtl.dll_tobedeleted


For future log files if they are too big to post; please attach the log to your reply here rather than download sites.
The option is near the bottom of your reply window. "File attachments".


Thanks :blink:
  • 0

#4
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hey, thanks for the welcoming and the response. I've downloaded it and here's the txt file.


Logfile of HijackThis v1.99.1
Scan saved at 5:21:40 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\COMMON~1\qzkf\qzkfm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1148743068\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\common files\aol\1148743068\ee\aim6.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [qzkf] C:\PROGRA~1\COMMON~1\qzkf\qzkfm.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129854887494
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{224F620A-2AC0-442B-9EF3-F3012916A9A0}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A8854-7C3E-47CF-970F-A041489F093A}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E7759C8-688C-46D9-9165-EA0011C57FD8}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9F8E37E-2A83-47D9-86CC-F3B0EDFEE3CE}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3BA5E64-D83F-4D60-A536-D563621179C0}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS3\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS4\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
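The log above is read by eye in this thread, but the two things the helper is about to act on (the O17 NameServer entries pointing every network interface at the same two outside addresses, and the O4 autorun that loads a DLL from system32 through rundll32.exe with a random-looking export name) are easy to check mechanically. The following Python triage helper is an added example written for this page; it is not part of the thread and not a HijackThis feature. The sample lines are copied from the log posted above, except the last O17 line, which is constructed as a benign control; the "expected resolver" ranges (private address space, as handed out by a home router) are an assumption and should be replaced with whatever resolvers the machine is supposed to use.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Two heuristics a malware helper applies by eye when reading such a log:
  * O17 NameServer values outside the resolver ranges the owner expects
    indicate that the machine's DNS settings have been hijacked.
  * O4 autorun entries that start rundll32.exe on a DLL in system32 and call
    an export with a meaningless name are a common loader pattern.
"""
import ipaddress
import re
from dataclasses import dataclass

# Line shapes for the two HijackThis entry types examined here.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),(?P<export>\S+)", re.IGNORECASE)

# ASSUMPTION for illustration: resolvers normally live in private space
# (home router or DHCP-assigned). Replace with the ISP's resolvers if those
# are configured statically.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16"),
                      ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Finding:
    kind: str     # "dns-hijack" or "rundll32-loader"
    line: str     # the offending log line
    detail: str   # what triggered the finding


def check_o17(line, expected=EXPECTED_RESOLVERS):
    """Flag an O17 line whose NameServer list contains an unexpected address."""
    m = O17_RE.match(line)
    if not m:
        return None
    rogue = []
    for server in m.group("servers").split(","):
        try:
            addr = ipaddress.ip_address(server.strip())
        except ValueError:
            rogue.append(server.strip() + " (unparseable)")
            continue
        if not any(addr in net for net in expected):
            rogue.append(str(addr))
    if rogue:
        return Finding("dns-hijack", line, "unexpected NameServer " + ",".join(rogue))
    return None


def check_o4(line):
    """Flag an O4 autorun that loads a system32 DLL via rundll32.exe."""
    m = O4_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.search(m.group("cmd"))
    if r and "system32" in r.group("dll").lower():
        return Finding("rundll32-loader", line, f"{r.group('dll')} export {r.group('export')}")
    return None


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Run both checks over every line of a log and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for f in (check_o17(line, expected), check_o4(line)):
            if f is not None:
                findings.append(f)
    return findings


def nameservers(log_text):
    """Distinct NameServer addresses across all O17 lines, for a quick overview."""
    found = set()
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if m:
            found.update(s.strip() for s in m.group("servers").split(","))
    return sorted(found)


# Sample lines copied from the log posted in this thread; the final O17 line
# is CONSTRUCTED as a benign control and is not from the log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
O4 - HKCU\..\Run: [qzkf] C:\PROGRA~1\COMMON~1\qzkf\qzkfm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-BENIGN-INTERFACE}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
    print("NameServers seen:", ", ".join(nameservers(SAMPLE_LOG)))
```

Note that the O17 check only says "not where I expect my DNS to be"; it knows nothing about the two addresses themselves. That is the right shape for a triage heuristic: every interface, including the stale ControlSet copies (CS2, CS3, CS4), pointing at the same pair of outside resolvers is the signal, and the fix the helper gives later (remove the entries, then set the adapter back to DHCP-assigned DNS) follows from it.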

#5
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hello :whistling:

Quite a few nasties still; it will take a few tools to clean it all up.

Download Ewido from here and save it to the desktop:

http://www.ewido.net/en/download/

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.

Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
You should be told "Update successful"

Click "Scanner" icon at the top of the screen, then select the "Settings" tab
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

Under "Reports"

Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
Launch ewido-anti-spyware by double-clicking the icon on your desktop.

Select the "Scanner" icon at the top and then the " Scan" tab then click on " Complete System Scan".
Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:

If you have any infections you will be prompted; then select "Apply all actions"
Next select the " Reports" icon at the top.
Select the " Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Reboot the system and post the Ewido log along with a new hijackthis log.

Let me know how machine is running.

You will notice a slight system slowdown with Ewido installed. I recommend disabling the background guard since you already have Windows Defender running resident.

Open Ewido
On the "status" page beside "Resident Shield" click on "Change state".
It should turn RED, indicating it is off.

You can leave the updater running for now if you wish.

Thanks :blink:
  • 0

#6
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Thanks once again for the reply. I downloaded Ewido and ran it. It still hasn't gotten rid of the problem! Also, a while back, my Norton and Sound stopped starting up with the computer... I try to do autoprotect with Norton, but there must've been some spyware or a virus that makes that option not save and won't allow it to startup with the computer... soooo... anyway, here are the reports (one's attached, I couldn't attach the Hijackthis one)...



Logfile of HijackThis v1.99.1
Scan saved at 1:47:49 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Common Files\AOL\1148743068\ee\aolsoftware.exe
c:\program files\common files\aol\1148743068\ee\aim6.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [qzkf] C:\PROGRA~1\COMMON~1\qzkf\qzkfm.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129854887494
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{224F620A-2AC0-442B-9EF3-F3012916A9A0}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A8854-7C3E-47CF-970F-A041489F093A}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E7759C8-688C-46D9-9165-EA0011C57FD8}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9F8E37E-2A83-47D9-86CC-F3B0EDFEE3CE}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3BA5E64-D83F-4D60-A536-D563621179C0}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS3\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS4\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Attached Files


  • 0

#7
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi

I don't know why but Ewido is not removing anything. Even cookies....

A slightly different approach.

Please go to add/remove programs and uninstall:

Viewpoint
VSToolbar


Reboot when done.

Download ATF Cleaner by Atribune and save it to your Desktop.

http://www.atribune..../click.php?id=1

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
Cookies

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

Any sites you visit that require a password you will need to "sign in" to again, because we just deleted the cookies that remember you. I'm nuking your cookies because your scans show tons of "tracking cookies".
Logs should be shorter next time. :whistling:

Next.....

Open Hijackthis
Run system scan only and check: (if present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
O4 - HKCU\..\Run: [qzkf] C:\PROGRA~1\COMMON~1\qzkf\qzkfm.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O17 - HKLM\System\CCS\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{224F620A-2AC0-442B-9EF3-F3012916A9A0}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A8854-7C3E-47CF-970F-A041489F093A}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E7759C8-688C-46D9-9165-EA0011C57FD8}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9F8E37E-2A83-47D9-86CC-F3B0EDFEE3CE}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3BA5E64-D83F-4D60-A536-D563621179C0}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS3\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74
O17 - HKLM\System\CS4\Services\Tcpip\..\{003F0771-C9E7-47D5-BECB-341984473C44}: NameServer = 85.255.113.131,85.255.112.74


Once checked, close all open windows and click "fix checked". Keep Hijackthis open.

Now click "config" at lower right.
Click "Delete a file on reboot" button.

Paste this line into the popup box and hit "open":

C:\WINDOWS\system32\uhvjsul.dll

You will be asked if you want to reboot and if you are sure you want to delete file.

Say OK and let the machine reboot.

Once restarted....

Please post:

1.) New hijackthis log

2.) Uninstall list:
Open Hijackthis
Click "open misc tools options"
Click "open Uninstall manager"
Click "save list..."
Save the list someplace & post it here.

Next....

1. Download this file :

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If your firewall asks for it to connect to the internet, please allow it. The tool may need to download additional files.
Do NOT run in safe mode!

Let me know if Norton autoprotect is still disabled and if you are able to turn it on.

Thanks :blink:
  • 0

#8
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Me again...

Forgot to add... Better print this out or save it to a text file in case I broke your internet. You will need it for reference.

If I broke your internet after fixing the O17 lines in hijackthis; please check the following:

Reset your DNS servers
  • Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
  • Right-click the network connection that you want to configure, and then click Properties.
  • On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
  • If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically. (Recommended)
  • If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.
Reboot your PC

Blender
  • 0

#9
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Alright, I'll give it a try after I eat. Thanks so much for the responses man.
  • 0

#10
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Ok... a couple of problems. When I went to go do the "delete a file on reboot", the program would just exit, and I thought maybe it would come up on reboot, so I rebooted, and nothing.. so then I just went on... I got a new Hijackthis log, but it seems to be the same minus what I deleted (posted below)... ummm, next was the uninstall log, I would click save list, but the program would once again disappear after that (unless it saves it somewhere automatically, then I don't know). K, so then I went to run combofix... this error
Posted Image
came up. It was obviously the combofix, but I just hit stop this script and ran the program. The program finished and came up with that same Norton error... but I've got the log (attached below).. and Norton is not working (as in the Auto-Protect). Haha, something really happened this time. I'm about to write zeros then reformat, etc... but I'd like to see if there is a solution first! There's gotta be!

Hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 7:35:55 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129854887494
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Also, that SUB error thing created two folders on my C drive... QOOOD (or something along those lines) and SUB... nothing was in the folders, but they were there :whistling:

Edited by Blind Melon, 26 September 2006 - 05:48 PM.

  • 0


#11
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi

Those Norton script warnings you can allow for the fix. Those vbs files are being created by combofix to get certain registry info I need to see. Norton's script stopper flags every vbs file as bad. This one isn't.

You have Trojan Virtumonde (vundo). This is what is stopping you from saving the uninstall list and stopping the delete on reboot fix. This has to go first before we move on. Vundo plays "tricks" with hijackthis.

Plan "B"

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • If your security software asks about installing a service; please allow it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post:

New hijackthis log
Log from VundoFix
Try to get the uninstall list again please
Try Combofix again please and allow that c:\SUBs\enter.vbs to run. You may get more than one warning.

There will be more work to do.

Thanks :whistling:
  • 0

#12
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
If you're up for posting how to fix this, I'm down for fixing it. I love to work on my computer, and usually I just resort to formatting, but this time I want to try and figure it out... but of course I'm not really figuring it out, I'm just plugging in the commands. Either way, I think this is a lot of fun.


***Logs coming soon... Vundo's still scanning and I see 4 files that it's found, so we shall see.

Edited by Blind Melon, 26 September 2006 - 07:48 PM.

  • 0

#13
Blind Melon

Blind Melon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Okie dokie... things are working now (as in just the files that I can save, no progress on anything else, IE, Norton). All attached below. Do you want me to post them from now on, even if they are massive in text?

Hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 10:05:39 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Common Files\AOL\1148743068\ee\aolsoftware.exe
c:\program files\common files\aol\1148743068\ee\aim6.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {598E75E4-4377-4D4C-B9F8-D4FECD3ED10E} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\aufkwbri.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129854887494
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


  • 0

#14
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hey;

I'm up to it if you are. You are doing fine.
If you run into issues during any of the steps; just let me know what they are. We'll work through em.
There is more than one way to rip these baddies out and I don't give up easy!

Looks like Vundofix is seeing the files ok. Should go better after that tool does its job.

I'll be back later tonight.

Keep up the good work :whistling:

Blender
  • 0

#15
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi

Looking better I think. :whistling:

A few files I would like you to scan for me at Jotti or VirusTotal.

http://virusscan.jotti.org/

http://www.virustotal.com/

C:\WINDOWS\MTUn1228.exe
C:\WINDOWS\system32\tfrcstog.exe
C:\Program Files\Common Files\Microsoft Shared\MSEnv\upd_manager.exe

Let me know results please.

Do you know what this program is listed in add/remove?:

URGE

If not...

Please go to Hijackthis uninstall manager, highlight the "Urge" entry, copy & paste what is in the "uninstall command" back here.

------------------

Onward to more fixing...

Start Hijackthis
Run system scan only and check:

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
O2 - BHO: (no name) - {598E75E4-4377-4D4C-B9F8-D4FECD3ED10E} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\aufkwbri.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)


Once checked; close all open windows except hijackthis and click "fix checked".

Exit Hijackthis and reboot.


Reveal Hidden Files
  • Click Start.
  • Open My Computer.
  • Select Tools menu
  • Click Folder Options.
  • Select the View Tab.
  • Select Show hidden files and folders in the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.


Find and delete if found the following:

C:\Documents and Settings\Jeff\Application Data\SearchToolbarCorp <--folder

C:\Program Files\Common Files\qzkf <--folder

C:\Program files\qzkf <--folder
C:\Program Files\VSToolbar <--folder
C:\Program Files\Viewpoint <--folder

Use your CCleaner to clean up your temporary files and recycle bin.

Reboot once more.

Please post:

New hijackthis log.
Info from Jotti

Let me know if you are still having problems with Norton, IE, etc.


Any logs, unless huge, yes please post them into the thread. It is OK if you have to use 2 posts or more to get the logs in.
There is a "check post length" button you can use. It will tell you if it is too much.

Thanks :blink:
  • 0
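What the helper is doing when picking the entries to "fix checked" is a readable triage of HijackThis lines: a BHO, Extra button or Winlogon Notify registration whose DLL or EXE no longer exists ("(file missing)") is a dead pointer that can be removed whatever the file was, while an unnamed BHO whose file is still present (the Spybot SDHelper entry above) or a service with "Unknown owner" needs a lookup before anything is touched. Below is that triage as an added Python example; it is not a tool from this thread and not HijackThis's own logic. The sample log is constructed from lines posted earlier in the thread, and the sorting rules are my assumptions based on which entries the helper checked and which were left alone.

```python
"""Triage helper for HijackThis logs: parse O2/O9/O20/O23 lines and sort
them into "fix" (orphaned registrations whose file is gone) and "review"
(entries that need a human look first).

Added example, not a tool from the thread. The rules in triage() are
assumptions that mirror the helper's choices above, not HijackThis logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample built from lines in the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {598E75E4-4377-4D4C-B9F8-D4FECD3ED10E} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\aufkwbri.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"

# One pattern per HijackThis section type handled here.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O9": re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>"
                     + CLSID + r") - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


@dataclass
class Entry:
    kind: str      # O2, O9, O20 or O23
    name: str      # display name, "(no name)" when HijackThis found none
    path: str      # path as logged, including any "(file missing)" suffix
    raw: str       # the original log line
    vendor: str = ""  # only O23 lines carry a vendor

    @property
    def file_missing(self) -> bool:
        return self.path.endswith("(file missing)")

    @property
    def unnamed(self) -> bool:
        return self.name == "(no name)"


def parse_log(text: str) -> List[Entry]:
    """Turn the handled O-lines of a HijackThis log into Entry objects."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(kind, g["name"], g["path"], line, g.get("vendor", "")))
                break
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Sort entries into {"fix": [...], "review": [...]} (raw lines).

    Assumed rules:
      * O2/O9/O20 with "(file missing)": the registry still points at a
        file that is gone; removing the pointer is safe and is what the
        helper checked above.
      * O2 with "(no name)" but a present file: review, not fix; the
        Spybot SDHelper entry is unnamed and legitimate.
      * O23 with "Unknown owner" or "(file missing)": review; the SQL
        Server line carries a stray quote in the logged path, which is
        most likely why the tool reports it missing.
    """
    result: Dict[str, List[str]] = {"fix": [], "review": []}
    for e in parse_log(text):
        if e.kind in ("O2", "O9", "O20") and e.file_missing:
            result["fix"].append(e.raw)
        elif e.kind == "O23" and (e.file_missing or e.vendor == "Unknown owner"):
            result["review"].append(e.raw)
        elif e.unnamed:
            result["review"].append(e.raw)
    return result


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(lines)})")
        for raw in lines:
            print("  " + raw)
```

Run against the constructed sample, the "fix" bucket contains exactly the five lines the helper asked to be checked (three unnamed BHOs, the AIM button and the winmfu32 Winlogon Notify entry), and the "review" bucket holds SDHelper, ATI Smart and the SQL Server service. Anything in "review" is a prompt to look the file up (Jotti or VirusTotal, as the helper suggests), not a verdict.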