I've just finished performing the steps from the Malware Removal Guide. It
took several days for various reasons, including the large amount of files
that were scanned. My problem is still occurring whenever I open Firefox, I
am greeted with several popups for programs such as winantivirus and the
like, telling me i have viruses ect and trying to force me into downloading
their programs. I believe this is either the cause or effect of other
problems that NortoAntiVirus and some of the scans from the guide found. The
panda software active scan found several infected dll's which i successfully
quarantined with Norton. Although Norton is still finding an 'Infostealer'
virus in riufwlyu.dll & egvohicx.dll. I didn't see these names in any scans,
so i was hoping the Hijack Scan would shed some light. Any help is much
apprieciated.
Here are my results and logs from each step:
Step 1:
AVG Anti-spyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 3:46:05 PM 1/05/2007
+ Scan result:
C:\Documents and Settings\David\Cookies\david@cpvfeed[1].txt ->
TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and
Settings\David\Cookies\[email protected][1].txt ->
TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\David\Cookies\david@hitbox[1].txt ->
TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\David\Cookies\david@mediaplex[1].txt ->
TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\David\Cookies\[email protected][2].txt ->
TrackingCookie.Reliablestats : Cleaned.
::Report end
SUPERAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/30/2007 at 02:41 AM
Application Version : 3.7.1018
Core Rules Database Version : 0
Trace Rules Database Version: 1238
Scan type : Complete Scan
Total Scan Time : 02:50:11
Memory items scanned : 501
Memory threats detected : 0
Registry items scanned : 6060
Registry threats detected : 0
File items scanned : 67212
File threats detected : 1
Adware.Tracking Cookie
C:\Documents and Settings\David\Cookies\david@mediaplex[1].txt
Step 2:
Panda Software Active scan:
Incident
Status Location
Spyware:Spyware/Virtumonde
Not disinfected C:\WINDOWS\system32\rvgddwjk.dll
Spyware:Spyware/Virtumonde
Not disinfected C:\WINDOWS\system32\opnlmkl.dll
Spyware:Cookie/Hitbox
Not disinfected C:\Documents and
Settings\David\Cookies\david@hitbox[1].txt
Spyware:Cookie/Mediaplex
Not disinfected C:\Documents and
Settings\David\Cookies\david@mediaplex[1].txt
Spyware:Cookie/Reliablestats
Not disinfected C:\Documents and
Settings\David\Cookies\[email protected][1].txt
Spyware:Cookie/Winantivirus
Not disinfected C:\Documents and
Settings\David\Cookies\david@winantispyware[2].txt
Spyware:Cookie/Winantivirus
Not disinfected C:\Documents and
Settings\David\Cookies\david@winantivirus[1].txt
Spyware:Cookie/Systemdoctor
Not disinfected C:\Documents and
Settings\David\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com
Not disinfected C:\Documents and Settings\Family\Application
Data\Mozilla\Firefox\Profiles\4xw22m51.default\cookies.txt[ad.sensismediasmar
t.com.au/]
Spyware:Spyware/Virtumonde
Not disinfected C:\WINDOWS\system32\cdsxhnot.dll
Spyware:Spyware/Virtumonde
Not disinfected C:\WINDOWS\system32\ohxsvrtl.dll
Spyware:Spyware/Virtumonde
Not disinfected C:\WINDOWS\system32\txfqltca.dll
Spyware:Spyware/Virtumonde
Not disinfected C:\WINDOWS\system32\uefsfdro.dll
Step 3:
I was unsure what to do for step three. I found it a bit unclear. I already
have SP2 installed, should I still install SP1?
Step 4:
Rebooted, problems persisted.
Step 5:
Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:30 PM, on 1/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common
Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet
1000\fwdl.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InfoData] rundll32.exe
"C:\WINDOWS\system32\ddsfeqiw.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG
Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program
Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...86/client/muweb
_site.cab?1154959441604
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT
Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation -
C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero
BackItUp\NBService.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec
Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common
Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Uninstall List:
µTorrent
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Reader 7.0.9
Apple Software Update
ArcSoft Panorama Maker 3
Audacity 1.2.6
Autodesk DWF Viewer
AVG Anti-Spyware 7.5
BlueSoleil
CoreVorbis Audio Decoder (remove only)
CUE Splitter
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec 3.1alpha release
DivX Player
DivX Pro Trial
e-tax 2006
ffdshow (remove only)
HijackThis 2.0.0
Hotfix for Windows XP (KB929120)
hp LaserJet 1000
Huffyuv AVI lossless video codec (Remove Only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Lemmings for Windows 95
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Media Tagger v1.3.5
Microsoft .NET Framework 2.0
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Office Web Components
Microsoft Publisher 98
Microsoft Works 4.5
Morgan Stream Switcher
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MYOB Accounting Plus v15
Nero 7 Demo
Nikon Message Center
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
Norton Internet Security
Nvu 1.0
Panda ActiveScan
PictureProject
PokerRoom.com (remove only)
QuickTime
Quincy 2005 v. 1
Recovery for Works
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SoulSeek Client 156c
SSH Secure Shell
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
USB Mass Storage Toolbox
Winamp (remove only)
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XBT Client 0.7.3
XviD MPEG-4 Video Codec
Thats it i think, let me know if iv'e done something wrong or if I need to
do more. Thanks for you time and I hope you can help.