Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

MSN Virus, wont let me do a HJT scan [Resolved]


  • This topic is locked This topic is locked

#1
lyonsb

lyonsb

    Member

  • Member
  • PipPip
  • 20 posts
Hi, please help me. I was on msn messenger earlier, and one of my contacts sent me a link, it looked something like:

emo...(and the website looked like a profile page, with my msn account address at the end of the link)

this virus will not let me open MSConfig, it opens and closes within about 5 seconds, it will not let me open Internet Explorer (im currently using Firefox). It also wont let me run HJT. When I open the program, it runs for about 5 seconds, then the desktop disappears, and then comes back within about 10seconds with HJT closed.

I have, however, run AVG Anti-virus, and it removed 2 suspicious files, these were:

jkkjh.dll.bad (it was found in: C:\VundoFix Backups\jkkjh.dll.bad
drvpuz.dll (it was found in: C:\!KillBox\drvpuz.dll

Inadditon to this, my Zonealarm pro opens, but then closes with a critical error.

Please help me, because I also cannot restore my computer, when I do so, it only restores the factory programs, it does NOT remove the added documents, files and programs like it used to.

Thankyou in advance

Bradley

EDIT: I just did an AVG virus scan in safe mode, and it came up with the following:

dgccpwmd.dll (found in: C:\!KillBox\dgccpwmd.dll)
kwexuxfg.dll (found in same place as above^)
laucgndu.dll (same place as above^)

it also said it found Trojan Horse PSW.Generic2.RFG

Thanks

Edited by lyonsb, 07 February 2007 - 03:58 PM.

  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello lyonsb

Welcome back to G2Go. :whistling:
My name is Kahdah and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers,so there may be a delay between posts.

I will be back with you as soon as possible.
  • 0

#3
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Welcome back lyonsb :whistling:

These files:

jkkjh.dll.bad (it was found in: C:\VundoFix Backups\jkkjh.dll.bad
drvpuz.dll (it was found in: C:\!KillBox\drvpuz.dll
dgccpwmd.dll (found in: C:\!KillBox\dgccpwmd.dll)
kwexuxfg.dll (found in same place as above^)
laucgndu.dll (same place as above^)

are leftovers that I asked you to remove last time.Killbox I had you download to rid your computer of these infections.
VundoFix backups is the folder that contains Deleted Vundo files.

Since Hijackthis will not run we will have to try a different scan.

Download WinPFind2.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click on the Services tab.
  • From the two drop down boxes next to Filter list:, on the left one choose List all type of services and on the right one choose List all services.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.
Please post back with the WinPFind2 log.
  • 0

#4
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi kahdah, glad your here to help me out again :whistling:. i ran the winpfind2 program, but it hung on 'scanning registry' for about 45mins, and wouldnt move on...


EDIT: When i try and open windows media player now, it also comes up with the following error: (see screenshot attached)

Attached Files


Edited by lyonsb, 08 February 2007 - 05:16 AM.

  • 0

#5
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
sorry, not to worry, i found a fix on a website, so I entered: c:\windows\inf\unregmp2.exe /UpdateWMP into run and it seems to have fixed it... not sure what caused the confusion with the version number though
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello lyonsb :whistling:

Lets try this then:
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Please post back with the Silent Runners log.
  • 0

#7
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
At last, it let me run something :whistling:, the result is posted below, thanks:


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"winlogon" = "(empty string)" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"(Default)" = "OZOZ***" (unwritable string) [file not found]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]
"TGX2_VFD" = ""C:\WINDOWS\system32\TGVFDMsgservice.exe"" ["Trigem"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"workflow" = "E:\installs\workflow.exe" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"winlogon" = "*b" (unwritable string) [file not found]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Nfo" = "C:\WINDOWS\system32\nfomon\nfomon.exe" [null data]
"vidmon" = "C:\WINDOWS\system32\vidmon\vidmon.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Bar888"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{389E9~1\Bar888.dll" [null data]
{E1412445-4FF8-410e-8D24-F2CF86B171A4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PEDEV_IEListener Class"
\InProcServer32\(Default) = "C:\Program Files\PeDevice\PeDev.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{721A1B24-EC8B-4eda-9CCE-39720B9FA747}" = "WipeExt"
-> {HKLM...CLSID} = "WipeExt"
\InProcServer32\(Default) = "C:\Program Files\Ace Utilities\wipext.dll" [null data]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {HKLM...CLSID} = "Logitech Gallery"
\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "load" = "C:\WINDOWS\system32\vlvnxpz\winlogon.exe" [null data]
<<!>> "run" = "C:\WINDOWS\system32\vlvnxpz\winlogon.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WipeExt\(Default) = "{721A1B24-EC8B-4eda-9CCE-39720B9FA747}"
-> {HKLM...CLSID} = "WipeExt"
\InProcServer32\(Default) = "C:\Program Files\Ace Utilities\wipext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WipeExt\(Default) = "{721A1B24-EC8B-4eda-9CCE-39720B9FA747}"
-> {HKLM...CLSID} = "WipeExt"
\InProcServer32\(Default) = "C:\Program Files\Ace Utilities\wipext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_SZ) 1
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

"NoAdminPage" = (REG_SZ) 1
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Bradley\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Bradley" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Bradley\Start Menu\Programs\Startup
"winlogon" -> shortcut to: "" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"CPRun" -> shortcut to: "C:\Freeline\CPRun.exe Connected Planet.exe" ["Dixons Group PLC"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{C1B4DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)
-> {HKLM...CLSID} = "Bar888"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{389E9~1\Bar888.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 62 domain names to IP addresses,
61 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
SmartLinkService, SLService, "slserv.exe" [" "]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP450\Driver = "CNMLM7I.DLL" ["CANON INC."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 94 seconds.
---------- (total run time: 145 seconds)
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Lyonsb :whistling:

Please Download MsnVirRem.exe to your desktop from one of the following mirrors.
  • First close any other programs you have running as this will require a reboot
  • Double click MsnVirRem.exe to run it
  • Once open, click the button labelled "Search and Destroy"
    <<Your computer will now be scanned for Infected Files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
  • A Message should popup from MsnVirRem if not, double click the program again and it will finish
Please Post the contents of C:\msnvirrem.log and (if possible) a new Hijackthis log.
  • 0

#9
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi, another problem, when I try to open the MSNvirusremover, it again, opens for about 5seconds, then closes itself. In that 5seconds I had time to click 'search and destroy', but the program closed and nothing happened :whistling:

I tried to then open HJT, but it kept closing, and desktop going etc. as explained in one of my first posts, but I kept trying to open it long enough to do even a short scan before it closed, and all I got was what is below.

I also had trouble trying to copy and paste from the notepad doc. that also kept closing after about 5secs, but I managed to copy all that was there.

Thanks, Brad
__________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 20:50:52, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bradley\Desktop\hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\vlvnxpz\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\vlvnxpz\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [TGX2_VFD] "C:\WINDOWS\system32\TGVFDMsgservice.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [workflow] E:\installs\workflow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: CPRun.lnk = C:\Freeline\CPRun.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#10
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi, I also tried the msnvirrem in safe mode, it said it found the infection, it rebooted, and the log file is below, however, i still cannot open HJT

MsnVirRem Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to msnvirremOLD.log

Fix running from: C:\Documents and Settings\Bradley\Desktop
10/02/2007
14:17:59

---Infection Files Found---
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\netstat.com

Rebooting...
Fixing Registry Permissions...
Editing Registry...
Fixing Host File...
**Fix Complete!**
  • 0

Advertisements


#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello lyonsb :whistling:

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop.
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Now double-click fix.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.


After that please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@Echo off
attrib -s -r -h "C:\WINDOWS\system32\vlvnxpz*.*"
rd /q /s "C:\WINDOWS\system32\vlvnxpz"
quit
double click on fixthis.bat.
A window will open and close this is normal.

**Reboot**

After that please try moving and renaming Hijackthis.
To do this:
Go to Start"
Double click on "My Computer"
Then navigate to Program Files"
Right click on an empty space and select "New Folder" name it Hjt.
After that go to your desktop hjt icon and click "Copy"then "Cut
Go to the newly created folder named Hjt and click "Paste".

Rename hijackthis.
To do this:
Right click on hjt.exe and click rename.
Please rename it to Fix.exe
It is inside the folder you just created.(C:Program Files\Hijackthis\hjt.exe)

See if you can now post a Hijackthis log.
  • 0

#12
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi, the registration entry came up with an error when i tried to open it, a screenshot of the error is attached.

The .bat file ran normally, and i rebooted.

I copy,cut and pasted the hjt.exe file to a new folder, in the location you specified, and renamed it, but again, the scan only ran for around 5 seconds, then the program shut, also, when i tried to open the log of the short scan that HJT did, it too, closed after 5 seconds, however, any other notepad file opens normally :whistling:

Also, the first screenshot attached is from when i tried to install Windows Defender anti-spyware. I found steps to resolve this, but it required me to entry registry editor, and again, this would not open, only for a matter of seconds, then close :blink:

Thanks

Brad

Attached Files


  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Lyonsb

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
After that please try the regfix again.
Directions:
Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop.
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Now double-click fix.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.

After that please post back with these logs :
*Dr.Web cure it log
*Results if the reg fix went well
*If possible a Hijackthis log.

  • 0

#14
lyonsb

lyonsb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
update.exe;c:\program files\common files\{189e94e9-0d3f-1033-0107-05050129002c};Trojan.DownLoader.18428;Will be cured after reboot.;
nfomon.exe;c:\windows\system32\nfomon;Adware.Delfin;;
svchosts.exe;c:\windows\system32;Trojan.DownLoader.18142;Deleted.;
vidmon.exe;c:\windows\system32\vidmon;Trojan.DownLoader.2073;Deleted.;
services.exe;c:\windows\system32\vlvnxpz;Win32.HLLW.Pytica;Will be cured after reboot.;
aafolpbm.exe;C:\!KillBox;Adware.TopSearch;;
bbllnrqq.exe;C:\!KillBox;Adware.TopSearch;;
bpchwhnf.exe;C:\!KillBox;Adware.TopSearch;;
brnlnkhh.exe;C:\!KillBox;Adware.TopSearch;;
clc_my.exe;C:\!KillBox;Probably MULDROP.Trojan;;
ejurwvuw.exe;C:\!KillBox;Adware.TopSearch;;
gcqxlanb.exe;C:\!KillBox;Adware.TopSearch;;
hpcmibca.exe;C:\!KillBox;Adware.TopSearch;;
hswklsdy.exe;C:\!KillBox;Adware.TopSearch;;
iigthkrs.exe;C:\!KillBox;Adware.TopSearch;;
kqbyciqe.exe;C:\!KillBox;Adware.TopSearch;;
lujatfha.exe;C:\!KillBox;Adware.TopSearch;;
mbjpeeud.exe;C:\!KillBox;Adware.TopSearch;;
mnbknmau.exe;C:\!KillBox;Adware.TopSearch;;
mwddgqvf.exe;C:\!KillBox;Adware.TopSearch;;
neacpcwg.exe;C:\!KillBox;Adware.TopSearch;;
prgvogeq.exe;C:\!KillBox;Adware.TopSearch;;
qjmgqhju.exe;C:\!KillBox;Adware.TopSearch;;
qstuyept.exe;C:\!KillBox;Adware.TopSearch;;
riwjqpsd.exe;C:\!KillBox;Adware.TopSearch;;
wosswqff.exe;C:\!KillBox;Adware.TopSearch;;
wqahyauv.exe;C:\!KillBox;Adware.TopSearch;;
xmysmlgy.exe;C:\!KillBox;Adware.TopSearch;;
Silent Runners.vbs;C:\Documents and Settings\Bradley\Desktop;Probably BATCH.Virus;;
LFS.exe;C:\Documents and Settings\Bradley\Desktop\LFS_S2_ALPHA_U;Probably DLOADER.Trojan;;
RemoveWebDP.exe;C:\Program Files\Common Files\Uninstall Information;Adware.Delfin;;
system.dll;C:\Program Files\Common Files\{189E94E9-0D3F-1033-0107-05050129002c};Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\Program Files\Common Files\{189E94E9-0D3F-1033-0107-05050129002c};Trojan.DownLoader.18428;Deleted.;
Process.exe;C:\Program Files\Roguescanfix;Tool.Prockill;;
VSAdd-in.dll;C:\Program Files\VSAdd-in;Adware.TopSearch;;
system.dll;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc3;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc3;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc4;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc4;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc5;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc5;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc6;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc6;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc7;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc7;Trojan.DownLoader.18428;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-828683821-3936211242-4230619298-1006\Dc1;Trojan.DownLoader.17799;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-21-828683821-3936211242-4230619298-1006\Dc1;Trojan.DownLoader.18428;Deleted.;
nfo.ocx;C:\WINDOWS\system32\nfomon;Adware.Delfin;;
nfom.dll;C:\WINDOWS\system32\nfomon;Adware.Delfin;;
nfomon.exe;C:\WINDOWS\system32\nfomon;Adware.Delfin;;
services.exe;C:\WINDOWS\system32\vlvnxpz;Win32.HLLW.Pytica;Deleted.;

_________________________________________________________________________________

Success! The HJT worked after performing the scan, it is shown below: :blink:
_________________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 00:21:46, on 11/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\Fix.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{389E9~1\Bar888.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{389E9~1\Bar888.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [TGX2_VFD] "C:\WINDOWS\system32\TGVFDMsgservice.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [workflow] E:\installs\workflow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: services.lnk = ?
O4 - Global Startup: CPRun.lnk = C:\Freeline\CPRun.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


_________________________________________________________________________________

Unfortunately, the fix.reg did not work :whistling:

Thanks

Brad

Edited by lyonsb, 10 February 2007 - 06:23 PM.

  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello lyonsb :whistling:

Download win32delfkil.exe.
Save it on your desktop.

After that download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".<<<***VERY IMPORTANT***
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.


Download the HostsXpert 3.7 - Hosts File Manager Here
Please do not use program yet
Unzip HostsXpert 3.7 - Hosts File Manager to your desktop.

After that please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu

After that please re-open Hjthis and hit scan only.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{389E9~1\Bar888.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{389E9~1\Bar888.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)


Now close Hjt.
==================
Run Windelfkill
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c\windelf.txt along with the other logs next time you post.
=========================
After that [*]reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
Choose your usual account.

Please go to the Control Panel > Add/Remove Programs and remove the following :
PeDevice
Close Control Panel.

I will need you to show your hidden files and folders.
To do this:*Click Start.
*Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View Tab.
*Under the Hidden files and folders heading select Show hidden files and folders.
*Uncheck the Hide protected operating system files (recommended) option.
*Click Yes to confirm.
*Click OK
Then using Windows Explorer (to get there Right click on Start and click Explore)
Locate and delete these files\folders:
C:\Program Files\Common Files\{389E9 <<Note this folder will begin with these numbers
C:\Program Files\PeDevice
C:\WINDOWS\system32\nfomon
C:\Documents and Settings\Bradley\Desktop\LFS.exe
C:\Program Files\VSAdd-in
C:\WINDOWS\system32\nfom.dll
C:\WINDOWS\system32\nfo.ocx
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe

Close Windows Explorer.

Next Run AVG-Anti-Spyware:

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Run Hosts Expert:
Open up the HostsXpert 3.7 - Hosts File Manager program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore orginal host files
  • close program
After that please re-hide your hidden folders\files.*Click Start.
*Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View Tab.
*Under the Hidden files and folders heading select Do not Show hidden files and folders.
*Check the Hide protected operating system files (recommended) option.
*Click Yes to confirm.
*Click OK
Please reboot and go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


Please post back with these logs:
*AVG Anti-spyware log
*Windelfkill log
*Panda Active Scan log
*New Hijackthis log

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP