
Pls help remove spyware


#1
scouter

scouter

    New Member

  • Member
  • Pip
  • 5 posts
So I've been having some problems with some malware these past couple of days, I've tried everything, I even have all of the programs listed in here and I did em all in safe mode.

So far there haven't been a lot of pop ups but I've been experiencing some crashing, every two minutes (I think exactly) my computer restarts by itself and so far it's just been today that I've had that problem. Also every time I use all these programs they seem to come back after rebooting the computer so they're never really gone. I've used spybot S&D, Ad-Aware, AVG, basically all the stuff that you guys (and my friends) recommended. And yes I've deleted the others when I used AVG so it doesn't interfere, I did everything said other than hijack and the panda active scan so here's the logs.

Hijack

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.078\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\DOCUME~1\Admin\LOCALS~1\Temp\A79.tmp
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135730694125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164897248703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants...e/iceplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Admin\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\systcl.dll
O21 - SSODL: sKcZhEY - {2C1AAD39-86B0-0793-23A2-8AC25FA3596E} - C:\WINDOWS\system32\lwepkm.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE


activescan


Incident Status Location

Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Possible Virus. Not disinfected C:\BEN\MSOCache\All Users\90840409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.questionmarket.com/]
Possible Virus. Not disinfected C:\Documents and Settings\Admin\Application Data\?ystem32\wucrtupd.exe
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Admin\Cookies\admin@questionmarket[1].txt
Possible Virus. Renamed C:\Documents and Settings\Admin\My Documents\?icrosoft\r?ndll_exe.vir
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\smitRem\Process.exe
Possible Virus. Not disinfected C:\Program Files\Silkroad\GameGuard\NPSCAN.DES
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\dpmmtjfg.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\hpqsjecq.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\igjochag.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ihwcjyli.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\ipv6monl.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lpfdllfo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nxufgkjb.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\rgnecjgb.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\tmp_x.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vqgaccsy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\whftxwmb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wtrfjqhu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xkqcnatc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xpnoacxb.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\yorsjasu.dll
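The HijackThis log in the post above is a flat list of `Rn`/`On` entries, and the volunteer reading it has to pick out the handful that matter: an autorun (`O4`) launched from a user's Temp folder, an `O16` DPF object sourced from a `.chm` in Temp, an `AppInit_DLLs` (`O20`) value pointing at a DLL in system32, and an `O21` SSODL entry whose DLL is already "(file missing)". The following triage helper is an added example written for this page; it is not part of the thread, of HijackThis, or of any of the removal tools mentioned. The rule set (`Temp`-path check, `AppInit_DLLs`, SSODL with a missing file) is my own selection of indicators drawn from what the log shows, and the sample input is a constructed excerpt of that log.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Parses the "Oxx - ..." / "Rx - ..." entry format and flags the kinds of entries a
malware-removal helper would look at first. The rules are a hand-picked, assumed
set of indicators, not an exhaustive or authoritative list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HijackThis entry starts with a section code (R0, O4, O20, ...) followed by " - ".
HJT_LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Short (8.3) and long forms of a per-user Temp directory on Windows XP.
TEMP_PATH_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)

# Sections whose payload is something that gets executed or loaded at startup.
LOAD_SECTIONS = {"O4", "O16", "O20", "O21", "O23"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt_lines(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, original_line) for each line that is an HJT entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        match = HJT_LINE_RE.match(line)
        if match:
            entries.append((match.group("section"), match.group("body"), line))
    return entries


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry deserves a look, otherwise None.

    Only the first matching rule is reported so each line yields at most one finding.
    """
    if section in LOAD_SECTIONS and TEMP_PATH_RE.search(body):
        # Legitimate software almost never registers a startup item or an ActiveX
        # source inside a user's Temp directory.
        return "startup/loaded object lives in a user Temp folder"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        # AppInit_DLLs is injected into every process that loads user32.dll; a
        # non-empty value is a classic persistence point and is rarely legitimate.
        return "AppInit_DLLs is set; DLL is injected into every GUI process"
    if section == "O21" and "(file missing)" in body:
        # A ShellServiceObjectDelayLoad entry with a missing file is leftover
        # persistence from a partially removed infection and should be cleaned up.
        return "SSODL entry points to a missing DLL (leftover persistence)"
    return None


def triage(text: str) -> List[Finding]:
    """Run the rule set over a whole log and collect the flagged entries in log order."""
    findings = []
    for section, body, line in parse_hjt_lines(text):
        reason = classify(section, body)
        if reason is not None:
            findings.append(Finding(section, reason, line))
    return findings


# Constructed excerpt of the log posted above (a benign line mixed in for contrast).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\DOCUME~1\Admin\LOCALS~1\Temp\A79.tmp
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Admin\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\systcl.dll
O21 - SSODL: sKcZhEY - {2C1AAD39-86B0-0793-23A2-8AC25FA3596E} - C:\WINDOWS\system32\lwepkm.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the excerpt, the helper flags four lines (the Temp-folder autorun, the Temp `.chm` DPF source, the `AppInit_DLLs` value and the missing SSODL DLL) and passes over the iTunes and NVIDIA entries. The point is not to replace a human review of the log but to make the entries that warrant one stand out.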


#2
scouter

scouter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Also, this might factor in somehow, but when I use safe mode I use it with networking, because when I use just safe mode it doesn't load at all and is just a blank screen. So either that could mean nothing at all or could be a reason why my computer is getting worse.

#3
scouter

scouter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I guess no help here? The computer stopped restarting by itself, but now it seems like there's a ton of pop ups now. AVG isn't coming up with anything now either.

#4
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi scouter

Welcome to GTG! :whistling:

Sorry for the delay in response. If you still need help with this, please do the following:

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan


* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

Edited by Flrman1, 02 December 2006 - 04:46 PM.


#5
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Sorry, but I just noticed that you have Hijack This in a Temp folder.

Before we can use Hijack This to fix anything, I need you to download it again. Right now you have it in a temporary folder. It will not function properly that way. Please redownload it like so:

Please do this:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

*** Before you post those logs, please run the Activescan as requested then come back here and post the new Hijack This log with it downloaded properly and the Uninstall list.

#6
scouter

scouter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here's the hijack.

Logfile of HijackThis v1.99.1
Scan saved at 3:14:45 AM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\DOCUME~1\Admin\LOCALS~1\Temp\A79.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135730694125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164897248703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants...e/iceplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Admin\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\systcl.dll
O21 - SSODL: sKcZhEY - {2C1AAD39-86B0-0793-23A2-8AC25FA3596E} - C:\WINDOWS\system32\lwepkm.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE


Here's the uninstall list.

Adobe Acrobat 6.0 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
AIM+ (remove only)
AOL Instant Messenger
AVG Anti-Spyware 7.5
Business Card Designer Plus 8.5.1.0
CCleaner (remove only)
Combined Community Codec Pack 2005-12-21 (Remove Only)
DVD Shrink 3.2
EPSON Printer Software
EPSON Scan
FoneSync
Google Earth
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
Hollywood FX 5.5 Additional Effects
Hotfix for Windows XP (KB914440)
IGN Download Manager 2.2.2
iPod for Windows 2005-06-26
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Kazaa Lite K++ v2.4.3
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Macromedia Shockwave Player
MagicTune3.6
Microsoft Office PowerPoint Viewer 2003
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (1.5.0.8)
Natural Color
Nero 7 Premium
NVIDIA Drivers
OIN
Opera 9.02
Panda ActiveScan
Pinnacle Hollywood FX for Studio
QuickTime
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB925486)
SmartSound Quicktracks Plugin
Spybot - Search & Destroy 1.4
SSH Secure Shell
Steam™
Studio 9
Studio 9 Content CD/DVD
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Ventrilo Client
Ventrilo Server
Viewpoint Manager (Remove Only)
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World of Warcraft
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar



Here's the ActiveScan.

Incident Status Location

Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Possible Virus. Not disinfected C:\BEN\MSOCache\All Users\90840409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\w8c7039g.default\cookies.txt[.adrevolver.com/]
Possible Virus. Not disinfected C:\Documents and Settings\Admin\Application Data\?ystem32\wucrtupd.exe
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Admin\Cookies\admin@atwola[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Admin\Cookies\admin@drivecleaner[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Admin\Cookies\admin@realmedia[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
Possible Virus. Renamed C:\Documents and Settings\Admin\My Documents\?icrosoft\r?ndll_exe.vir
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\smitRem\Process.exe
Possible Virus. Not disinfected C:\Program Files\Silkroad\GameGuard\NPSCAN.DES
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\VSAdd-in\VSAdd-in.dll
Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\system32\dlh9jkd1q2.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\dpmmtjfg.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\flamoksa.dll
Virus:Trj/Alanchum.MA Disinfected C:\WINDOWS\system32\google.png.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\grutblaq.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\hpqsjecq.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\igjochag.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ihwcjyli.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\ipv6monl.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\iugviuau.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lpfdllfo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nxufgkjb.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\rgnecjgb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rxipfvhg.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\tmp_x.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vqgaccsy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\whftxwmb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wtrfjqhu.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\wwkfalqq.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xkqcnatc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xpnoacxb.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\yorsjasu.dll

#7
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Go to Add/Remove programs and uninstall these:

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
OIN
Viewpoint Manager (Remove Only)



* Now go here and install the latest version of Java.


* Click here to download OiUninstaller.exe and save it to your desktop.

Click on the OiUninstaller.exe then follow the prompts from there.


* Click here to download VundoFix.exe and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#8
scouter

scouter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
There are some errors that pop up once in a while, especially right after I open Firefox. One of the errors says something like "thread in driver" or something like that. Another error is "Multiple IRP something something", sorry I can't be more specific. Another error just simply states that an error happened and doesn't tell which one.



Here's the txt of the vundo.



VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.9

Scan started at 12:16:04 AM 12/4/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.tmp
C:\WINDOWS\system32\prqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.9

Scan started at 12:25:09 AM 12/4/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqrp.dll

Beginning removal...

Performing Repairs to the registry.
Done!

#9
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
The only suggestion that I can give for Firefox is to try uninstalling then reinstalling it. I am not a Firefox user.

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan