Popups (Outerinfo.com and Bonus.com) and page rerouting [RESOLVED] - Geeks to Go Forums


I get pop-ups for the mentioned sites that ask me to download antiviru

#1 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 15 May 2007 - 11:37 PM

In addition to the pop-ups and the webpage rerouting my system is running very slowly. I think this is because it is trying to carry out my task and also to open the unwanted material.

I have run ATF Cleaner, created a system restore point and deleted any old ones. I have run AVG Anti-Spyware, Adaware SE Personal, and Spybot Search & Destroy. I also carried out the Online Panda ActiveScan; these are the results from this scan:

Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@atwola[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@errorsafe[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@winantivirus[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@www.errorsafe[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\James Gibson\Cookies\james gibson@zedo[2].txt
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Documents and Settings\James Gibson\Local Settings\Temporary Internet Files\Content.IE5\69KBITOJ\installdrivecleanerstart[1].exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\James Gibson\Local Settings\Temporary Internet Files\Content.IE5\MBO9KH65\ErrorSafeFreeInstallW[1].cab[UERS_9999_N91S1502NetInstaller.exe]
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\support.com\temp\ComcastToolbar.exe[ēÜĮ\nsProcess.dll]


I tried to download and install the Windows Update SP1a but the website just continually searches for the components I need and will not actually download anything. I rebooted but still experience the problem.

Lastly I have run hijackthis and this is the HiJackThis report information:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:09 AM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James Gibson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram1c.vcu.edu/iNotes6W.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/018f9b75d95d96...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179279019718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - AppInit_DLLs:
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\smrss.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Thanks for any help you can provide me.

#2 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 15 May 2007 - 11:54 PM

You don't need SP1a as you are already updated to SP2. Do this for me:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#3 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 16 May 2007 - 10:56 AM

I tried to run the Combofix but the program will not proceed after I type 1 to accept the terms of use.

I have a couple of things to add though. My antivirus program reported that it found a Trojan.Vundo problem on my system. Also, I can no longer restart my computer. It freezes all the time and I have to turn it off with the power button. Even before it freezes the "Restart" and "Turn Off" options do not work. Let me know if you need anything else.

#4 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 16 May 2007 - 03:38 PM

Do this for me. Click here to download FindAWF.exe and save it to your desktop.

http://noahdfear.gee...com/FindAWF.exe

* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
* It may take a few minutes to complete so be patient.
* When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
* Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#5 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 16 May 2007 - 11:52 PM

My antivirus reported a new trojan to me tonight. It flagged a Trojan.Duntec in addition to the other one I mentioned in the previous post.

This is the AWF Report you asked for.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT2K\BAK

2003-10-07 23:40 159,744 Apoint.exe
1 File(s) 159,744 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

2006-09-12 01:58 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

2006-09-01 15:57 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

2005-01-31 20:20 120,640 VPTray.exe
1 File(s) 120,640 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

2006-04-03 18:12 777,424 MSASCui.exe
1 File(s) 777,424 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2004-08-04 03:56 15,360 ctfmon.exe
2003-05-22 22:55 483,328 hphmon05.exe
2 File(s) 498,688 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2004-12-10 19:02 67,184 ccApp.exe
1 File(s) 67,184 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

2003-08-04 18:28 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

2003-12-22 09:38 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSHAR~1\BAK

2002-04-17 13:42 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

2004-01-13 12:21 245,760 EabServr.exe
1 File(s) 245,760 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

2006-05-19 10:27 1,757,184 tgcmd.exe
1 File(s) 1,757,184 bytes

Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK

2004-11-11 00:15 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2005-01-31 22:17 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

2003-08-19 04:01 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\UNLOAD\BAK

2002-10-07 03:23 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2006-07-26 03:03 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BACKUP\BO\BOOKMA~1.BAK

2006-08-09 21:02 384 423_5791cfae1_
1 File(s) 384 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

159744 Oct 7 2003 "C:\SWSETUP\Misc3\Apoint.exe"
159744 Oct 8 2003 "C:\SWSETUP\SP25796\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
229952 Sep 12 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 12 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
108096 Sep 12 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.0.70\iTunesSetupAdmin.exe"
282624 Sep 1 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
120640 Jan 31 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
120640 Jan 31 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
483328 May 22 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\deu\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\enu\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\esm\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\fra\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\grk\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\ita\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\nld\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\ptb\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\rus\HPHmon05.exe"
67184 Dec 10 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
67184 Dec 10 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Aug 4 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
69632 Apr 17 2002 "C:\Program Files\HP\HP Share-to-Web\bak\hpgs2wnd.exe"
245760 Jan 13 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
1757184 May 19 2006 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
111816 Nov 11 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
180269 Jan 31 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
90112 Oct 7 2002 "C:\Program Files\HP\Digital Imaging\Unload\bak\hpqcmon.exe"
32881 May 16 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
384 Aug 9 2006 "C:\Program Files\support.com\backup\bo\bookmarks.bak\423_5791cfae1_"
385 Aug 9 2006 "C:\Program Files\support.com\backup\bo\bookmarks.html\423_5791cfae1_"


end of report
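The FindAWF report above has two halves: the files the trojan tucked away in `bak` folders, and every file on the disk whose size matches one of those backups. The following Python is an added example (not noahdfear's tool and not part of this thread) that cross-references the two. It assumes that the duplicates section lists every same-size file, so a backup with no same-size twin in its parent directory means the file now sitting at the original location differs from the backup, which is the footprint of a dropper that swaps its own loader in and keeps the clean copy under `bak`. The sample report is an excerpt of the one posted above; the verdicts are a triage hint for the helper, not proof on their own.

```python
"""Cross-check a FindAWF report: which backed-up files still have an identical
twin at their original location? Added example, not noahdfear's FindAWF."""
import re
from typing import Dict, List, Tuple

# Excerpt of the report posted in this thread (sizes, dates and paths as reported).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

159744 Oct 7 2003 "C:\SWSETUP\Misc3\Apoint.exe"
159744 Oct 8 2003 "C:\SWSETUP\SP25796\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
229952 Sep 12 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 12 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Sep 1 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
32881 May 16 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
384 Aug 9 2006 "C:\Program Files\support.com\backup\bo\bookmarks.bak\423_5791cfae1_"
385 Aug 9 2006 "C:\Program Files\support.com\backup\bo\bookmarks.html\423_5791cfae1_"

end of report
"""

# One line of the duplicates section: <size> <Mon> <day> <year> "<path>"
DUP_RE = re.compile(r'^(?P<size>\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"(?P<path>[^"]+)"$')

# Assumption: the trojan's backup folder is always a directory literally named "bak".
BAK_MARKER = "\\bak\\"


def parse_duplicates(report: str) -> List[Tuple[int, str]]:
    """Return (size, path) for every entry in the 'Duplicate files' section."""
    dups: List[Tuple[int, str]] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line == "end of report":
            break
        m = DUP_RE.match(line)
        if in_section and m:
            dups.append((int(m["size"]), m["path"]))
    return dups


def _original_of(bak_path: str) -> str:
    """Strip the backup folder from a path: ...\Dir\bak\file.exe -> ...\Dir\file.exe."""
    i = bak_path.lower().find(BAK_MARKER)
    return bak_path[:i] + bak_path[i + len(BAK_MARKER) - 1:]


def classify_backups(report: str) -> Dict[str, str]:
    """Map each backup copy to 'intact' (a same-size twin exists at the original
    location) or 'replaced?' (nothing of that size is there any more)."""
    dups = parse_duplicates(report)
    present = {(size, path.lower()) for size, path in dups}
    verdicts: Dict[str, str] = {}
    for size, path in dups:
        if BAK_MARKER not in path.lower():
            continue  # not a backup copy, just another same-size file
        original = _original_of(path)
        verdicts[path] = "intact" if (size, original.lower()) in present else "replaced?"
    return verdicts


def suspect_originals(report: str) -> List[str]:
    """Original-location paths whose current contents no longer match their backup."""
    return sorted(_original_of(p) for p, v in classify_backups(report).items() if v == "replaced?")


if __name__ == "__main__":
    for bak_path, verdict in classify_backups(SAMPLE_REPORT).items():
        print(f"{verdict:9} {bak_path}")
    print("Files to submit for scanning / restore from bak:", *suspect_originals(SAMPLE_REPORT), sep="\n  ")
```

Run against the excerpt, `iTunesHelper.exe` and `ctfmon.exe` come back `intact` (their backups have a same-size twin one directory up), while `Apoint.exe`, `qttask.exe` and `jusched.exe` come back `replaced?`, which is exactly the set a helper would want hashed or restored from the `bak` copy. The `bookmarks.bak` entries are ignored because `.bak` in a folder name is not the trojan's `\bak\` directory.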

#6 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 17 May 2007 - 12:03 AM

You probably have a Vundo infection; it looks like your O2 entries are being hidden. Do this. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

#7 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 17 May 2007 - 09:48 AM

The vundofix log:

VundoFix V6.3.23

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:19:44 2007-05-17

Listing files found while scanning....

C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\oqstv.tmp
C:\WINDOWS\system32\vtsqo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\oqstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\oqstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqstv.tmp
C:\WINDOWS\system32\oqstv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.dll Has been deleted!

Performing Repairs to the registry.
Done!


The HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:41, on 2007-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\James Gibson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {189CA132-1782-4C5C-A34C-6BE33AE5FEC8} - C:\WINDOWS\system32\izbk.dll (file missing)
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\vturrqo.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\rvbhavuw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BEF2E7D2-E11C-4838-AA70-5F130E79E21c} - C:\WINDOWS\system32\bkfaekxy.dll
O2 - BHO: (no name) - {E4945509-CDD3-43BD-AB19-1360AA8F5E2B} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram1c.vcu.edu/iNotes6W.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/018f9b75d95d96...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179279019718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: vturrqo - vturrqo.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\smrss.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


My system seems to be running a lot smoother and quicker. I am still concerned about the message Symantec Antivirus reported about the Trojan.Duntek though. Can you tell if I should also scan for/correct this issue? Thanks a lot for all of your help.

#8 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 17 May 2007 - 10:51 AM

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: (no name) - {189CA132-1782-4C5C-A34C-6BE33AE5FEC8} - C:\WINDOWS\system32\izbk.dll (file missing)
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\vturrqo.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\rvbhavuw.dll
O2 - BHO: (no name) - {BEF2E7D2-E11C-4838-AA70-5F130E79E21c} - C:\WINDOWS\system32\bkfaekxy.dll
O2 - BHO: (no name) - {E4945509-CDD3-43BD-AB19-1360AA8F5E2B} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: vturrqo - vturrqo.dll (file missing)
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\smrss.exe (file missing)


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

Also, provide me with the full path and filename of what Symantec is detecting.
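Added example, not code from this thread, from HijackThis or from the helper: a small Python triage that applies the same selection rules used in the post above (orphaned "(file missing)" / "(no file)" entries, services with no publisher, an empty AppInit_DLLs value, unnamed BHOs loading from system32) to HijackThis 1.99.1 log lines, plus a diff of two logs for checking that a fix took. The sample log is constructed from lines posted in this thread; the verdict labels and rule names are this example's own.

```python
import re

# Constructed sample: HijackThis 1.99.1 entry lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {189CA132-1782-4C5C-A34C-6BE33AE5FEC8} - C:\WINDOWS\system32\izbk.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\rvbhavuw.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: vturrqo - vturrqo.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\smrss.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section tag (R0, R1, F2, O2, O20, O23, ...)
# followed by " - "; header lines and the process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Yield (section, body) for every entry line in a HijackThis log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage_entry(section, body):
    """Return (verdict, reason) for one entry; verdict is 'remove', 'review' or 'ok'.

    'remove' mirrors what the helper fixed above: entries whose target file is gone.
    'review' marks entries a human should look at but that are not wrong by themselves.
    """
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return "remove", "orphaned entry: registry still points at a file that is gone"
    if section == "O23" and "Unknown owner" in body:
        # WLTRYSVC was left alone in the thread: 'Unknown owner' only means there is
        # no publisher string, so the path decides, not the tag.
        return "review", "service with no publisher information"
    if section == "O20" and body.strip() == "AppInit_DLLs:":
        return "review", "AppInit_DLLs value present but empty"
    if section == "O2" and body.startswith("BHO: (no name)"):
        path = body.rsplit(" - ", 1)[-1]
        if "\\system32\\" in path.lower():
            return "review", "unnamed BHO loading from system32"
    return "ok", ""


def triage_log(text):
    """Return [(section, body, verdict, reason)] for every entry that is not 'ok'."""
    flagged = []
    for section, body in parse_entries(text):
        verdict, reason = triage_entry(section, body)
        if verdict != "ok":
            flagged.append((section, body, verdict, reason))
    return flagged


def diff_logs(before, after):
    """Entries that disappeared and that appeared between two scans, so a helper can
    confirm the fixed entries are gone and see anything new (e.g. a freshly installed
    scanner's own Winlogon Notify hook) without re-reading the whole log."""
    old = set(parse_entries(before))
    new = set(parse_entries(after))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for section, body, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:6} {section:4} {body}\n       -> {reason}")
    # Constructed 'after' log: the orphaned entries fixed, one new legitimate entry.
    after = "\n".join(l for l in SAMPLE_LOG.splitlines()
                      if not (l.endswith("(file missing)") or l.endswith("(no file)")))
    after += "\nO20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll\n"
    gone, new = diff_logs(SAMPLE_LOG, after)
    print(f"{len(gone)} entries gone, {len(new)} new")
```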

#9 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 17 May 2007 - 02:41 PM

I deleted what you told me to, and below is the HijackThis log that I generated after the reboot. Now Symantec is not reporting any trojans, but if it flags another one I will provide you with the full file pathway.

Logfile of HijackThis v1.99.1
Scan saved at 16:39, on 2007-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram1c.vcu.edu/iNotes6W.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179279019718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#10 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 17 May 2007 - 11:34 PM

OK good. Do one more scan for me. Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.

  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.

  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#11 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 21 May 2007 - 10:29 PM

Here is the SUPERAntiSpyware Log you asked for:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/21/2007 at 04:10 PM

Application Version : 3.7.1018

Core Rules Database Version : 3241
Trace Rules Database Version: 1252

Scan type : Complete Scan
Total Scan Time : 03:12:57

Memory items scanned : 391
Memory threats detected : 0
Registry items scanned : 6234
Registry threats detected : 11
File items scanned : 89714
File threats detected : 125

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}

Adware.Tracking Cookie

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\James Gibson\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\James Gibson\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\James Gibson\Start Menu\Programs\Outerinfo

Trojan.ErrorSafe
C:\DOCUMENTS AND SETTINGS\JAMES GIBSON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4HEFO9YN\ERRORSAFEFREEINSTALLW[1].EXE

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE

Trojan.Downloader-CREW
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070517-145308-293.DLL
C:\WINDOWS\SYSTEM32\BKFAEKXY.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP949\A0205576.EXE

Trojan.XDUD
C:\WINDOWS\SYSTEM32\FK.DLL

Trace.Known Threat Sources


And then here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:28, on 2007-05-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram1c.vcu.edu/iNotes6W.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179279019718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#12 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 21 May 2007 - 11:42 PM

Looks better - how is it running now?

#13 everlasting_geek

  • Group: Member
  • Posts: 7
  • Joined: 15-May 07

Posted 22 May 2007 - 07:05 AM

It's running much better. Thanks so much for all of your help.

#14 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 22 May 2007 - 01:27 PM

One more thing and then you're all set.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
    1. Turn off System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      Check Turn off System Restore.
      Click Apply, and then click OK.
    2. Restart your computer.
    3. Turn ON System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      UN-Check Turn off System Restore.
      Click Apply, and then click OK.
System Restore will now be active again.

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?

Do you require any further assistance or should I close the topic?
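The same System Restore reset, as an added example that is not part of the original post: it uses the Windows PowerShell 5.1 cmdlets available on a modern Windows client (the thread's Windows XP has no such cmdlets; there the GUI steps above are the way to do it) from an elevated session, checks that the old restore points are really gone, and then creates a fresh known-good checkpoint. The drive letter and the checkpoint description are assumptions for this example.

```powershell
# Added example (not from the thread): reset System Restore to discard restore points
# that may hold backed-up infected files, then verify and create a clean baseline.
# Requires Windows PowerShell 5.1 on a modern Windows client, run as Administrator.
# Assumption: the system drive is the only drive with System Restore enabled.
#Requires -RunAsAdministrator

$systemDrive = $env:SystemDrive + '\'   # e.g. 'C:\'

function Get-RestorePointSummary {
    # Lists the existing restore points so you can see what is about to be discarded.
    # Returns nothing (no error) while System Restore is switched off.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

Write-Host 'Restore points before the reset:'
Get-RestorePointSummary | Format-Table -AutoSize

# Step 1 of the post: turning System Restore off discards every existing restore
# point, including any that captured infected files. No reboot is needed here.
Disable-ComputerRestore -Drive $systemDrive

# Step 3 of the post: turn it back on so new, clean restore points can be made.
Enable-ComputerRestore -Drive $systemDrive

# Check: after the reset there must be no old restore points left.
$remaining = @(Get-RestorePointSummary)
if ($remaining.Count -ne 0) {
    Write-Warning "System Restore still lists $($remaining.Count) restore point(s); the reset did not take effect."
} else {
    Write-Host 'All old restore points discarded.'
    # Capture the cleaned system as a known-good baseline (Windows allows one
    # checkpoint per 24 hours by default, so this may be skipped if one was just made).
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
    Write-Host 'Restore points after the reset:'
    Get-RestorePointSummary | Format-Table -AutoSize
}
```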

#15 Daemon

  • Group: Retired Staff
  • Posts: 4,356
  • Joined: 20-February 05

Posted 25 May 2007 - 11:59 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
