Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Surprise: another Virtumonde/Winfixer victim [RESOLVED]

Started by fyvel , Sep 25 2005 07:36 PM

  • This topic is locked This topic is locked

#1
fyvel
Posted 25 September 2005 - 07:36 PM

fyvel

    New Member

  • Member
  • Pip
  • 8 posts
:tazz: This thing has been consuming my life. I am ready to wipe my hard drive clean (actually it would have been a lot easier and quicker!!).

I have tried AVG, Microsoft Antispyware, Ad-Aware, Spybot S&D, FixVundo.exe, FxMonde.exe (none of them even detected it). SpySweeper detected it and will remove it but it just comes back (if I run a scan right after removing it, it still is there). Trojan Hunter and Ewido supposedly "remove" it as well. But it is still there. Driving me nuts.

I did everything as stated here: http://www.geekstogo..._Log-t2852.html

Except for the CWShredder, which I downloaded twice : it wouldn't run either time.

I have attached both the Ewido and HiJackThis reports.

Any help would be greatly appreciated!!!! :)

Attached Files


  • 0

Advertisements

#2
Trevuren
Posted 25 September 2005 - 07:41 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi fyvel and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please repost your logs by pasting them into the thread. Please do not use the attachment feature unless requested to do do.

Thanks,

Trevuren
  • 0

#3
fyvel
Posted 25 September 2005 - 07:46 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Trevuren:

Thank you for your quick reply :tazz:

My apologies for the attachments, here are the copied/pasted logs:

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:08:22 PM, 25/09/2005
+ Report-Checksum: F4FDD487

+ Scan result:

:mozilla.16:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.17:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.29:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.39:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.51:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.59:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.60:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.68:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.69:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.97:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.108:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.127:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.128:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.130:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.131:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.132:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.133:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.134:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.135:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.136:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.137:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.138:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.139:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.140:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.141:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.142:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.143:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.144:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.145:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.146:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.148:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.149:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.150:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.151:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.152:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.177:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.179:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.186:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.187:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.188:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.190:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.191:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.192:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.193:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.194:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.227:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.230:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Directnetadvertising : Cleaned with backup
:mozilla.231:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Directnetadvertising : Cleaned with backup
:mozilla.232:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Directnetadvertising : Cleaned with backup
:mozilla.245:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.253:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.254:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.255:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.256:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.257:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.258:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.259:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.260:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.261:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.265:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.268:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.270:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.284:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.285:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.305:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.306:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.307:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.308:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.320:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.321:C:\Documents and Settings\~Mandy~\Application Data\Mozilla\Firefox\Profiles\9m6lqc7m.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\msagent\chars\tcpdos.dll -> Spyware.Virtumonde : Cleaned with backup


::Report End







~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:41:51 PM, on 25/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\chars\tcpdos.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{177C387C-2F6F-4000-90AA-DD10F468FC9A}: NameServer = 142.177.1.2 142.177.129.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{177C387C-2F6F-4000-90AA-DD10F468FC9A}: NameServer = 142.177.1.2 142.177.129.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpdos - C:\WINDOWS\msagent\chars\tcpdos.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0

#4
Trevuren
Posted 25 September 2005 - 07:54 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. We must disable SpySweeper

To disable SpySweeper:
  • Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck 'automaticly restore default without notification
B. Please also disable EwidoGuard.

C.
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\chars\tcpdos.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: tcpdos - C:\WINDOWS\msagent\chars\tcpdos.dll (file missing)

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System


  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
Regards,

Trevuren
  • 0

#5
fyvel
Posted 25 September 2005 - 08:07 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:06:02 PM, on 25/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{177C387C-2F6F-4000-90AA-DD10F468FC9A}: NameServer = 142.177.1.2 142.177.129.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{177C387C-2F6F-4000-90AA-DD10F468FC9A}: NameServer = 142.177.1.2 142.177.129.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




It is hard to tell if it is really gone without running SpySweeper (or another program). I thought it was gone after running ewido and trojan hunter because there were no pop ups on start up, but a spysweeper scan showed that it was still there. It seems to be so random and variable...

I hope this looks good (or at least better than last time)

At any rate, thanks again. I really appreciate this.
  • 0

#6
Trevuren
Posted 25 September 2005 - 08:13 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. Please run SpySweeper again and note the presence/absence of the trojan. Take down the full path or Register keys involved. After analysing the results, we may be able to proceed to final cleanup.

Trevuren
  • 0

#7
fyvel
Posted 25 September 2005 - 09:51 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hmmm. Ok, ran a spysweeper scan. It came up with 13 traces of Virtumonde (much less than the 30+ it has been getting all along). I went too far and quarantined them before I checked out where exactly they were in the system. So I scanned again and there is nothing there. This is the first time a scan has come up clean since I got this bug. Any other time I scanned right after getting rid of it through spysweeper, they were back again, just like that. Not this time. I hope that means it is gone.

It's after midnight here and I am going to bed. Will try this out again tomorrow afternoon and see what happens. Crossing my fingers and hoping that it is gone for good. :tazz:

Thank you very much :)
  • 0

#8
Trevuren
Posted 25 September 2005 - 10:10 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Before re-scanning with SpySweeper, reboot your machine 3-4 times to give it the best chance possible of returning if that is what it is going to do..

Have a good night,

Trevuren
  • 0

#9
fyvel
Posted 26 September 2005 - 12:57 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Trevuren;

I rebooted and rescanned it this morning - still nothing. I am also running Ewido and Trojan Hunter (the other two programs that picked it up before) to see if they can find anything. If they don't, I will try rebooting it a few more times and then rescanning.

Crossing my fingers and hoping for the best.

Thank you so much for all of your help, it is very much appreciated!!!!
  • 0

#10
fyvel
Posted 26 September 2005 - 06:47 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
:) Ok after multiple reboots and multiple scans, I have come to the conclusion that this thing is dead. I wish I had come to this site before I wasted my day trying to get rid of it!

Great site, I will definitely recommend it to anyone having difficulties.

Thank you Trevuren!! :tazz:
  • 0

Advertisements

#11
Trevuren
Posted 26 September 2005 - 06:54 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please post a fresh HJT log for review so we can commence final but essential cleanup procedures.

Regards,

Trevuren
  • 0

#12
fyvel
Posted 26 September 2005 - 07:00 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here it is....


Logfile of HijackThis v1.99.1
Scan saved at 9:59:57 PM, on 26/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{177C387C-2F6F-4000-90AA-DD10F468FC9A}: NameServer = 142.177.1.2 142.177.129.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{177C387C-2F6F-4000-90AA-DD10F468FC9A}: NameServer = 142.177.1.2 142.177.129.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0

#13
Trevuren
Posted 26 September 2005 - 07:17 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren
  • 0

#14
fyvel
Posted 26 September 2005 - 07:26 PM

fyvel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you!!
  • 0

#15
Trevuren
Posted 26 September 2005 - 07:27 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
My Pleasure


Trevuren
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP