[kilp]

open brower and after a while popup just pop up and when i try to close it other popup pop out. When I try run the Trend Micro it detect three infected file but it can only repair one other two cannot be access, these two are "java bytever.a and troj crypt.n

here my log

Logfile of HijackThis v1.99.1
Scan saved at 8:41:58 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Download Files\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38601471-64AE-4519-853A-FFCE890B52D3}: NameServer = 206.47.244.104 206.47.199.155
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\wangfamily\Desktop\CWShredder.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Advertisements]

Hi kilp and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

Please print these instructions out for use in Safe Mode.

Also note, one must be either logged in under the Administrator account or have administrator privileges to be able to successfully complete these procedures

1. Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please REBOOT your computer into Safe Mode.
  
  You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  
  
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this
  

  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net
  

• At this point press enter one time.
  
• Next you will see:
  

  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  
  
  • C:\WINDOWS\system32\ssqrq.dll
  
  
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  
  C:\WINDOWS\system32\qrqss.*
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

2. The fix will run then HijackThis will open.

• In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  
  
  • O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ssqrq.dll
    O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
  
  
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

3. Download and install CleanUp!

• Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
• Set the program up as follows:
• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following (Make sure nothing else is checked!):
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

[*]Click OK
[*]Press the CleanUp! button to start the program.
[*]It may ask you to reboot at the end, click NO.
[/list]4. Please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Regards,

Trevuren

[Trevuren]

Hi kilp and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

Please print these instructions out for use in Safe Mode.

Also note, one must be either logged in under the Administrator account or have administrator privileges to be able to successfully complete these procedures

1. Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please REBOOT your computer into Safe Mode.
  
  You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  
  
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this
  

  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net
  

• At this point press enter one time.
  
• Next you will see:
  

  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  
  
  • C:\WINDOWS\system32\ssqrq.dll
  
  
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  
  C:\WINDOWS\system32\qrqss.*
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

2. The fix will run then HijackThis will open.

• In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  
  
  • O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ssqrq.dll
    O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
  
  
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

3. Download and install CleanUp!

• Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
• Set the program up as follows:
• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following (Make sure nothing else is checked!):
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

[*]Click OK
[*]Press the CleanUp! button to start the program.
[*]It may ask you to reboot at the end, click NO.
[/list]4. Please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Regards,

Trevuren

[kilp]

thankyou for your time to help me out here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 11:44:25 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Download Files\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38601471-64AE-4519-853A-FFCE890B52D3}: NameServer = 206.47.244.104 206.47.199.155
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\wangfamily\Desktop\CWShredder.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



HERE THE RESULT OF ACTIVE SCAN


Incident Status Location

Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\conscorr.inf
Spyware:spyware/localnrd No disinfected C:\WINDOWS\INF\localNrd.inf
Spyware:spyware/searchcentrix No disinfected Windows Registry
Dialer:dialer.yc No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{c89bb48c-15d9-4f4f-803e-95d90f62be62}
Adware:adware/cleangetaway No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}
Adware:adware/alexa-toolbar No disinfected Windows Registry
Dialer:dialer.du No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Adware:adware/sidesearch No disinfected Windows Registry
Dialer:dialer.dk No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2048B51E-8D74-4762-82CE-B48CF545EEEA}
Adware:adware/xupiter No disinfected Windows Registry
Dialer:dialer.db No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{03FBB191-FB50-4154-91D7-587D5E3C3C9A}
Adware:adware/lop No disinfected Windows Registry
Dialer:dialer.bb No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0191ABF4-9421-435E-9FFD-CD827A2A82D8}
Adware:adware/xplugin No disinfected Windows Registry
Dialer:dialer.b No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CEFB7B49-9652-464F-8AFD-A577C0500F39}
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6d048d26-4c4b9464.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6d048d26-4c4b9464.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6d048d26-4c4b9464.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6d048d26-4c4b9464.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.RB0[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.RB0[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.RB0[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.RB0[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wangfamily\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-9275328-2ea24cd6.zip[Dummy.class]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNrd.inf
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\ounist.exe.tcf
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\proxya.exe.tcf
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\system32\c.bat
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\jkhhf.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\mljgd.dll
AND HERE THE VUNDOFIC TEXT


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 132 'smss.exe'
Threads [136][140][144]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 732 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 204 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.

[Trevuren]

The Vundo Fix was a success as usual. Time to do a cleanup of the rest of your system and we will finish with your log.

1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.

• Download Ad-Aware SE Personal 1.06:
  • Download Ad-Aware SE Personal 1.06.
  • Save aawsepersonal.exe to a convenient location.
• Install Ad-Aware SE Personal 1.06:
  • Double-click on aawsepersonal.exe to install the program.
  • Follow the default settings for installation.
  • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
• Update Ad-Aware SE Personal 1.06:
  • Double-click the Ad-Aware SE Personal icon on your desktop.
  • Click "Check for updates now" then click "Connect".
  • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
• Configure Ad-Aware SE Personal 1.06:
  • Click on the Gear button at the top of the window.
  • Click "General" on the left hand side to display the General Settings box.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • "Safe Mode (always request confirmation)"
      • "Prompt to update outdated definitions" - change to 7 days from the default 14.
  • Click "Scanning" on the left hand side to display the Scan Settings box.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    • "Scan within archives"
    • "Select drives & folders to scan" - select your hard drive(s).
    • "Scan active processes"
    • "Scan registry"
    • "Deep-scan registry"
    • "Scan my IE favorites for banned URLs"
    • "Scan my Hosts file"
  • Click "Advanced" on the left hand side to display the Advanced Settings box.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    • "Move deleted files to Recycle Bin"
    • "Include additional object information"
    • "Include negligible objects information"
    • "Include environment information"
  • Click "Defaults" on the left hand side to display the Default Settings box.
    • Make sure these items have your preferred settings in them.:
    • "Default homepage"
    • "Default searchpage"
  • Click "Tweak" on the left hand side to display the Tweak Settings box.
    • Click the + (plus) sign next to the Log Files section. This will expand the section.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Include basic Ad-Aware settings in log file"
      • "Include additional Ad-Aware settings in log file"
      • "Include reference summary in log file"
      • "Include alternate data stream details in log file"
    • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Unload recognized processes & modules during scan"
      • "Scan registry for all users instead of current user only"
      • "Obtain command line of scanned processes"
    • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Always try to unload modules before deletion"
      • "During removal, unload Explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot"
      • "Delete quarantined objects after restoring"
  • Once you are done with these settings, click "Proceed" to save them.
  • This will take you back to the main screen.
• Run Ad-Aware SE Personal 1.06:
  • Click the "Start" button.
  • Uncheck the "Search for negligible risk entries" entry.
  • Choose the "Use custom scanning options" scan mode.
  • Click the "Next" button.
  • Ad-Aware will begin to scan for malware residing on your computer.
  • Allow the scan to finish.
  • Right-click on any entry in the list and click "Select All" to select the whole list.
  • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

2. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

• Please download ewido security suite it is a trial version of the program.
  
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed.
• Once the updates are installed do the following:
  • REBOOT into Safe Mode
  • Run EWIDO
  • Click on scanner
  • Click on Start Scan
  • Let the program scan the machine
  • While the scan is in progress you will be prompted to clean files, click OK
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
• Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

Regards,

Trevuren

[kilp]

Here the new HJT log



Logfile of HijackThis v1.99.1
Scan saved at 10:03:25 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Download Files\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38601471-64AE-4519-853A-FFCE890B52D3}: NameServer = 206.47.244.104 206.47.199.155
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\wangfamily\Desktop\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Here the ewido. txt log



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:40:25 PM, 10/9/2005
+ Report-Checksum: F606DE7C

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
C:\WINDOWS\ounist.exe.tcf -> TrojanDownloader.IstBar.er : Cleaned with backup
C:\WINDOWS\proxya.exe.tcf -> TrojanDownloader.IstBar.er : Cleaned with backup
C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\system32\jkhhf.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\system32\mljgd.dll -> Trojan.Crypt.o : Cleaned with backup


::Report End

[Trevuren]

Don't worry about the Virtumonde references. They are orphaned registry entries. Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren

[kilp]

Yeah, I think everything is OK

[Trevuren]

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:

• Click Start. Open My Computer.
• Select the Tools menu and click Folder Options. Select the View Tab.
  
• Under the Hidden files and folders heading deselect "Show hidden files and folders".
• Check the "Hide protected operating system files (recommended)" option.
• Click Yes to confirm. Click OK.

2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE

• Right-click "My Computer", and then left click "Properties".
• Left click on "System Restore Tab"
• Check box beside "Turn Off System Restore"
• Left click on "Apply"

TO ENABLE SYSTEM RESTORE

• Remove check mark from "Turn Off System Restore"
• Click on "Apply"

Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

[Trevuren]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.