My HijackThis Log



#1 alan blueh0le
I would be grateful for any help on this; I've followed all steps before submitting this log. One problem I'm having is that when I use HJT to save my uninstall list, HJT just closes. But I've pasted everything else below. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:26:42 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\qkkkkgxg.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Crestron\RoomView\RoomService.exe
C:\Crestron\RoomView\roomsock.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\user\Application Data\U3�00060415098768\LaunchPad.exe
C:\Documents and Settings\user\Application Data\U3�00060415098768\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\RoboTaskBarIcon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.pcc.edu/l...licies/aup.htm"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\tgcbr943.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\tgcbr943.slt\prefs.js)
O1 - Hosts: 209.152.38.50 lrc10nwfs
O1 - Hosts: 209.152.38.50 pcc_lrc_instructional
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cgieqyin.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\YMBOLS~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Xrvfohei] "C:\Program Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Ysjnmvvq] "C:\Documents and Settings\user\Application Data\??crosoft.NET\w?nspool.exe"
O4 - HKCU\..\Run: [zimz] C:\PROGRA~1\COMMON~1\zimz\zimzm.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\nwinspdt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - https://view.pcc.edu...iator/jinit.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qkkkkgxg.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoomView License Manager (RoomService) - Unknown owner - C:\Crestron\RoomView\RoomService.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe


----------------

Incident Status Location

Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Profiles\default\8ohxoj7k.slt\cookies.txt[.enhance.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.statcounter.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.atwola.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.perf.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.fastclick.net/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.xiti.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[www.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[www.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[systemdoctor.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.www.winantiviruspro.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.com.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.f0g\cookies.txt[.yadro.ru/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\user\Desktop\Click to Find and Fix Errors.url
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\bnypnipm.dll
Hacktool:Rootkit/NTRootkit.AJ Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\core.sys
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hgghe.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\rspckpjf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vnjxfdch.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\wkox.dll


#2 htv8
Hello alan blueh0le, and welcome to Geeks to Go! I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8

#3 alan blueh0le

Hello alan blueh0le, and welcome to Geeks to Go! I will be handling your log to help you get cleaned up.

. . .
Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8


Great! Thank you.

#4 htv8
Hello again.
________________________________________________________________________________

IMPORTANT
It is important that your computer has antivirus software running on it.
Your log doesn't show antivirus software running. This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it.
You need to install an antivirus program as soon as you can and run a complete scan of the computer. Please download and install one of these good (and free) products:
- AntiVir
- Avast Free
- AVG Free
- Bitdefender Free

Install one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.
NOTE: Never install more than one antivirus program on your system. Several together can give problems and decrease the reliability of it seriously.

IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here

NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Temporarily disable AVG Anti-Spyware's Resident Shield
You have AVG Anti-Spyware 7.5 running on your machine and that is good. However, AVG Anti-Spyware's Resident Shield can interfere with the changes you will make on your system, so please follow these instructions to temporarily disable AVG Anti-Spyware's Resident Shield:
1. Launch AVG Anti-Spyware by double-clicking the program's icon on your Desktop or in the system tray.
2. The main Status menu will appear. Select the Change state option to inactivate AVG AS's Resident Shield and Automatic Updates.
3. Right-click on the AVG Anti-Spyware icon in the system tray and uncheck the option labelled "Start with Windows".
4. Go to Start > Run.
5. In the Open: field type services.msc and press the OK button.
6. When the WinXP Services utility starts up, click the Extended tab on the bottom and scroll down the list to find the AVG Anti-Spyware Guard service.
7. When you find the service, double-click on it.
8. In the Properties window > General tab that opens, click the Stop button.
9. From the drop-down menu next to Startup type:, click on Manual.
10. Now click the Apply button, followed by clicking the OK button.
11. Close the Services window.

Step #2: Update Java SE Runtime Environment (JRE)
Your Java is out of date. Older versions have vulnerabilities that malware can use, and is using, to infect systems. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components:
1. Close all programs--especially your web browser--so that you have nothing open and are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE or J2SE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all Java versions.
4. Once all Java components are removed, reboot your computer.

Once rebooted, download and install the latest version of Java Runtime Environment (JRE) 6u2 by following these steps:
1. Go to http://java.sun.com/...loads/index.jsp.
2. Scroll down to where it says "Java Runtime Environment (JRE) 6u2 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
3. Click the Download button to the right.
4. Review the License Agreement and then select the radio button labelled "Accept License Agreement".
The page will refresh.
5. Click on the link to download the Windows Offline Installation and save the file to your Desktop.
6. From your Desktop, double-click the jre-6u2-windows-i586-p.exe file to install the newest version.

Step #3: Generate an uninstall list
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.
NOTE: If you are still not able to create an uninstall list using the instructions listed above, then please just continue and let me know. We will then try an alternative approach.

Step #4: Rename HijackThis
Occasionally malware hides itself from HijackThis. Navigate to C:\Program Files\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file. Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter.

Step #5: Rescan with HijackThis
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.
________________________________________________________________________________

So in your next reply, please post the entire contents of:
- the created uninstall list (uninstall_list.txt)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

#5 alan blueh0le

Step #3: Generate an uninstall list
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.
NOTE: If you are still not able to create an uninstall list using the instructions listed above, then please just continue and let me know. We will then try an alternative approach.


Everything went well until this point. When I try to save the uninstall list, HijackThis just closes and nothing gets saved. Would it be acceptable for me to do a screen capture of the list? Or do you have another idea?

Thanks very much.

#6 alan blueh0le
[Seven screenshots were posted here; the images are not preserved.]

#7 alan blueh0le
FLUFFYBUNNY LOG


Logfile of HijackThis v1.99.1
Scan saved at 2:10:28 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Crestron\RoomView\RoomService.exe
C:\Crestron\RoomView\roomsock.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.pcc.edu/l...licies/aup.htm"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\tgcbr943.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\tgcbr943.slt\prefs.js)
O1 - Hosts: 209.152.38.50 lrc10nwfs
O1 - Hosts: 209.152.38.50 pcc_lrc_instructional
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11BC41F3-BE3E-4C1E-AEAA-1A8D7F129A1F} - C:\WINDOWS\system32\hgghe.dll
O2 - BHO: (no name) - {1E5D1C82-49D3-4B26-8BD5-7D604D8B0726} - C:\WINDOWS\system32\bjbvwrvx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {853C193D-5087-4306-9C08-014DBFDE1996} - C:\Program Files\MSN Gaming Zone\safem.dll (file missing)
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: (no name) - {CDE5A128-36C8-6849-BA5F-3976651F0CC2} - C:\WINDOWS\system32\wkox.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - (no file)
O2 - BHO: 0 - {ED6AA0D3-7755-4FC2-FAB5-D084152A5E01} - C:\Program Files\Windows NT\woquget.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\lwqtxyju.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\YMBOLS~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Xrvfohei] "C:\Program Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Ysjnmvvq] "C:\Documents and Settings\user\Application Data\??crosoft.NET\w?nspool.exe"
O4 - HKCU\..\Run: [zimz] C:\PROGRA~1\COMMON~1\zimz\zimzm.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\nwinspdt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - https://view.pcc.edu...iator/jinit.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hgghe - C:\WINDOWS\system32\hgghe.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayvurp - yayvurp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qkkkkgxg.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoomView License Manager (RoomService) - Unknown owner - C:\Crestron\RoomView\RoomService.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe

#8 alan blueh0le (Topic Starter)
Fluffy-B lets me copy uninstall:

Ad-Aware 2007
Adobe Acrobat - Reader 6.0.2 Update
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album
Adobe Reader 6.0.1
ALPS Touch Pad Driver
AmpWare PC
AR System User 5.1
ATI Control Panel
ATI Display Driver
AVG 7.5
AVG Anti-Spyware 7.5
Broadcom Advanced Control Suite
Broadcom ASF Management Applications
COMODO Firewall Pro
Conexant D480 MDC V.9x Modem
Crestron Database v17.3
Crestron RoomView v6.0
Dell Solution Center
Digital Line Detect
DVDSentry
EPSON Printer Software
Film Factory
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
Intel® PROSet/Wireless Software
InterActual Player
InterVideo WinDVD
Java™ 6 Update 2
K-Lite Codec Pack 3.3.0 Full
Kodak Memory Albums
Macromedia Shockwave Player
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Mindjet MindManager Pro 6
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (2.0.0.6)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MT-1000 Components
mWlsSafe
mZConfig
NetIdentity 1.2.3
Netscape (7.2)
NetWaiting
NICI (Shared) U.S./Worldwide (128 bit) (2.6.8-2)
NMAS Client (3.1.0.8)
Novell Client for Windows
Oracle JInitiator 1.3.1.21
Panda ActiveScan
PDF-XChange 3.0
Privoxy 3.0.6
QuickSet
QuickTime
QVT/Term
RealFlight G3 R/C Simulator
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SIMPL Windows Library v352
SIMPL Windows v2.06
SIMPL+ Cross Compiler
SUPER © Version 2007.bld.23 (July 4, 2007)
SUPERAntiSpyware Free Edition
Tor 0.1.2.16
Trillian
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Vidalia 0.0.13
Viewpoint Media Player (Remove Only)
Viewport v3.99.01
VisionTools Pro-e v3.3
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
ZipCentral 4.01

#9 htv8
Hello again.

Good job in getting that uninstall list! Let's continue. :whistling:
________________________________________________________________________________

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Uninstall a Potentially Unwanted Program (PUP)
I see Viewpoint installed. Viewpoint is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything bad. This will change from what we know in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint.
I strongly recommend removing Viewpoint. If you agree, go to Start > Control Panel > Add/Remove Programs and uninstall Viewpoint Media Player.

Step #2: Download and run VundoFix to get rid of Vundo
You have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe

Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #3: Rescan with HijackThis
Scan with HijackThis and post a new HijackThis log.
________________________________________________________________________________

So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

#10 alan blueh0le (Topic Starter)
VundoFix V6.5.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 9:05:06 AM 9/5/2007

Listing files found while scanning....

C:\windows\system32\ehggh.bak1
C:\WINDOWS\system32\ehggh.bak2
C:\WINDOWS\system32\ehggh.ini
C:\WINDOWS\system32\ehggh.ini2
C:\WINDOWS\system32\ehggh.tmp
C:\WINDOWS\system32\hgghe.dll
C:\WINDOWS\system32\lwqtxyju.dll

Beginning removal...

Attempting to delete C:\windows\system32\ehggh.bak1
C:\windows\system32\ehggh.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehggh.bak2
C:\WINDOWS\system32\ehggh.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehggh.ini
C:\WINDOWS\system32\ehggh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehggh.ini2
C:\WINDOWS\system32\ehggh.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehggh.tmp
C:\WINDOWS\system32\ehggh.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgghe.dll
C:\WINDOWS\system32\hgghe.dll Has been deleted!

Performing Repairs to the registry.
Done!

#11 alan blueh0le (Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 9:30:08 AM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Crestron\RoomView\RoomService.exe
C:\Crestron\RoomView\roomsock.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.pcc.edu/l...licies/aup.htm"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\tgcbr943.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\tgcbr943.slt\prefs.js)
O1 - Hosts: 209.152.38.50 lrc10nwfs
O1 - Hosts: 209.152.38.50 pcc_lrc_instructional
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11BC41F3-BE3E-4C1E-AEAA-1A8D7F129A1F} - C:\WINDOWS\system32\hgghe.dll (file missing)
O2 - BHO: (no name) - {1E5D1C82-49D3-4B26-8BD5-7D604D8B0726} - C:\WINDOWS\system32\bjbvwrvx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {853C193D-5087-4306-9C08-014DBFDE1996} - C:\Program Files\MSN Gaming Zone\safem.dll (file missing)
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: (no name) - {CDE5A128-36C8-6849-BA5F-3976651F0CC2} - C:\WINDOWS\system32\wkox.dll
O2 - BHO: 0 - {ED6AA0D3-7755-4FC2-FAB5-D084152A5E01} - C:\Program Files\Windows NT\woquget.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\YMBOLS~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Xrvfohei] "C:\Program Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Ysjnmvvq] "C:\Documents and Settings\user\Application Data\??crosoft.NET\w?nspool.exe"
O4 - HKCU\..\Run: [zimz] C:\PROGRA~1\COMMON~1\zimz\zimzm.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\nwinspdt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - https://view.pcc.edu...iator/jinit.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayvurp - yayvurp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qkkkkgxg.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoomView License Manager (RoomService) - Unknown owner - C:\Crestron\RoomView\RoomService.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe

THANKS FOR YOUR HELP SO FAR! -- Alan

#12 htv8
Hello again, alan blueh0le.
________________________________________________________________________________

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Upload malware to UploadMalware.com for analysis
Please go to UploadMalware.com and follow these steps to submit malware to UploadMalware.com for analysis:
1. In the Name: field, please enter the display name you use on this forum.
2. In the Link to Your Topic: field, please copy/paste the entire link to this topic.
3. Click the first Browse... button (located next to File(s) To Submit:).
4. Navigate to this file that I want you to submit (if it is present): C:\WINDOWS\system32\lwqtxyju.dll
5. Click Open.
6. Using the second, third and fourth Browse... buttons, do the same for these files (if they are present):
C:\WINDOWS\system32\bjbvwrvx.dll
C:\WINDOWS\system32\wkox.dll
C:\WINDOWS\system32\yayvurp.dll
7. In the Comments and Further Info: field, please mention that I asked you to upload this file.
8. Click the Send File(s) button to submit the file(s) found.

Step #2: Use the "Add more files?" option within VundoFix to add not yet detected Vundo files for removal
Download the most recent version of VundoFix to your Desktop. Remove any old copies of VundoFix you may have saved. It is important to have the most recent version as VundoFix is updated almost daily.
Download VundoFix.exe

Now please follow these steps:
1. Double-click VundoFix.exe to run VundoFix.
2. When VundoFix opens, click the Scan for Vundo button.
3. Once the scan is complete, right-click inside the list box (white box) in the main VundoFix window.
4. Select the option labelled "Add more files?" from the menu that comes up. This will open a new VundoFix window.
5. In that window, copy the entire file path inside the CODE box below and paste it into the first (top) field provided:
C:\WINDOWS\system32\lwqtxyju.dll
6. Copy the entire file path inside the CODE box below and paste it into the second field provided:
C:\WINDOWS\system32\bjbvwrvx.dll
7. Copy the entire file path inside the CODE box below and paste it into the third field provided:
C:\WINDOWS\system32\wkox.dll
8. Copy the entire file path inside the CODE box below and paste it into the fourth field provided:
C:\WINDOWS\system32\yayvurp.dll
9. Click the Add File(s) button.
10. Click the Close Window button.
11. Click the Remove Vundo button.
12. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
13. When completed, it will prompt that it will shut down your computer. Click OK.
14. Turn your computer back on.
15. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #3: Download and run ComboFix
Please download ComboFix and save it to your Desktop.
Download ComboFix (ComboFix.exe)

When the file has finished downloading, double-click ComboFix.exe to launch the application and follow the on-screen prompts.
When finished, it shall produce a log for you: ComboFix.txt. Post that log in your next reply.

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause your system to hang!

Step #4: Rescan with HijackThis
Scan with HijackThis again and post a new HijackThis log.
________________________________________________________________________________

So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- ComboFix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.