Logger.VBStat.e/winantiviruspro


#1
Aor (New Member, 8 posts)
I have successfully removed all the other crap from my computer, but Logger.VBStat.e keeps coming back for more, oh and I can't get rid of the winantivirus popups.

I have done the general removal steps, the only things I can't get are the above mentioned two.

Thanks for your help
  • 0

#2
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
Aor (Topic Starter, New Member, 8 posts)
Thanks for your lightning fast reply loophole.

Here is the requested HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:40:25 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\DAEMON Tools\daemon.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Winamp\winamp.exe
D:\Sierra\Steam\Steam.exe
F:\Program Files\Mozilla Firefox\firefox.exe
D:\Farken Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WatchWAN] F:\Program Files\WatchWAN\WatchWAN.exe
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{989F8B73-12AE-4719-8F71-594ED0F9B63A}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F190C7A0-25DF-4D5B-A13C-F483629B69CC}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)



The formatting looks a bit queer to me, sorry if I have not posted as is preferred.
  • 0

#4
Aor (Topic Starter, New Member, 8 posts)
I think this one might be a bit more useful....
Did it with the HijackThis app renamed...


Logfile of HijackThis v1.99.1
Scan saved at 10:12:35 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\DAEMON Tools\daemon.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Winamp\winamp.exe
D:\Sierra\Steam\Steam.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\wuauclt.exe
D:\Farken Spyware\Cheese sticks.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {80CDA0D8-B627-4BC0-A8A2-46ACB2D46505} - F:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {A7A1375A-4C57-4A6E-8D2D-06FEF1682BBE} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - F:\WINDOWS\system32\vuxyctbp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WatchWAN] F:\Program Files\WatchWAN\WatchWAN.exe
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{989F8B73-12AE-4719-8F71-594ED0F9B63A}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F190C7A0-25DF-4D5B-A13C-F483629B69CC}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mljgf - F:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)




I'm not liking

O2 - BHO: (no name) - {80CDA0D8-B627-4BC0-A8A2-46ACB2D46505} - F:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {A7A1375A-4C57-4A6E-8D2D-06FEF1682BBE} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} -F:\WINDOWS\system32\vuxyctbp.dll (file missing)


O20 - Winlogon Notify: mljgf - F:\WINDOWS\system32\mljgf.dll
  • 0

#5
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

\Cheese sticks.exe

:blink:

I'm not liking

O2 - BHO: (no name) - {80CDA0D8-B627-4BC0-A8A2-46ACB2D46505} - F:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {A7A1375A-4C57-4A6E-8D2D-06FEF1682BBE} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} -F:\WINDOWS\system32\vuxyctbp.dll (file missing)


Me neither :whistling:

Let's see if VundoFix will detect the Vundo that's present.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Edited by loophole, 03 October 2006 - 05:59 AM.

  • 0

#6
Aor (Topic Starter, New Member, 8 posts)
Here is the VundoFix logfile


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 11:04:48 PM 10/3/2006

Listing files found while scanning....

F:\WINDOWS\system32\mljgf.dll
F:\WINDOWS\system32\fgjlm.ini
F:\WINDOWS\system32\fgjlm.bak1
F:\WINDOWS\system32\fgjlm.bak2

Beginning removal...

Attempting to delete F:\WINDOWS\system32\mljgf.dll
F:\WINDOWS\system32\mljgf.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\fgjlm.ini
F:\WINDOWS\system32\fgjlm.ini Has been deleted!

Attempting to delete F:\WINDOWS\system32\fgjlm.bak1
F:\WINDOWS\system32\fgjlm.bak1 Has been deleted!

Attempting to delete F:\WINDOWS\system32\fgjlm.bak2
F:\WINDOWS\system32\fgjlm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 11:10:25 PM 10/3/2006

Listing files found while scanning....

F:\WINDOWS\system32\mljgf.dll

Beginning removal...

Attempting to delete F:\WINDOWS\system32\mljgf.dll
F:\WINDOWS\system32\mljgf.dll Has been deleted!

Performing Repairs to the registry.
Done!





And the HJT log


Logfile of HijackThis v1.99.1
Scan saved at 11:19:36 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\DAEMON Tools\daemon.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Messenger\msmsgs.exe
D:\Farken Spyware\Cheese sticks.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {80CDA0D8-B627-4BC0-A8A2-46ACB2D46505} - F:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {A7A1375A-4C57-4A6E-8D2D-06FEF1682BBE} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - F:\WINDOWS\system32\vuxyctbp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WatchWAN] F:\Program Files\WatchWAN\WatchWAN.exe
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{989F8B73-12AE-4719-8F71-594ED0F9B63A}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F190C7A0-25DF-4D5B-A13C-F483629B69CC}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)



No pop ups as yet, but what about the VBStat thing?
  • 0

#7
loophole (Malware Expert, Retired Staff, 9,798 posts)

No pop ups as yet, but what about the VBStat thing?


I think that's what we just removed. It's hard to tell because all the anti-virus companies seem to have different names for all the viruses. Let's continue and you can rescan a little later and see if it's still detected.


Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {80CDA0D8-B627-4BC0-A8A2-46ACB2D46505} - F:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {A7A1375A-4C57-4A6E-8D2D-06FEF1682BBE} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - F:\WINDOWS\system32\vuxyctbp.dll (file
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0
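The lines loophole singled out in posts #5 and #7 follow a pattern an analyst checks on every HijackThis log: O2 BHO entries registered with no name, entries whose target file is already gone ("(file missing)" or "(no file)"), and O20 Winlogon Notify handlers that are not known components. The script below is an added example, not code from this thread or from the HijackThis project; it encodes those checks and runs them over a constructed subset of the log lines posted above. The KNOWN_WINLOGON_NOTIFY allowlist (only WgaLogon, the one O20 handler loophole left alone) and the "BHO loaded from system32" hint are assumptions made for this example, not rules from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {80CDA0D8-B627-4BC0-A8A2-46ACB2D46505} - F:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {A7A1375A-4C57-4A6E-8D2D-06FEF1682BBE} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - F:\WINDOWS\system32\vuxyctbp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: mljgf - F:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
"""

# Every HijackThis entry starts with a section tag (R0, O2, O20, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {<CLSID>} - <target>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
# O20 body: "Winlogon Notify: <subkey> - <target>"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")

# Assumption for this example: the only Winlogon Notify handler treated as known-good is
# WgaLogon (Windows Genuine Advantage), the one the thread left in place. A real allowlist
# would be built from a clean baseline of the same Windows version.
KNOWN_WINLOGON_NOTIFY = {"wgalogon"}


@dataclass
class Finding:
    section: str
    reasons: List[str]
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing about it stands out."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []

    # Orphaned registration: the file the entry points at no longer exists. The key is
    # dead weight and, for a BHO, often what is left after a partial malware removal.
    if "(file missing)" in body or body.endswith("(no file)"):
        reasons.append("target file missing; registration is orphaned")

    if section == "O2":
        bho = BHO_RE.match(body)
        if bho and bho.group("name") == "(no name)":
            reasons.append("BHO registered without a name")
        # Heuristic (assumption): legitimate BHOs on this era of Windows normally live under
        # Program Files; a BHO DLL dropped straight into system32 deserves a closer look.
        if bho and "\\system32\\" in bho.group("target").lower():
            reasons.append("BHO loaded from the Windows system directory")
    elif section == "O20":
        notify = NOTIFY_RE.match(body)
        if notify and notify.group("key").lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("Winlogon Notify handler not on the known-good list")

    return Finding(section, reasons, line) if reasons else None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over a whole log and keep only the lines that produced reasons."""
    findings = []
    for raw in log_text.splitlines():
        finding = classify(raw)
        if finding:
            findings.append(finding)
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings as a shortlist for a human to review."""
    return "\n".join(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(scan(SAMPLE_LOG)))
```

Run against the sample it flags the three no-name BHOs, both unknown O20 handlers and the orphaned WmiApSrv service entry. That last one is why this is a triage aid and not a verdict: WMI Performance Adapter is a Windows component, and loophole did not ask for it to be fixed. The script's output is a shortlist for a human to judge, which is exactly what the thread does by hand.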

#8
Aor (Topic Starter, New Member, 8 posts)
Here's the ComboFix logfile:


Sam - 06-10-03 23:42:17.29 Service Pack 2
ComboFix 06.09.28 - Running from: "F:\Documents and Settings\Sam\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-09-26 20:53 143,380 --a------ F:\WINDOWS\system32\fyveiucj.exe
2006-09-11 00:53 91,904 --a------ F:\WINDOWS\system32\S32EVNT1.DLL
2006-09-11 00:53 123,248 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.SYS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-03 23:17 -------- d-------- F:\Program Files\Mozilla Firefox
2006-10-03 23:16 -------- d-------- F:\Program Files\Common Files
2006-10-03 01:14 -------- d-------- F:\Program Files\ewido anti-spyware 4.0
2006-10-01 23:42 -------- d-------- F:\Program Files\Windows Defender
2006-10-01 23:42 -------- d-------- F:\Program Files\Microsoft AntiSpyware
2006-10-01 23:42 -------- d-------- F:\Program Files\Common Files\Microsoft Shared
2006-09-23 23:20 -------- d-------- F:\Documents and Settings\Sam\Application Data\Symantec
2006-09-11 01:58 -------- d-------- F:\Program Files\DivX
2006-09-11 01:29 -------- d-------- F:\Documents and Settings\Sam\Application Data\Mozilla
2006-09-11 01:08 -------- d-------- F:\Program Files\Internet Explorer
2006-09-11 01:01 -------- d-------- F:\Program Files\Norton AntiVirus
2006-09-11 01:01 -------- d-------- F:\Program Files\Common Files\Symantec Shared
2006-09-11 01:00 -------- d-------- F:\Program Files\Symantec
2006-09-11 00:59 -------- d-------- F:\Program Files\SymNetDrv
2006-09-11 00:51 -------- d-------- F:\Program Files\Google
2006-09-10 22:28 -------- d-------- F:\Program Files\Lavasoft
2006-09-10 22:28 -------- d-------- F:\Documents and Settings\Sam\Application Data\Lavasoft
2006-09-02 03:37 -------- d-------- F:\Program Files\XP Codec Pack
2006-09-01 17:42 43520 --a------ F:\WINDOWS\system32\CmdLineExt03.dll
2006-08-27 00:50 -------- d-------- F:\Documents and Settings\Sam\Application Data\AdobeUM
2006-08-22 23:07 -------- d-------- F:\Program Files\Zone Labs
2006-08-21 23:21 16896 --a------ F:\WINDOWS\system32\fltlib.dll
2006-08-21 20:14 23040 --a------ F:\WINDOWS\system32\fltmc.exe
2006-08-21 20:14 128896 --------- F:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-12 04:35 520192 --a------ F:\WINDOWS\system32\DivXsm.exe
2006-08-12 04:35 3596288 --a------ F:\WINDOWS\system32\qt-dx331.dll
2006-08-12 04:35 200704 --a------ F:\WINDOWS\system32\ssldivx.dll
2006-08-12 04:35 1044480 --a------ F:\WINDOWS\system32\libdivx.dll
2006-08-12 04:31 778240 --a------ F:\WINDOWS\system32\divx_xx0c.dll
2006-08-12 04:31 778240 --a------ F:\WINDOWS\system32\divx_xx07.dll
2006-08-12 04:31 761856 --a------ F:\WINDOWS\system32\divx_xx11.dll
2006-08-12 04:31 73728 --a------ F:\WINDOWS\system32\dpl100.dll
2006-08-12 04:31 620180 --a------ F:\WINDOWS\system32\DivX.dll
2006-08-12 04:31 593920 --a------ F:\WINDOWS\system32\dpuGUI11.dll
2006-08-12 04:31 57344 --a------ F:\WINDOWS\system32\dpv11.dll
2006-08-12 04:31 53248 --a------ F:\WINDOWS\system32\dpuGUI10.dll
2006-08-12 04:31 344064 --a------ F:\WINDOWS\system32\dpus11.dll
2006-08-12 04:31 294912 --a------ F:\WINDOWS\system32\dpu11.dll
2006-08-12 04:31 294912 --a------ F:\WINDOWS\system32\dpu10.dll
2006-08-12 04:31 196608 --a------ F:\WINDOWS\system32\dtu100.dll
2006-08-12 04:31 12288 --a------ F:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-12 04:31 118784 --a------ F:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-08-09 11:38 16384 --a------ F:\WINDOWS\system32\ac3config.exe
2006-07-28 00:24 679424 --a------ F:\WINDOWS\system32\inetcomm.dll
2006-07-27 13:05 109568 --------- F:\WINDOWS\system32\pxinsi64.exe
2006-07-27 13:05 108544 --------- F:\WINDOWS\system32\pxcpyi64.exe
2006-07-21 19:24 72704 --a------ F:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"F:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Steam"=""
"WatchWAN"="F:\\Program Files\\WatchWAN\\WatchWAN.exe"
"updateMgr"="\"F:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"swg"="F:\\Program Files\\Google\\GoogleToolbarNotifier\\1.1.720.5674\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE F:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE F:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"F:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"WinampAgent"="F:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ccApp"="\"F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="F:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Windows Defender"="\"F:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!ewido"="\"F:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Zone Labs Client"="\"F:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\MP Scheduled Scan.job
F:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Sam.job

Completion time: Tue 10/03/2006 23:42:59.87
ComboFix.txt



Still no popups tho :whistling:
  • 0

#9 loophole (Malware Expert, Retired Staff, 9,798 posts)
That looks pretty clean :whistling:

Browse for and delete this file F:\WINDOWS\system32\fyveiucj.exe

Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
  • If you are unable to update, you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


Let me know how everything goes and please post a final hijack log for me

Thanks
  • 0

#10 Aor (Topic Starter, New Member, 8 posts)
OK, did the Java stuff; I was already updated to the latest version....

Here's the HJT log. BTW, ewido (which used to find the VBStat) doesn't find anything except the odd tracking cookie here and there. And I've got no popups and can't find anything wrong anymore....

Logfile of HijackThis v1.99.1
Scan saved at 11:34:08 AM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\DAEMON Tools\daemon.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\cscript.exe
F:\WINDOWS\system32\cscript.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Winamp\winamp.exe
D:\Sierra\Steam\Steam.exe
D:\Farken Spyware\Cheese sticks.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WatchWAN] F:\Program Files\WatchWAN\WatchWAN.exe
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{989F8B73-12AE-4719-8F71-594ED0F9B63A}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F190C7A0-25DF-4D5B-A13C-F483629B69CC}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

Thanks for your help matey
  • 0
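Reading a log like the one above means going section by section and picking out the entries a reviewer would check first: files that no longer exist, services with no identifiable publisher, and empty values such as the two R0 lines. The following Python script is an added example, not part of the thread and not HijackThis's own code; it parses the section-prefixed entry lines and applies exactly those three checks. The sample input is a handful of lines copied from the log above; the section regex, function names and reason labels are this example's own.

```python
import re
from collections import Counter, defaultdict

# Sample input: a handful of lines copied from the HijackThis log in the
# thread above, constructed here as the test input for the triage script.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:34:08 AM, on 10/4/2006

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HJT entry starts with a section code (R0, F1, N2, O4, O23, ...) followed by " - ".
# The pattern is this example's own assumption about the log layout.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return [(section, body), ...] for each entry line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def section_counts(text):
    """How many entries each section contributes, e.g. {'O23': 2}."""
    return Counter(section for section, _ in parse_hjt(text))


def flag_reasons(section, body):
    """Reasons a reviewer would look at this entry before the others.

    The checks mirror what is picked out by hand in the thread: an entry whose
    file no longer exists, a service with no identifiable publisher, and an
    R-section entry whose value is empty.
    """
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("file missing")
    if "Unknown owner" in body:
        reasons.append("unknown owner")
    if section.startswith("R") and body.rstrip().endswith("="):
        reasons.append("empty value")
    return reasons


def triage(text):
    """Group only the flagged entries by section: {section: [(body, [reasons]), ...]}."""
    flagged = defaultdict(list)
    for section, body in parse_hjt(text):
        reasons = flag_reasons(section, body)
        if reasons:
            flagged[section].append((body, reasons))
    return dict(flagged)


if __name__ == "__main__":
    print("entries per section:", dict(section_counts(SAMPLE_LOG)))
    for section, items in sorted(triage(SAMPLE_LOG).items()):
        for body, reasons in items:
            print(f"{section}: {', '.join(reasons)} -> {body}")
```

Run against the sample, the script leaves the two healthy entries (the ZoneAlarm Run key and the vsmon service) unflagged and surfaces the missing ssv.dll BHO, the rpcapd service with both a missing file and no owner, and the empty Start Page value. A flag is a prompt to look, not a verdict: an empty R0 value and an orphaned plug-in entry are harmless leftovers, as the thread itself concludes.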

#11 loophole (Malware Expert, Retired Staff, 9,798 posts)
Your log looks good

You can check and fix these with Hijack if you wish

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Otherwise I think you are good to go :whistling:


let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0

#12 Aor (Topic Starter, New Member, 8 posts)
Lol, my System Restore is never coming back online, not after the vicious raping and pillaging I did to my system vol info folders. I shall begin the story about 3 weeks ago, when I began getting those goddamn popups.....

It all started with a certain file that I had a fair idea would be pretty likely to be infected. Little did I know it would be completely bogus and contain nothing it had promised..... I knew it was a really bad little [bleep] when I ran it (exe file) and it disappeared from the desktop, then 3 new processes showed up in WTM.... This was then followed by a long string of profanity.

And so begins my battle against the evil spyware. I started by scanning with adware; the result of this was that it would find several dll files with random names in the windows/system32 folder, but would never finish the scan; the computer would shut down before it would finish (expanding on this a bit, I tried it in safe mode, but it would restart after 3 mins and 30 secs... yes, I timed it and yes, it was that time every time). So after finding this delightful situation, I decided if adware couldn't do it for me I would go and do it myself.... so I did. I explored the system32 folder with admin privs and set to see everything, and I just sorted by modified date, then deleted all the dll's modified past a certain date.

Now, I might mention now my computer did not love this much. When I restarted I couldn't log in; I kept being told my product was not activated (which it was) and for some reason my internet wouldn't work for it, so after a call to the Microsoft computers I was back in business.

This time I wouldn't get force restarted and hence could finish my scans etc etc. So I did a few scans and adware wasn't removing it, so I d/l the Google Pack (only the Norton part) and scanned with Nortons. It found files in the sys vol info folders which it couldn't delete; it also found files in the prefetch and temp folders, oh yeah, and a few more lucky ones lurking in various parts of the system folder.

I looked up how to turn off System Restore etc etc so that Nortons could clean my infections, but when I tried to deactivate System Restore I received an error saying that it couldn't be stopped on several of my HDDs, so it didn't even try. This really annoyed me. So I found out how to do it manually (lucky my safe mode was working now) and after some safe mode loving and some registry changes I could now get access to my sys vol info folders. But still Nortons couldn't delete the files for some reason. So once again it was the manual removal process, but this time I had less patience, so I just deleted everything out of my sys vol info folders :blink: yeah, my computer didn't love it for a while, but it's pulled through.

That got rid of everything except the winantivirus popups and the VBStat (which I didn't know I had until I got ewido); it probably also got rid of a few things I need :whistling: oh well, Windows still runs so I don't care. But the point of the story is my System Restore can't be turned back on; I've tried and it just can't start lol, it's greyed out in the My Computer properties. But that's alright because I don't want System Restore. Anyway mate, thanks for your help and all, I wouldn't have got those last few things off without ya. BTW, what are those 2 things checked from HJT? And the results seem to be all good, haven't had a popup since the cleaning, and nothing can find anything except a few tracking cookies (which is bound to happen really).
  • 0

#13 Aor (Topic Starter, New Member, 8 posts)
Sorry, I forgot to put this in the last reply....

My computer is behind a router which has some form of firewall in it, and on my computer I'm running Windows Defender, Ewido, Spybot S&D, Nortons, Zone Alarm and Adware. Oh yeah, and as part of the rape and pillage program I removed IE from my computer (never liked it anyway). I now use Firefox and I try to keep Java and cookies off entirely, but a lot of sites need them. So I like to imagine my computer's pretty secure; there was a point there (somewhere after the long string of profanity) where I decided I was never using Windows again, and that I'd just boot in Linux next time. I decided against it, after the fun time I had merely trying to get all peripherals working on another computer, let alone games and everything else on this computer.

Once again, thanks for the help
  • 0

#14 loophole (Malware Expert, Retired Staff, 9,798 posts)
Thanks for the story, and people say that Windows is unstable. Look what you put it through :blink:

Those two items were just empty registry items, not malware.

If you had an XP disk you could probably fix those problems, if you wanted to even try. But it sounds like you're happy enough :whistling:

Edited by loophole, 04 October 2006 - 09:42 PM.

  • 0





