Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan horse dropper.generic.dzd

Started by jstnorv , May 14 2007 07:48 PM

  • Please log in to reply

#1
jstnorv
Posted 14 May 2007 - 07:48 PM

jstnorv

    New Member

  • Member
  • Pip
  • 9 posts
Trying to remove virus. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:53 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\dsrss.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\vjwuoqbi.dll",realset
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [programdale] C:\DOCUME~1\Javier\APPLIC~1\JUGSME~1\Rule Amok Chin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

Advertisements

#2
Kenny94
Posted 15 May 2007 - 08:59 AM

Kenny94

    Member 1K

  • Member
  • PipPipPipPip
  • 1,595 posts
Hello jstnorv and Welcome to Geeks To Go!

It is likely that you have a variant of the Vundo trojan that hides itself from HijackThis.exe so if we rename HijackThis, the entries should become visible.

Go to the C:\Program Files\HijackThis folder. Right click on the HijackThis.exe file and select "Rename". Rename it geek.exe.

Then run HijackThis again and post a new log please.


I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List
* HijackThis log (new)
  • 0

#3
jstnorv
Posted 15 May 2007 - 04:48 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here's the logfile of the scan using geek.exe for Highjackthis.exe:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:56 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dfodoxyh.dll",realset
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [programdale] C:\DOCUME~1\Javier\APPLIC~1\JUGSME~1\Rule Amok Chin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



but when I did this:

To get an Uninstall List from HijackThis:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

the program closed without that uninstall_list.txt file being generated. I ran a file search after the fact and didn't find anything wuth that name. Thanks for your help.
  • 0

#4
Kenny94
Posted 15 May 2007 - 08:37 PM

Kenny94

    Member 1K

  • Member
  • PipPipPipPip
  • 1,595 posts
Hello jstnorv

"the program closed without that uninstall_list.txt file being generated. I ran a file search after the fact and didn't find anything wuth that name."

Where did you save it at? Maybe in "My Documents" run it again and save it to your Desktop.

Your computer has several infections. Lets deal with two for now.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later. (Or click the Options drop down near the upper right of the topic. Select Print this topic.)



Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Next
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


In your next reply, please include these log(s):

* HijackThis Uninstall List
* vundofix.txt
* Report.txt (SDFix)
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Edited by Kenny94, 15 May 2007 - 08:38 PM.

  • 0

#5
jstnorv
Posted 16 May 2007 - 08:02 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hey Kenny94 thanks for all your help.
I was not able to save the highjack this uninstall log until after I ran the VundoFix and SDFix.
HighJackThis Uninstall_List:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
Ahead Nero Burning ROM
AOL Instant Messenger
AVG 7.5
Belltech Label Maker Pro 2.1.2
Broadcom 802.11 Wireless LAN Adapter
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Gamevance
Google Toolbar for Firefox
Gran Paradiso (3.0a1)
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Product Detection
HP Wireless Assistant 1.01 C1
iDump Build: 22
J2SE Runtime Environment 5.0 Update 3
Job Designer
LimeWire 4.12.11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.3)
MP3 Player Utilities
Panda ActiveScan
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SoundMAX
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
URGE
Viewpoint Media Player
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

VundoFix.txt:


VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 9:17:08 PM 5/16/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\bhxdoxoo.dll
C:\WINDOWS\system32\bxehbwrx.ini
C:\WINDOWS\system32\cchvvhwf.dll
C:\WINDOWS\system32\crcyxbni.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\dfodoxyh.dll
C:\WINDOWS\system32\fbuaihti.dll
C:\WINDOWS\system32\fqnrggug.dll
C:\WINDOWS\system32\fsrytgll.dll
C:\WINDOWS\system32\fwhvvhcc.ini
C:\WINDOWS\system32\fxxcutra.dll
C:\WINDOWS\system32\hyxodofd.ini
C:\WINDOWS\system32\ibqouwjv.ini
C:\WINDOWS\system32\icmjnsum.dll
C:\WINDOWS\system32\ijmsqwrv.dll
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lvytupck.dll
C:\WINDOWS\system32\musnjmci.ini
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\pstwa.tmp
C:\WINDOWS\system32\qiktvhlo.dll
C:\WINDOWS\system32\qqjgtkcr.dll
C:\WINDOWS\system32\rqrrppo.dll
C:\WINDOWS\system32\ruslgdew.dll
C:\WINDOWS\system32\tknermff.dll
C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\system32\twoifxgl.dll
C:\WINDOWS\system32\vcjtqstf.dll
C:\WINDOWS\system32\vjgtosku.dll
C:\WINDOWS\system32\vjwuoqbi.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\vwnsnkxn.dll
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\xrwbhexb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awtsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bhxdoxoo.dll
C:\WINDOWS\system32\bhxdoxoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bxehbwrx.ini
C:\WINDOWS\system32\bxehbwrx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cchvvhwf.dll
C:\WINDOWS\system32\cchvvhwf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\crcyxbni.dll
C:\WINDOWS\system32\crcyxbni.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfodoxyh.dll
C:\WINDOWS\system32\dfodoxyh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fbuaihti.dll
C:\WINDOWS\system32\fbuaihti.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fqnrggug.dll
C:\WINDOWS\system32\fqnrggug.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fsrytgll.dll
C:\WINDOWS\system32\fsrytgll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fwhvvhcc.ini
C:\WINDOWS\system32\fwhvvhcc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fxxcutra.dll
C:\WINDOWS\system32\fxxcutra.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hyxodofd.ini
C:\WINDOWS\system32\hyxodofd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ibqouwjv.ini
C:\WINDOWS\system32\ibqouwjv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\icmjnsum.dll
C:\WINDOWS\system32\icmjnsum.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\musnjmci.ini
C:\WINDOWS\system32\musnjmci.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\pmnnl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\pstwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pstwa.tmp
C:\WINDOWS\system32\pstwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\qiktvhlo.dll
C:\WINDOWS\system32\qiktvhlo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqjgtkcr.dll
C:\WINDOWS\system32\qqjgtkcr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrppo.dll
C:\WINDOWS\system32\rqrrppo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ruslgdew.dll
C:\WINDOWS\system32\ruslgdew.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tknermff.dll
C:\WINDOWS\system32\tknermff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\twoifxgl.dll
C:\WINDOWS\system32\twoifxgl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vcjtqstf.dll
C:\WINDOWS\system32\vcjtqstf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vjgtosku.dll
C:\WINDOWS\system32\vjgtosku.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vjwuoqbi.dll
C:\WINDOWS\system32\vjwuoqbi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\vturo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vwnsnkxn.dll
C:\WINDOWS\system32\vwnsnkxn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xrwbhexb.dll
C:\WINDOWS\system32\xrwbhexb.dll Has been deleted!

Performing Repairs to the registry.
Done!


SDFix.txt:


SDFix: Version 1.84

Run by Javier - Wed 05/16/2007 - 21:35:58.21

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

ImagePath:
"" -e mc-110-12-0000140

Client IP-IPX - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\ieserver.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-

22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-

22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB

RIDAZ.com\AlbumArtSmall.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB

RIDAZ.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Large.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB

RIDAZ.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Small.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\desktop.ini
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\Folder.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB

RIDAZ\Nbridaz.com\AlbumArtSmall.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB

RIDAZ\Nbridaz.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Large.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB

RIDAZ\Nbridaz.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Small.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\desktop.ini
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\Folder.jpg
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished

New HighJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:10 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f6c0976-558f-4438-b628-e354fbc94868} - C:\WINDOWS\system32\logact.dll (file missing)
O2 - BHO: (no name) - {239557B7-69AA-440B-87AB-8747A89E0780} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: (no name) - {3950E7FE-6030-445E-B42A-D7AEC120A23C} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\efqjitak.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C55F845A-0479-4FC2-840F-C5C502B6234b} - C:\WINDOWS\system32\iayoteqj.dll
O2 - BHO: (no name) - {EB785602-670B-4C6A-9BDE-569EB49E5DEC} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [programdale] C:\DOCUME~1\Javier\APPLIC~1\JUGSME~1\Rule Amok Chin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: logact - logact.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Also, as far as the computer goes there have definitely been improvements. I was getting a lot of internet explorer windows that would randomly pop up and AVG kept encoutering the virus and made it very difficult to use the computer. I haven't seen an IE window that I didn't want or AVG since I have begun to take your advice. I am going to run AVG, Spybot and AdAware after I send this post. Previously all three found signifigant numbers of problems every time I ran them. Thanks again for all your help
  • 0

#6
jstnorv
Posted 16 May 2007 - 10:46 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
After my last post I ran AVG and it found nothing. I then downloaded and ran SuperAntiSpyware and while that was running AVG started popping up with several versions of Traojan horse including the title of this post among others. SuperAntiSpyware came up with 192 problems. I then ran Spybot which came up with 32 problems and then AdAware which came up with 5. I followed by following the steps originally given to me.
New HighJack This Uninstall file:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
Ahead Nero Burning ROM
AOL Instant Messenger
AVG 7.5
Belltech Label Maker Pro 2.1.2
Broadcom 802.11 Wireless LAN Adapter
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Gamevance
Google Toolbar for Firefox
Gran Paradiso (3.0a1)
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Product Detection
HP Wireless Assistant 1.01 C1
iDump Build: 22
J2SE Runtime Environment 5.0 Update 3
Java™ SE Runtime Environment 6 Update 1
Job Designer
LimeWire 4.12.11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.3)
MP3 Player Utilities
Panda ActiveScan
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SoundMAX
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
URGE
Viewpoint Media Player
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

When I ran VundoFix it didn't find any files and therefore did not create a new file.

New SDFix:


SDFix: Version 1.84

Run by Javier - Thu 05/17/2007 - 0:29:19.67

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\AlbumArtSmall.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Large.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Small.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\desktop.ini
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\NB RIDAZ.com\Folder.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\AlbumArtSmall.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Large.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\AlbumArt_{B3F2245D-AF2E-45B9-98FF-FD41FE84BCBC}_Small.jpg
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\desktop.ini
C:\Documents and Settings\Javier\My Documents\My Music\NB RIDAZ\Nbridaz.com\Folder.jpg
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished

New HighJackThis Log File:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:05 AM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f6c0976-558f-4438-b628-e354fbc94868} - C:\WINDOWS\system32\logact.dll (file missing)
O2 - BHO: (no name) - {3950E7FE-6030-445E-B42A-D7AEC120A23C} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\efqjitak.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [programdale] C:\DOCUME~1\Javier\APPLIC~1\JUGSME~1\Rule Amok Chin.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: logact - logact.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks again
  • 0

#7
Kenny94
Posted 17 May 2007 - 05:23 AM

Kenny94

    Member 1K

  • Member
  • PipPipPipPip
  • 1,595 posts
Hello jstnorv

I see you have been busy. I still see a sign of a lop infection in your log, and a few other things.


Please read "ALL" of the instructions before proceeding:


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.(if present):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1f6c0976-558f-4438-b628-e354fbc94868} - C:\WINDOWS\system32\logact.dll (file missing)
O2 - BHO: (no name) - {3950E7FE-6030-445E-B42A-D7AEC120A23C} - \
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\efqjitak.dll
O4 - HKCU\..\Run: [programdale] C:\DOCUME~1\Javier\APPLIC~1\JUGSME~1\Rule Amok Chin.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.


Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

You will need to enable hidden files and folders by doing the following:
Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

You should remove LimeWire. P2P (peer-to-peer) using P2P software is very risky, because it makes you very susceptible to infection, attack, exposure of personal or company information. But this is up to you to remove LimeWire.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Go to Start > Control Panel > Add/Remove Programs.

J2SE Runtime Environment 5.0 Update 3
LimeWire 4.12.11
Viewpoint Media Player


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Folders (if present):
C:\Documents\Javier\Application\JUGSME~1\Rule Amok


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files (if present):
C:\WINDOWS\system32\efqjitak.dll

Reboot back to normal Windows.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.




Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


In your next reply, please include these log(s):

* ActiveScan report
* HijackThis log (new)
  • 0

#8
jstnorv
Posted 17 May 2007 - 06:41 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ActiveScan report:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Javier\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/WinAntivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
Adware:Adware/888Bar Not disinfected C:\Program Files\Common Files\{38A2581B-07CB-1033-0602-051222200001}\UnInstall.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\bhxdoxoo.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\crcyxbni.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\dfodoxyh.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\fbuaihti.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\fsrytgll.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\icmjnsum.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qiktvhlo.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qqjgtkcr.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ruslgdew.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\tknermff.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\twoifxgl.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vjwuoqbi.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xrwbhexb.dll.bad
Adware:Adware/DeluxeComunications Not disinfected C:\WINDOWS\system32\bund1\ClientBundle1.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\system32\bund1\mac.exe[109uninst.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\system32\bund1\mac.exe[TagASaurus.exe]
Adware:Adware/Henbang Not disinfected C:\WINDOWS\system32\bwxtuvmd.dll
Adware:Adware/Henbang Not disinfected C:\WINDOWS\system32\gfneylgd.dll
Adware:Adware/Henbang Not disinfected C:\WINDOWS\system32\ntyividn.dll
Adware:Adware/Henbang Not disinfected C:\WINDOWS\system32\ohbbxenj.dll
Adware:Adware/Henbang Not disinfected C:\WINDOWS\system32\pnvftllf.dll




HijackThis log (new):

Logfile of HijackThis v1.99.1
Scan saved at 8:40:01 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: logact - logact.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks
  • 0

#9
jstnorv
Posted 17 May 2007 - 06:41 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I'll run AVG etc. again and see what I find there.

Edited by jstnorv, 17 May 2007 - 06:45 PM.

  • 0

#10
Kenny94
Posted 18 May 2007 - 05:04 AM

Kenny94

    Member 1K

  • Member
  • PipPipPipPip
  • 1,595 posts
Hello jstnorv

Smile we are getting closer. Good job you done there :whistling:


Please read "ALL" of the instructions before proceeding:


First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly


Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Folders (if present):

C:\Program Files\Common Files\Companion Wizard
C:\Program Files\Common Files\{38A2581B-07CB-1033-0602-051222200001}
C:\WINDOWS\system32\bund1


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files (if present):

C:\WINDOWS\system32\bwxtuvmd.dll
C:\WINDOWS\system32\gfneylgd.dll
C:\WINDOWS\system32\ntyividn.dll
C:\WINDOWS\system32\ohbbxenj.dll
C:\WINDOWS\system32\pnvftllf.dll

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning proccess:
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important)
  • Close AVG AntiSpyware and reboot your system back into Normal Mode.


In your next reply, please include these log(s):

* AVG Anti-Spyware contents
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
  • 0

#11
jstnorv
Posted 18 May 2007 - 07:36 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
When I ran the AVG AntiSpyware it found close to 5,000 objects. I tried to post it but apparently it is too long for one single post so I'll post highjackthis first and the try to post the AVG over several posts.

HighJack This:

Logfile of HijackThis v1.99.1
Scan saved at 9:35:32 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: logact - logact.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by jstnorv, 18 May 2007 - 08:01 PM.

  • 0

#12
jstnorv
Posted 18 May 2007 - 08:18 PM

jstnorv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
On the AVG log I noticed that the vast majority of the entries are almost exactly the same thing just a 1 digit difference so I decided to post an abbrieviated version of the log. I am hoping that will be adequate.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:19:11 PM 5/18/2007

+ Scan result:



C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP23\A0003598.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP71\A0025026.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018632.dll -> Adware.Bar888 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP66\A0024417.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP20\A0003414.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP23\A0003651.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP71\A0025025.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP26\A0004804.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP55\A0016903.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP55\A0016904.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
HKU\S-1-5-21-1645522239-484061587-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019921.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019916.exe -> Backdoor.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\app.exe -> Downloader.Agent.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018624.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018649.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018617.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018631.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\zikk\zikkd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018630.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018625.exe -> Downloader.VB.afp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019890.exe -> Downloader.VB.afp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018640.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP55\A0013425.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP55\A0013426.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).

____________________________________________________________________________________________________________________________________________________________________________________________________________

The next 4,000 to 5,000 entries are the same as the one above and the one below except for the last part (\A001****.exe)
They are not completely consecutive but it's pretty close.


____________________________________________________________________________________________________________________________________________________________________________________________________________



C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018637.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018623.exe -> Logger.Sters.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018647.dll -> Logger.Sters.ap : Cleaned with backup (quarantined).
C:\Documents and Settings\Javier\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Javier\Cookies\javier@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Javier\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Javier\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Javier\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Javier\Cookies\javier@idot[1].txt -> TrackingCookie.Idot : Cleaned.
C:\Documents and Settings\Javier\Cookies\javier@navrcholu[2].txt -> TrackingCookie.Navrcholu : Cleaned.
C:\Documents and Settings\Javier\Cookies\javier@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Javier\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Javier\Cookies\javier@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Javier\Cookies\javier@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018639.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018653.dll -> Trojan.Baws.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019897.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019895.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019896.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019898.dll -> Trojan.Juan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018638.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018642.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP66\A0024409.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP66\A0024410.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP55\A0016901.dll -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP55\A0016902.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018636.dll -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019919.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP58\A0019920.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP66\A0024414.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018641.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP68\A0024672.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018635.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67A8485E-405A-4DBE-B85D-09EFFEB0A91E}\RP56\A0018634.exe -> Worm.VB.dw : Cleaned with backup (quarantined).


::Report end
  • 0

#13
Kenny94
Posted 19 May 2007 - 05:45 AM

Kenny94

    Member 1K

  • Member
  • PipPipPipPip
  • 1,595 posts
Hello jstnorv

On the AVG log I noticed that the vast majority of the entries are almost exactly the same thing

There in your system restore points. We'll fush them out.. :whistling:


Run HijackThis, click on "Scan" and check the boxes next to this items.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Congratulations, your log looks clean! :blink:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop

Rehide your system Folders/Files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading SELECT Show hidden files and folders.
CHECK the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Some final items:

Important, we need to flush out all System Restore points.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP