Integrity threat detected

#1
asifdaman505 (New Member, 4 posts)

Alright, I was away at work and when I come home my brothers as usual give me some bad news ("The computer is acting stupid") from something they did. It says integrity threat detected and that I need this Ultimate Fixers and stuff to fix it which I know is BS. It's slowing down my computer on startup and messing with my browsers. Here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 1:56:16 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Asif\LOCALS~1\Temp\tmpEE.tmp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\regsvr32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SecCenter\scprot4.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Asif\Local Settings\Temp\wza2cf\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Jbuuotlv\jqjvzskt.dll
O2 - BHO: (no name) - {5621007F-BBEE-4674-8077-94C3591DE7C3} - C:\WINDOWS\system32\vtusrss.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91207231-8B35-4D5D-BD9C-9D7AE87BCF71} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\pyrsjrkq.dll
O2 - BHO: (no name) - {C666CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AudioDeck] "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" 1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win60E.tmp.exe
O4 - HKLM\..\Run: [cbinanmt] "rundll32.exe" "C:\Program Files\xwvebkla\fmpivepq.dll",Init
O4 - HKLM\..\Run: [SC2] "C:\Program Files\SecCenter\scprot4.exe"
O4 - HKLM\..\Run: [pudmforw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pudmforw.dll"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [nypqxglc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nypqxglc.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .htm: C:\Program Files\\Netscape\\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtes...GenXInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddayyyw.dll
O20 - Winlogon Notify: comesh - comesh.dll (file missing)
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)
O20 - Winlogon Notify: vtusrss - C:\WINDOWS\SYSTEM32\vtusrss.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DomainService - - C:\DOCUME~1\Asif\LOCALS~1\Temp\tmpEE.tmp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Appreciate it guys
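An added example, not code from this thread or from HijackThis: a small Python triage script that scores log lines of the shape posted above (binaries launched from a Temp directory, regsvr32 /u Run entries, AppInit_DLLs, Winlogon Notify handlers, unnamed BHOs, services with no publisher). The sample lines are copied from the log above plus two clean entries for contrast; the rule weights are constructed for illustration and are not taken from any tool.

```python
"""Triage heuristics for HijackThis-style log lines (added example).

Scores the entry shapes a malware-removal helper reads first. Weights
are constructed for illustration and do not come from any tool.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HJT finding line looks like "<section> - <rest>", e.g.
# "O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win60E.tmp.exe".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
BINARY_RE = re.compile(r"\.(exe|dll|tmp)\b")


@dataclass(frozen=True)
class Finding:
    section: str
    score: int
    reasons: Tuple[str, ...]
    line: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split an HJT line into (section, rest); None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("rest")) if m else None


def assess(section: str, rest: str) -> List[Tuple[int, str]]:
    """Return (weight, reason) pairs for one entry; an empty list means it looks normal."""
    low = rest.lower()
    hits: List[Tuple[int, str]] = []
    if "\\temp\\" in low and BINARY_RE.search(low):
        hits.append((3, "executable or DLL loaded from a Temp directory"))
    if section == "O4" and "regsvr32 /u" in low:
        hits.append((3, "Run entry unregisters a DLL with regsvr32 /u at every logon"))
    if "\\all users\\application data\\" in low and ".dll" in low:
        hits.append((2, "DLL kept under All Users\\Application Data instead of a program folder"))
    if section == "O20" and low.startswith("appinit_dlls:") and low.rstrip().endswith(".dll"):
        hits.append((2, "AppInit_DLLs loads this DLL into every process that links user32.dll"))
    if section == "O20" and low.startswith("winlogon notify:"):
        hits.append((2, "Winlogon Notify handler runs inside winlogon.exe at logon"))
    if section == "O2" and "(no name)" in low:
        hits.append((1, "BHO registered without a display name"))
    if section == "O23" and (" - - " in rest or "unknown owner" in low):
        # Low weight: some legitimate vendors ship services without a publisher string.
        hits.append((1, "service entry carries no publisher"))
    if "(file missing)" in low:
        hits.append((1, "referenced file is missing (orphaned entry)"))
    return hits


def triage(log_text: str) -> List[Finding]:
    """Score every entry in a log and return the flagged ones, highest score first."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, rest = parsed
        hits = assess(section, rest)
        if hits:
            findings.append(Finding(section, sum(w for w, _ in hits),
                                    tuple(r for _, r in hits), raw.strip()))
    findings.sort(key=lambda f: f.score, reverse=True)  # stable: ties keep log order
    return findings


# Constructed sample: entries copied from the first log in this thread plus two clean ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Jbuuotlv\jqjvzskt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win60E.tmp.exe
O4 - HKLM\..\Run: [pudmforw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pudmforw.dll"
O20 - AppInit_DLLs: c:\windows\system32\ddayyyw.dll
O20 - Winlogon Notify: comesh - comesh.dll (file missing)
O23 - Service: DomainService - - C:\DOCUME~1\Asif\LOCALS~1\Temp\tmpEE.tmp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.section}: {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

The clean Adobe, QuickTime and NVIDIA entries score zero and are left out of the report; the regsvr32 /u entry and the Temp-launched service rank first.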
#2
Noviciate (Confused Helper, Malware Removal, 1,567 posts)

1) You are running an old version of HJT. Download a copy of HJTInstall.exe from here and save it to your Desktop
  • Double click HJTInstall.exe to begin installation.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis, or click the Browse... button if you want to choose somewhere else, and then click Install
  • Once HJT has installed, a shortcut will be created on your Desktop and HJT will open automatically.
  • You will need to accept the EULA, if it appears, to be able to use the tool.
  • Close the program as you won't need to use it yet.
Do this BEFORE you proceed!

2) Download Combofix by sUBs from here and save it to your Desktop.
  • Double click combo.exe to run it and follow the prompts.
  • Please Note: This may require the PC to be rebooted so close any programs you have open before you start.
  • When the tool has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Please Note:
  • Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  • Disable Script Blocking if you have NAV installed as it will interfere with the normal working of this tool.
  • Should any security program warnings appear, ignore them as they are false-positives - this tool isn't malicious.
3) Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

#3
asifdaman505 (Topic Starter, New Member, 4 posts)

ComboFix 07-08-30.3 - "Asif" 2007-09-02 17:25:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.75 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Asif\APPLIC~1\FunWebProducts
C:\DOCUME~1\Asif\APPLIC~1\macromedia\Flash Player\#SharedObjects\QA3QW49Q\www.broadcaster.com
C:\DOCUME~1\Asif\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Asif\err.log
C:\onoes.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\setup.exe
C:\WA6P
C:\WINDOWS\DOWNLO~1\UERT_0001_D19M2109NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWA6P_0001_N68M2301NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWA6P_0001_N91M1807NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWAS6_0001_N91M1508NetInstaller.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\cyirqvnk.exe
C:\WINDOWS\system32\drsmartload197a.exe
C:\WINDOWS\system32\ghsstetw.exe
C:\WINDOWS\system32\hpiajmmo.dll
C:\WINDOWS\system32\lvplhopj.exe
C:\WINDOWS\system32\mc-110-12-0000482.exe
C:\WINDOWS\system32\ndvmitiu.exe
C:\WINDOWS\system32\ommjaiph.ini
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\pyrsjrkq.dll
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tmp186.tmp.dll
C:\WINDOWS\system32\tmp338.tmp.dll
C:\WINDOWS\system32\tmp50.tmp.dll
C:\WINDOWS\system32\tmp84.tmp.dll
C:\WINDOWS\system32\tmpB0.tmp.dll
C:\WINDOWS\system32\tmpC4.tmp.dll
C:\WINDOWS\system32\tmpDA.tmp.dll
C:\WINDOWS\system32\tmpF2.tmp.dll
C:\WINDOWS\system32\tmpF9.tmp.dll
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\vtusrss.dll
C:\WINDOWS\winlogon.exe
C:\WINDOWS\yaabyy.dll
C:\WINDOWS\yybaay.ini


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))


2007-09-02 17:23 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-02 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-01 15:55 <DIR> d-------- C:\Program Files\GoldWave
2007-09-01 14:12 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-09-01 14:11 <DIR> d-------- C:\WINDOWS\system32\athan
2007-09-01 14:11 <DIR> d-------- C:\Program Files\Athan
2007-09-01 13:04 98,304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\nypqxglc.dll
2007-09-01 13:04 <DIR> d-------- C:\Program Files\Jbuuotlv
2007-09-01 13:04 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Real
2007-09-01 12:16 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-01 12:16 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-08-31 18:55 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-31 18:55 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-31 18:55 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-31 18:55 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-31 18:54 <DIR> d-------- C:\Program Files\Webroot
2007-08-31 18:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-31 18:53 164 --a------ C:\install.dat
2007-08-31 18:53 <DIR> d-------- C:\DOCUME~1\Asif\APPLIC~1\Webroot
2007-08-31 00:26 9,216 --a------ C:\WINDOWS\system32\ffnd.exe
2007-08-30 16:06 <DIR> d-------- C:\WINDOWS\system32\wowrlegl
2007-08-30 16:05 98,304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pudmforw.dll
2007-08-30 16:05 <DIR> d-------- C:\Program Files\Dpkhqjoe
2007-08-29 14:36 1,756,563 --ahs---- C:\WINDOWS\system32\vyadd.bak2
2007-08-28 15:52 6,448 --ahs---- C:\WINDOWS\system32\vyadd.bak1
2007-08-28 15:47 93,696 --a------ C:\WINDOWS\system32\drvmak.dll
2007-08-28 15:47 15,360 --a------ C:\WINDOWS\system32\drvmakr.dll
2007-08-28 15:47 <DIR> d-------- C:\Program Files\xwvebkla
2007-08-26 15:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-26 15:07 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-26 15:02 8,413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-08-26 14:17 <DIR> d-------- C:\Program Files\Best Buy Rhapsody
2007-08-25 00:31 <DIR> d-------- C:\DOCUME~1\Asif\APPLIC~1\DivX
2007-08-25 00:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-08-17 11:57 <DIR> d-------- C:\Program Files\FreeFixer
2007-08-17 11:54 <DIR> d-------- C:\Program Files\Bazooka Scanner
2007-08-16 17:21 3,804 --a------ C:\qiypa.exe
2007-08-13 14:08 <DIR> d-------- C:\Program Files\Qualcomm
2007-08-13 13:57 <DIR> d-------- C:\DOCUME~1\Asif\APPLIC~1\RecordPad
2007-08-13 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2007-08-10 22:47 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-08-10 22:47 <DIR> d-------- C:\DOCUME~1\Asif\APPLIC~1\NCH Swift Sound


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 16:40 --------- d-------- C:\DOCUME~1\Asif\APPLIC~1\LimeWire
2007-08-31 12:54 --------- d-------- C:\Program Files\iTunes
2007-08-28 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 17:58 --------- d-------- C:\Program Files\Real
2007-08-26 17:13 --------- d-------- C:\Program Files\LimeWire
2007-08-26 15:02 --------- d-------- C:\DOCUME~1\Asif\APPLIC~1\Real
2007-08-25 00:30 --------- d-------- C:\Program Files\DivX
2007-08-19 11:31 --------- d-------- C:\DOCUME~1\Asif\APPLIC~1\Yahoo!
2007-08-16 17:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-11 16:47 --------- d-------- C:\Program Files\Yahoo!
2007-08-11 16:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-26 20:26 --------- d-------- C:\Program Files\MAIET
2007-07-25 22:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 21:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 21:53 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-25 21:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 21:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 21:53 120056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-25 21:53 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-25 21:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 21:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 21:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 21:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 21:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 21:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 21:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 21:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 21:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 21:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 21:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 21:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 21:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 21:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-11 20:07 --------- d-------- C:\Program Files\Incomplete
2007-03-15 21:38 114 --a------ C:\DOCUME~1\Asif\hhjj.bat
2007-03-15 21:37 128 --a------ C:\DOCUME~1\Asif\install.exe
2007-03-15 20:31 32768 --a------ C:\DOCUME~1\Asif\setup9x.exe
2007-02-08 20:57 32768 --a------ C:\DOCUME~1\Asif\stup9x.exe
2007-02-08 20:57 190 --a------ C:\DOCUME~1\Asif\ggg.bat
2007-02-05 16:51 128 --a------ C:\DOCUME~1\Asif\hhhl.exe
2007-02-05 16:50 32768 --a------ C:\DOCUME~1\Asif\setup.exe
2006-03-31 13:40 484560 --a------ C:\DOCUME~1\directx\DXSETUP.exe
2006-03-31 13:40 2248912 --a------ C:\DOCUME~1\directx\dsetup32.dll
2006-03-31 13:39 74448 --a------ C:\DOCUME~1\directx\DSETUP.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]
2007-09-01 13:04 98304 --a------ C:\Program Files\Jbuuotlv\jqjvzskt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91207231-8B35-4D5D-BD9C-9D7AE87BCF71}]
C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C666CF63-767F-4831-94AC-E683D962C63C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-05-19 10:30]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 13:59 C:\WINDOWS\SOUNDMAN.EXE]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 20:28]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-07-09 13:42]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-03-07 15:07]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-03-07 15:05]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-01 17:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"cbinanmt"="rundll32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"pudmforw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\pudmforw.dll" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"nypqxglc"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\nypqxglc.dll" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ConfirmFileDelete"=0 (0x0)
"NoDesktopCleanupWizard"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoResolveTrack"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comesh]
comesh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayv]
C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ddayyyw.dll

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 AIDA32Driver;AIDA32Driver;\??\C:\Documents and Settings\Asif\Desktop\Aida32\aida32.sys
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys
S3 VNICPKT5;VNICPKT5 Protocol Driver;\??\C:\WINDOWS\system32\VNICPKT5.SYS
S3 XDva009;XDva009;\??\C:\WINDOWS\system32\XDva009.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService LmHosts upnphost SSDPSRV

*Newly Created Service* - ERSVC

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-02 17:42:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-02 17:42:58
C:\ComboFix-quarantined-files.txt ... 2007-09-02 17:42

--- E O F ---


Here's my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:32 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Jbuuotlv\jqjvzskt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91207231-8B35-4D5D-BD9C-9D7AE87BCF71} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {C666CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AudioDeck] "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" 1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cbinanmt] "rundll32.exe" "C:\Program Files\xwvebkla\fmpivepq.dll",Init
O4 - HKLM\..\Run: [pudmforw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pudmforw.dll"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [nypqxglc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nypqxglc.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .htm: C:\Program Files\\Netscape\\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtes...GenXInstall.cab
O20 - AppInit_DLLs: c:\windows\system32\ddayyyw.dll
O20 - Winlogon Notify: comesh - comesh.dll (file missing)
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://www.md9-studi...walls/tmac3.jpg

--
End of file - 7846 bytes


and the uninstall

Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.8
AIM 6
Apple Software Update
Bazooka Scanner
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EPSON Printer Software
EPSON Scan
Express Burn
FreeFixer
GoldWave v5.20
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
iPod for Windows 2006-03-23
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 7
LimeWire PRO 4.14.0
Macromedia Shockwave Player
McAfee SecurityCenter
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mixman StudioPro (Free Version)
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (2.0.0.6)
MSN Music Assistant
Netscape Browser (remove only)
NVIDIA Drivers
PowerDVD
ProgramChecker
PureVoice
QuickTime
RealPlayer
Realtek AC'97 Audio
RecordPad Sound Recorder
SBC Yahoo! DSL Home Networking Installer
Security Update for Windows Media Player (KB911564)
Sony Picture Utility
Sony USB Driver
Spy Sweeper
Spybot - Search & Destroy 1.4
Switch
Total Control
VIA NICSET
VIA Platform Device Manager
VideoLAN VLC media player 0.8.5
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WavePad Uninstall
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
WinRAR archiver
WinZip
Yahoo! Browser Services
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar
ZoneAlarm


doesn't seem like there's any problems now :whistling:

#4
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts

There's just a little tidying up to do.

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of AVG Anti-Spyware 7.5 from here and save it to your Desktop.
If you already have this program installed, skip to Updating AVG Anti-Spyware: below.

* Please note that this program was formerly known as Ewido anti-spyware 4.0.
Taken from the Ewido website -

ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Double click the avgas-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.
  • Updating AVG Anti-Spyware:

    By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either AVG A-S will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click avgas-signatures-full-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
  • Under "Reports:" click the radio button to the left of "Do not automatically generate reports".
You can now close AVG A-S.

AVG A-S is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG A-S will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

3) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Jbuuotlv\jqjvzskt.dll
O2 - BHO: (no name) - {91207231-8B35-4D5D-BD9C-9D7AE87BCF71} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {C666CF63-767F-4831-94AC-E683D962C63C} - (no file)

O4 - HKLM\..\Run: [cbinanmt] "rundll32.exe" "C:\Program Files\xwvebkla\fmpivepq.dll",Init
O4 - HKLM\..\Run: [pudmforw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pudmforw.dll"
O4 - HKLM\..\Run: [nypqxglc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nypqxglc.dll"

O20 - AppInit_DLLs: c:\windows\system32\ddayyyw.dll
O20 - Winlogon Notify: comesh - comesh.dll (file missing)
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.
3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options.

For I.E. 6 - under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

For I.E. 7 - under Browsing History, click delete...
Under Temporary Internet Files, click Delete files...

6) Ensure that ALL open Windows / Programs / Folders are closed and then run AVG Anti-Spyware.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that AVG A-S has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When AVG A-S has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close AVG Anti-Spyware.

7) Remove any/all of the following files/folders that you can find:

Files

C:\Documents and Settings\All Users\Application Data\pudmforw.dll
C:\Documents and Settings\All Users\Application Data\nypqxglc.dll


As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Folders

C:\Program Files\Jbuuotlv
C:\Program Files\xwvebkla


As an example:
To delete C:\WINDOWS\system32\foldertogo
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on foldertogo and from the menu that appears, click on 'Delete'


8) Boot into Normal Mode.

Post a new HJT log, the AVG log AND a description of how your PC is running.


Please ignore my use of the "Quote" tags - if someone would fix this forum glitch, I wouldn't need to use them. You shouldn't be affected, so don't worry.
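The helper's post above picks the O2, O4 and O20 lines out of the HijackThis log by eye. As an added example (not code from this thread, from Geeks to Go, or from HijackThis), the Python script below writes that same judgement down as rules over an HJT v1.99-style log: unnamed or fileless BHOs, Run entries that call `regsvr32 /u` or load a DLL through `rundll32` from outside the Windows directory, a non-empty `AppInit_DLLs` value, and Winlogon Notify packages whose DLL is missing. The rules, the `Finding` type and the three benign sample lines are my own assumptions; the flagged sample lines are the ones fixed in the post. It only flags lines for a person to review.

```python
"""Triage helper for HijackThis (HJT) v1.99-style logs.

Added illustration, not part of this thread or of HijackThis itself.
The rules are heuristics (assumed, not an HJT feature): they flag lines a
person should look at and decide nothing on their own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the O2/O4/O20 lines fixed in this thread, plus three benign
# entries constructed here (placeholder CLSID) that the rules should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Jbuuotlv\jqjvzskt.dll
O2 - BHO: (no name) - {91207231-8B35-4D5D-BD9C-9D7AE87BCF71} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {C666CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [cbinanmt] "rundll32.exe" "C:\Program Files\xwvebkla\fmpivepq.dll",Init
O4 - HKLM\..\Run: [pudmforw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pudmforw.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: c:\windows\system32\ddayyyw.dll
O20 - Winlogon Notify: comesh - comesh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    reason: str    # which rule fired
    line: str      # the original log line


# "rundll32.exe" "<path>.dll",Entry  -> capture the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.IGNORECASE)
# regsvr32 /u unregisters a DLL; as a startup entry that is never a normal install
REGSVR_UNREG_RE = re.compile(r'regsvr32\s+/u\b', re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r'^[a-z]:\\windows\\', re.IGNORECASE)
ENTRY_RE = re.compile(r'^(O\d+) - (.*)$')


def classify(line: str) -> Optional[Finding]:
    """Apply the triage rules to one HJT line; None means nothing fired."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    missing = '(file missing)' in body or body.endswith('(no file)')

    if section == 'O2':
        # A legitimate Browser Helper Object names itself and its file exists.
        if '(no name)' in body or missing:
            return Finding(section, 'unnamed or fileless BHO', line)
    elif section == 'O4':
        if REGSVR_UNREG_RE.search(body):
            return Finding(section, 'Run entry uses regsvr32 /u', line)
        dll = RUNDLL_RE.search(body)
        if dll and not WINDOWS_DIR_RE.match(dll.group(1)):
            return Finding(section, 'rundll32 loads a DLL outside the Windows directory', line)
    elif section == 'O20':
        # AppInit_DLLs is empty on a stock XP install; anything listed is
        # loaded into every process that uses user32.dll.
        if body.startswith('AppInit_DLLs:') and body.split(':', 1)[1].strip():
            return Finding(section, 'AppInit_DLLs is non-empty', line)
        if body.startswith('Winlogon Notify:') and missing:
            return Finding(section, 'Winlogon Notify package whose DLL is missing', line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the hits."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section}: {f.reason}\n    {f.line}')
```

Run it on the sample and the seven lines the helper ticked in HijackThis are the seven it prints; the constructed toolbar BHO, the QuickTime Run entry and the NVIDIA service pass untouched. O23 lines are deliberately left alone: the log above shows that "(file missing)" on a service (cisvc.exe, ups.exe) is normal on this machine, so that marker alone is not a signal there.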