Klone Virus...Virtumonde...

#1 N8Darb (Member, 10 posts)

I'm at the end of my rope here...and I have never done a forum like this, so I apologize if I'm not doing this right, or in the right place, or posting the right things. I did read everything and ran every app you guys suggested until 4am last night, and the worst thing is that I now have a new problem on my hands: when I boot up my box, it just sits there...I have to manually run a task from Task Manager to run explorer.exe (so now none of my malware software is running...I'm being infected as we speak).

Known Issues:
ki1) When I boot up my box, it just sits there (because of "d5" below)
ki2) I continue to get a popup from "s5" that says "Found problem: Virtumonde" (it says it removes it though)
ki3) I continue to get a popup from AVG "s1" that says "Klone Virus found" and I always move it to the vault, but it's always called something different.

Virus/Malware Software that I have been using:
s1) AVG
s2) SpywareBlaster
s3) SBS&D
s4) Ad-Aware SE
s5) Spyware Doctor (On a 30 day trial)
s6) Registry Mechanic

Here's what I have done so far:
d1) Ran ATF Cleaner
d2) Made a restore point and cleared out old ones
d3) Ran Ad-Aware SE
d4) Booted to SAFE mode and ran AVG Anti-Spyware (You call it "ewido" I assume) (Logs Below)
d5) Booted back to Normal (This is when "ki1" happened)
d6) Ran the "Online - Panda Activescan" (Logs Below)
d7) Ran Hijack-This (Logs Below)


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:24:21 AM 10/28/2006

+ Scan result:

E:\Documents and Settings\ndarby\Local Settings\Temp\10498.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\10904.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\11064.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\11482.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\11504.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\11649.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\12333.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\12594.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\12608.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\12787.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\13671.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\13712.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\13985.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\14352.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\14383.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\14521.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\14836.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\15130.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\15535.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\15709.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\16201.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\16706.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\1736.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\17983.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\1827.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\19861.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\20046.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\22277.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\23324.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\23379.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\23446.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\23886.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\24270.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\2432.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\24392.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\25247.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\25748.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\25940.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\26430.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\26432.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\26562.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\26584.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\27428.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\28584.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\28741.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\29600.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\29933.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\30034.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\30277.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\30381.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\30467.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\30567.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\30935.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\31087.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\31890.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\31969.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\32019.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\3548.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\3947.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\4005.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\5565.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\5928.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\6058.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\6258.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\66.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\6813.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\7683.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\8161.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\8603.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\9130.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\9231.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\9463.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\9626.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Local Settings\Temp\9854.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{8E9D16E5-8858-41AF-B0A2-A9129A39D122}\RP379\A0013615.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{8E9D16E5-8858-41AF-B0A2-A9129A39D122}\RP393\A0013785.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{8E9D16E5-8858-41AF-B0A2-A9129A39D122}\RP395\A0013840.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\WINDOWS\system32\pdr.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{8E9D16E5-8858-41AF-B0A2-A9129A39D122}\RP394\A0013827.exe -> Downloader.PurityScan.an : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\cpylvygk.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\jgnskwai.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\kxdjqicq.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\mpdnifjy.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\oatbncle.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\oeseluru.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\ndarby\Local Settings\Temp\wteddqid.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Program Files\RealVNC\VNC4\vncconfig.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.4 : Cleaned with backup (quarantined).
C:\Program Files\RealVNC\VNC4\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.4 : Cleaned with backup (quarantined).
C:\Program Files\RealVNC\VNC4\wm_hooks.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.4 : Cleaned with backup (quarantined).
E:\Documents and Settings\ndarby\Cookies\ndarby@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Admarketplace : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\ndarby@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@com[2].txt -> TrackingCookie.Com : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
E:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt -> TrackingCookie.Starware : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@starware[2].txt -> TrackingCookie.Starware : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned.
E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\Documents and Settings\ndarby\Cookies\ndarby@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


---------------------------------------------------------
Online - Panda Activescan
---------------------------------------------------------
Incident Status Location

Possible Virus. Not disinfected C:\Documents and Settings\ndarby\Desktop\AnyDVD\Anydvd4.5.7 (w-crack).zip[b-any21.zip][anydvd.exe]
Possible Virus. Not disinfected C:\Documents and Settings\ndarby\Desktop\AnyDVD\b-any21.zip[anydvd.exe]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\fojpjubj.exe
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\kkneexxd.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ouvnxwgt.exe
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@banner[2].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@belnk[2].txt
Spyware:Cookie/Cassava Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\ndarby\Cookies\[email protected][2].txt
Spyware:Cookie/ErrorSafe Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@errorsafe[1].txt
Spyware:Cookie/Go Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@go[1].txt
Spyware:Cookie/Screensavers Not disinfected E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt
Spyware:Cookie/OfferOptimizer Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@rn11[1].txt
Spyware:Cookie/Target Not disinfected E:\Documents and Settings\ndarby\Cookies\ndarby@target[2].txt
Spyware:Cookie/seeqA Not disinfected E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected E:\Documents and Settings\ndarby\Cookies\[email protected][1].txt
Spyware:Cookie/Banner Not disinfected E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\ndarby@banner[1].txt
Spyware:Cookie/360i Not disinfected E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Target Not disinfected E:\Documents and Settings\ndarby\Local Settings\Temp\Cookies\ndarby@target[2].txt
Adware:Adware/PurityScan Not disinfected E:\WINDOWS\system32\?ti2evxx.exe

---------------------------------------------------------
Hijack This
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:39:09 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Tanagra\Memeo\MemeoService.exe
D:\Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ndarby\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = N8
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaManager] D:\Verizon\Media Manager\MediaManager.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "D:\Acrobat\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Memeo Launcher.lnk = C:\Program Files\Tanagra\Memeo\MemeoLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Acrobat\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133389204727
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Memeo (BMUService) - Memeo - C:\Program Files\Tanagra\Memeo\MemeoService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Bluetooth\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


#2 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Regards,

#3 N8Darb (Topic Starter, Member, 10 posts)

Looks like it cleaned up some stuff. Thanks.
Anything else you want me to do?

---------------------------------------------------
VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:14:05 PM 11/7/2006

Listing files found while scanning....

C:\WINDOWS\system32\jexuxvi.dll
C:\WINDOWS\system32\kkneexxd.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\fojpjubj.exe
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\rqtss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jexuxvi.dll
C:\WINDOWS\system32\jexuxvi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kkneexxd.dll
C:\WINDOWS\system32\kkneexxd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\rqtss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\rqtss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\fojpjubj.exe
C:\WINDOWS\system32\fojpjubj.exe Has been deleted!

Performing Repairs to the registry.
Done!

#4 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the log and a new HijackThis log please.

#5 N8Darb (Topic Starter, Member, 10 posts)

ComboFix Log
--------------------------------------------------------------------------------------------------------------------

ndarby - 06-11-08 18:53:25.68 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\ndarby\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{C4D253D3-0647-1033-0408-050315040001}


((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-07 21:35 21,312 --a------ C:\WINDOWS\choice.exe
2006-10-31 22:41 60,436 --a------ C:\WINDOWS\system32\qcyeeaqr.dll
2006-10-31 22:41 118,804 --a------ C:\WINDOWS\system32\etluwqwj.dll
2006-10-30 22:41 110,612 --a------ C:\WINDOWS\system32\wsdtxefj.exe
2006-10-28 01:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 23:33 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-27 23:33 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-20 10:54 67,604 --a------ C:\WINDOWS\system32\ouvnxwgt.exe
2006-10-19 00:35 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 18:53 -------- d-------- C:\Program Files\Common Files
2006-11-04 09:59 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-30 22:41 -------- d-------- C:\Program Files\VSAdd-in
2006-10-30 22:41 -------- d-------- C:\Documents and Settings\ndarby\Application Data\SearchToolbarCorp
2006-10-29 22:42 -------- d-------- C:\Documents and Settings\ndarby\Application Data\Snapfish
2006-10-28 02:43 -------- d-------- C:\Program Files\QuickTime
2006-10-28 02:41 -------- d-------- C:\Program Files\Messenger
2006-10-28 02:41 -------- d-------- C:\Program Files\Internet Explorer
2006-10-28 02:40 -------- d-------- C:\Program Files\D-Tools
2006-10-28 02:39 -------- d-------- C:\Program Files\BHODemon 2
2006-10-28 01:06 -------- d-------- C:\Program Files\Grisoft
2006-10-27 23:33 -------- d-------- C:\Documents and Settings\ndarby\Application Data\PC Tools
2006-10-26 19:25 -------- d-------- C:\Documents and Settings\ndarby\Application Data\Verizon
2006-10-22 10:47 -------- d-------- C:\Program Files\Lavasoft
2006-10-22 10:47 -------- d-------- C:\Documents and Settings\ndarby\Application Data\Lavasoft
2006-10-19 00:50 -------- d-------- C:\Program Files\Registry Mechanic
2006-09-28 22:19 286720 --a------ C:\WINDOWS\iun507.exe
2006-09-28 22:19 -------- d-------- C:\Program Files\RescuePRO
2006-09-26 22:46 94720 --a------ C:\WINDOWS\system32\xlpikhe.dll
2006-09-26 03:12 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-19 19:57 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:56 -------- d-------- C:\Program Files\Yahoo!
2006-09-12 21:54 -------- d-------- C:\Program Files\InterVideo
2006-09-12 21:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 21:25 -------- d-------- C:\Program Files\Adobe
2006-09-12 21:25 -------- d-------- C:\Documents and Settings\ndarby\Application Data\Leadertech
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"iTunesHelper"="\"D:\\iTunes\\iTunesHelper.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-08 18:54:10.48
C:\ComboFix.txt ... 06-11-08 18:54

#6
N8Darb

  • Topic Starter
---------------------------------------------------------
Hijack This
---------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:57:16 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Tanagra\Memeo\MemeoService.exe
D:\Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Acrobat\Reader\reader_sl.exe
D:\Bluetooth\BTTray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Tanagra\Memeo\MemeoBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ndarby\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = N8
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6158B14E-6049-4C88-AAFF-4C6404713582} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\qcyeeaqr.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Memeo Launcher.lnk = C:\Program Files\Tanagra\Memeo\MemeoLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Acrobat\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133389204727
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Memeo (BMUService) - Memeo - C:\Program Files\Tanagra\Memeo\MemeoService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Bluetooth\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#7
N8Darb

  • Topic Starter
Not sure what the ComboFix did, but the info you asked for is above - Thanks

#8
Metallica
OK. We're on our way to clean. :whistling:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\xlpikhe.dll
    C:\Program Files\VSAdd-in\VSAdd-in.dll
    C:\WINDOWS\system32\qcyeeaqr.dll
    C:\WINDOWS\system32\etluwqwj.dll
    C:\WINDOWS\system32\wsdtxefj.exe
    C:\WINDOWS\system32\ouvnxwgt.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot run HijackThis and put a checkmark before the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {6158B14E-6049-4C88-AAFF-4C6404713582} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\qcyeeaqr.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll


Then click Fix checked. Allow the changes should you be prompted by BHODemon or Spybot S&D.

Then reboot again and post a new HijackThis log.

Regards,
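The checks Metallica does by eye in the post above (pick out the unnamed BHOs, the entry whose file is missing, the randomly named DLLs in system32, then confirm after the reboot that the "Fix checked" items are gone) can be scripted. The following is an added example, not code from this thread, from HijackThis or from Geeks to Go: a small parser for HijackThis R*/O* lines that diffs a before and after log and reports whether every requested entry disappeared. The two sample logs are constructed excerpts of the logs posted in this thread, and the flagging heuristics are assumptions that produce candidates for a human to review, not verdicts (a legitimate unnamed BHO such as Spybot's SDHelper.dll would be flagged as well).

```python
"""Check a HijackThis 'Fix checked' round by diffing the before/after logs.
Added example: not code from the thread or from HijackThis."""
import re
from dataclasses import dataclass

# Example line: O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\system32\sstqr.dll (file missing)
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic (assumption): 7-9 random lowercase letters in system32, like qcyeeaqr.dll.
RANDOM_SYS32 = re.compile(r"\\system32\\[a-z]{7,9}\.(?:dll|exe)\b")


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O2", "O4", ...
    body: str     # the rest of the line after "O2 - "

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def key(self):
        # A CLSID identifies BHOs/toolbars/buttons; R0/R1/O4 lines are keyed by their text.
        return (self.section, self.clsid or self.body.strip())

    @property
    def path(self):
        # Last " - " segment is the file path for O2/O3/O9/O23 lines; None for the rest.
        tail = self.body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        return tail.lower() if re.match(r"^[A-Za-z]:\\", tail) else None

    @property
    def file_missing(self):
        return "(file missing)" in self.body

    def __str__(self):
        return f"{self.section} - {self.body}"


def parse(log_text):
    """Keep only the R*/O* lines; the header and process list are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def suspicious(entries):
    """Candidates for review: unnamed BHOs/toolbars, missing files, random system32
    names, plus any other entry loading the same DLL as one of those hits."""
    flagged = [e for e in entries
               if (e.section in ("O2", "O3") and "(no name)" in e.body)
               or e.file_missing or RANDOM_SYS32.search(e.body)]
    bad_paths = {e.path for e in flagged if e.path}
    flagged += [e for e in entries if e not in flagged and e.path in bad_paths]
    return flagged


def verify_fix(before_text, after_text, requested_lines):
    """Did every requested entry disappear, and what else changed across the reboot?"""
    before, after = parse(before_text), parse(after_text)
    before_keys, after_keys = {e.key for e in before}, {e.key for e in after}
    requested = parse("\n".join(requested_lines))
    return {
        "fixed": [str(e) for e in requested if e.key not in after_keys],
        "still_present": [str(e) for e in requested if e.key in after_keys],
        "removed": sorted(str(e) for e in before if e.key not in after_keys),
        "added": sorted(str(e) for e in after if e.key not in before_keys),
    }


# Constructed excerpts of the two HijackThis logs posted in this thread.
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {6158B14E-6049-4C88-AAFF-4C6404713582} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\qcyeeaqr.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
"""
AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
# The five lines the helper asked to have checked and fixed.
REQUESTED = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html",
    r"O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll",
    r"O2 - BHO: (no name) - {6158B14E-6049-4C88-AAFF-4C6404713582} - C:\WINDOWS\system32\sstqr.dll (file missing)",
    r"O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\qcyeeaqr.dll",
    r"O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll",
]

if __name__ == "__main__":
    for e in suspicious(parse(BEFORE_LOG)):
        print("review:", e)
    print(verify_fix(BEFORE_LOG, AFTER_LOG, REQUESTED))
```

Entries are keyed by CLSID where one exists, so an O2 line still counts as gone even if HijackThis prints its path slightly differently next time; the "added" list is worth a glance too, since a new O4 Run entry appearing across a reboot is exactly what a reinfection looks like (here it is only QuickTime).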

#9
N8Darb

  • Topic Starter
Logfile of HijackThis v1.99.1
Scan saved at 8:02:45 AM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Tanagra\Memeo\MemeoService.exe
D:\Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
D:\Acrobat\Reader\reader_sl.exe
D:\Bluetooth\BTTray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Tanagra\Memeo\MemeoBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ndarby\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = N8
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Memeo Launcher.lnk = C:\Program Files\Tanagra\Memeo\MemeoLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Acrobat\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133389204727
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Memeo (BMUService) - Memeo - C:\Program Files\Tanagra\Memeo\MemeoService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Bluetooth\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#10
Metallica
The log looks clean. :whistling:

How is the computer behaving?

Regards,

#11
N8Darb

  • Topic Starter
Above is the new HijackThis log.

Everything went great running the prior KillBox instructions, but I noticed that when I checked the KillBox log, only 5 items were marked for deletion.

(And the weird thing is that the one it missed was in the middle of the list of 6)

------------------------------------------------------------------------------------------

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 7:51 AM

Killbox Closed(Exit) @ 7:52:53 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 7:52 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\xlpikhe.dll


# 2 [Delete on Reboot]
Path = C:\Program Files\VSAdd-in\VSAdd-in.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\etluwqwj.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\wsdtxefj.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\ouvnxwgt.exe


I Rebooted @ 7:53:53 AM
Killbox Closed(Exit) @ 7:53:56 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 8:06 AM

Killbox Closed(Exit) @ 8:07:31 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 8:07 AM

Edited by N8Darb, 09 November 2006 - 08:18 AM.

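The observation above (six paths pasted in, only five queued, the dropped one in the middle) is the kind of thing that is easy to miss by eye in a Killbox log. As an added example, not code from the thread, from Killbox or from Geeks to Go, here is a parser for the Pocket Killbox log format shown above that reconciles what was actually queued for Delete on Reboot against the list that was pasted in, so a silently dropped entry is reported by name. The sample log is a constructed copy of the sessions above; the still_on_disk helper is an assumed follow-up step (it only says something useful when run on the affected machine).

```python
"""Reconcile a Pocket Killbox log against the list of files that were meant to be queued.
Added example: not code from the thread, from Killbox or from Geeks to Go."""
import os
import re

# Sessions in the Killbox log are separated by a line of underscores.
SESSION_SPLIT = re.compile(r"^_{10,}$", re.MULTILINE)
# Queued entries look like "# 3 [Delete on Reboot]" followed by "Path = C:\...".
QUEUED = re.compile(r"^# (?P<n>\d+) \[(?P<mode>[^\]]+)\]\r?\nPath = (?P<path>.+)$", re.MULTILINE)
REBOOT = re.compile(r"^I Rebooted @ (?P<when>.+)$", re.MULTILINE)


def parse_sessions(log_text):
    """One dict per Killbox session: the (path, mode) pairs queued and whether it rebooted."""
    sessions = []
    for chunk in SESSION_SPLIT.split(log_text):
        if "Pocket Killbox" not in chunk:
            continue
        sessions.append({
            "queued": [(m.group("path").strip(), m.group("mode")) for m in QUEUED.finditer(chunk)],
            "rebooted": REBOOT.search(chunk) is not None,
        })
    return sessions


def reconcile(log_text, requested_paths):
    """Compare every path that was pasted in with every path Killbox actually queued."""
    queued = {p.lower() for s in parse_sessions(log_text) for p, _ in s["queued"]}
    wanted = [p.strip() for p in requested_paths if p.strip()]
    missed = [p for p in wanted if p.lower() not in queued]          # pasted but never queued
    unexpected = sorted(queued - {p.lower() for p in wanted})        # queued but never asked for
    return {"queued": len(queued), "missed": missed, "unexpected": unexpected}


def still_on_disk(paths):
    """Follow-up for anything that was dropped: which of these files still exist here?"""
    return [p for p in paths if os.path.exists(p)]


# Constructed copy of the Killbox sessions posted above.
KILLBOX_LOG = r"""
Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 7:51 AM

Killbox Closed(Exit) @ 7:52:53 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 7:52 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\xlpikhe.dll

# 2 [Delete on Reboot]
Path = C:\Program Files\VSAdd-in\VSAdd-in.dll

# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\etluwqwj.dll

# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\wsdtxefj.exe

# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\ouvnxwgt.exe

I Rebooted @ 7:53:53 AM
Killbox Closed(Exit) @ 7:53:56 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 8:06 AM

Killbox Closed(Exit) @ 8:07:31 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as ndarby(Administrator)
was started @ Thursday, November 09, 2006, 8:07 AM
"""

# The six paths that were pasted into Killbox, in the order given.
REQUESTED_PATHS = [
    r"C:\WINDOWS\system32\xlpikhe.dll",
    r"C:\Program Files\VSAdd-in\VSAdd-in.dll",
    r"C:\WINDOWS\system32\qcyeeaqr.dll",
    r"C:\WINDOWS\system32\etluwqwj.dll",
    r"C:\WINDOWS\system32\wsdtxefj.exe",
    r"C:\WINDOWS\system32\ouvnxwgt.exe",
]

if __name__ == "__main__":
    result = reconcile(KILLBOX_LOG, REQUESTED_PATHS)
    print(result)
    print("still on disk:", still_on_disk(result["missed"]))
```

On the sample above the result is five queued, one missed (qcyeeaqr.dll) and nothing unexpected, which is the same conclusion the poster reached by counting, and it points straight at the file the helper later asks to have checked by hand.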

#12
N8Darb

  • Topic Starter
It may be too soon to say that all is clear, but the pop-ups have stopped and I don't see that Virtumonde message every 10 seconds.

And the issue with having to run the Explorer.exe as a task on startup has gone away...as everything loads by itself as it should.

Mr. Metallica...you may have done it!!!

You can see the list of Software that I run at the top of the thread...anything else you would suggest?

Thanks a TON!!!

#13
Metallica
To be on the safe side, can you check if this file is really gone?
(I think HijackThis will have removed it)
C:\WINDOWS\system32\qcyeeaqr.dll

Nothing wrong with the software you are running.
But I do think there are some things you can improve.
A good firewall that gives you more control would be my first choice.

Also have a look at my site about removing and preventing spyware.

Regards,

#14
N8Darb

  • Topic Starter
The qcyeeaqr.dll is not in my Sys32 folder, so I'm assuming that's a good thing.

Thanks for all your help on this, I hope this is the last time you hear from me.

I truly appreciate your time and advice.

#15
Metallica
My pleasure. :whistling:

Glad we could help.