Trojan.Vundo identified by Symantec AV



#1 ruegemeraa (Member)
Sorry this is not in text format - login timed out, so I saved it as a Word doc before re-logging in here.

Problem started with pop-up ads in early Sep 2005, particularly when in IE. Winfixer 2005 was almost always one of the pop-up ads! Based on Kim Komando info, downloaded and replaced my HOSTS file. It stopped almost all pop-ups, but then would get 50-60 notices w/i 10 seconds, all saying could not access websites (is this a result of the HOSTS file change?).

On 14 Oct got Symantec AntiVirus Notification of Trojan.Vundo from Realtime Protection Scan. I tried to delete the notification but it continued to provide more notifications about every 2 seconds. I shut down my PC and disabled the connection to the internet while researching (a problem since my phone system is VOIP and also shuts down when I disable the internet connection). After researching your site using a friend's PC, spent 10 hours last night doing all the downloads and scans and tests per your website for suspected malware.

Results:
1. No problem connecting to internet other than getting very slow (did NOT run WinsockXPFix);
2. Ran Clean manager;
3. downloaded new version of Ad-aware SE (uninstalled old version) - no problems identified;
4. downloaded and ran CWShredder - no problems identified;
5. checked Rogue/Suspect lists - no problems identified;
6. downloaded and ran Ewido Scty Suite - found and cleaned 10 items: 6 Spyware.Mini-bug, 1 Spyware.MySearch, 1 Spyware.Cookie.com and 2 Heuristic.Win32.AVKiller (will add log at end);
7. ran Trend Housecall - took over 150 minutes to run :tazz: - found 1 med risk vulnerability in ASP.NET (said fix in MS05-004 but could not open link);
8. downloaded and ran TrojanHunter - took over 60 minutes - no problems identified;
9. have all Windows Update EXCEPT Windows XP SP2 (wanted to change browser before downloading but.....);
10. did reboot and test and still get the Symantec AV Notification for Trojan.Vundo. Since it was after 3:00 am, shut down for the night (had received over 7000 Trojan.Vundo notifications from Symantec by then!);
11. downloaded and ran Hijack This - will add log at end.

System info:
1. Run Windows XP home Edition;
2. Use IE as browser;
3. Use MS Office 2000;
4. Use Norton Anti-Virus Corporate edition with daily scan and auto live updates;
5. Use Spybot Search and Destroy weekly;
6. Use Ad-aware weekly;
7. Have hi-speed DSL thru cable TV company and VOIP (Packet 8 or 8x8.inc) also thru cable TV using cable modem;
8. Have Freedom Zone Alarm firewall that came with PC but not confident it is working right ?
9. Have Belkin Etherfast Cable/DSL router (NOT wireless);
10. Have HP Pavilion 754n system bought in Sep 2003.

Other problem information:
1. Have used AWS Weatherbug since new until about 30 days ago when I upgraded? it and it will no longer provide the local radar and satellite images (in folder says MiniBugTransporterXClass file damaged ?) Would like to continue using it if we can get it to work but some threads on Google says this file is ad-ware and should not be loaded. Your comments and help please?

2. Occasionally get message when trying to shutdown PC for the night that sgtray.exe is not responding to shut down process. Eventually will close if I leave it running. What is problem here?

3. GeeksToGo website login: have registered on your website and tried to login probably 5 times over last 2 days and it keeps saying wrong password every time! I finally use Lost Password option to reset it and access your website. Next time I try to login I get wrong password again. I am positive I am using correct password. What is my problem here?

4. I know I need to download the Windows XP SP2 as soon as this is all fixed. After analyzing all my info, logs and reports, providing any additional guidance, comments, recommendations to do PRIOR to downloading SP2 would be greatly appreciated.....

SCAN REPORTS/LOGS (Ewido Scty Suite, Hijack This) follow:

EWIDO SECURITY SUITE
---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 11:03:09 PM, 10/16/2005
+ Report-Checksum: 2356619F

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2342 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2342 127.0.0.1:51202 CLOSE_WAIT
TCP 127.0.0.1:51201 0.0.0.0:0 LISTENING
TCP 127.0.0.1:51202 0.0.0.0:0 LISTENING
TCP 127.0.0.1:51203 0.0.0.0:0 LISTENING
TCP 127.0.0.1:51204 0.0.0.0:0 LISTENING
TCP 127.0.0.1:51206 0.0.0.0:0 LISTENING
TCP 192.168.1.101:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1029
UDP 0.0.0.0:1052
UDP 0.0.0.0:1053
UDP 0.0.0.0:1055
UDP 0.0.0.0:1068
UDP 127.0.0.1:123
UDP 127.0.0.1:1033
UDP 127.0.0.1:1045
UDP 127.0.0.1:1064
UDP 127.0.0.1:1900
UDP 192.168.1.101:123
UDP 192.168.1.101:137
UDP 192.168.1.101:138
UDP 192.168.1.101:1900

---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 11:03:42 PM, 10/16/2005
+ Report-Checksum: 2A041F65

0: System Process
4: System Process
144: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
308: c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
652: C:\HP\KBD\KBD.EXE
748: C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
828: \SystemRoot\System32\smss.exe
844: C:\windows\system\hpsysdrv.exe
864: C:\WINDOWS\System32\hkcmd.exe
876: \??\C:\WINDOWS\system32\csrss.exe
900: \??\C:\WINDOWS\system32\winlogon.exe
920: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
944: C:\WINDOWS\system32\services.exe
956: C:\WINDOWS\system32\lsass.exe
1100: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
1128: C:\WINDOWS\system32\svchost.exe
1312: C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
1356: C:\WINDOWS\System32\svchost.exe
1568: C:\Program Files\Internet Explorer\IEXPLORE.EXE
1612: C:\WINDOWS\System32\svchost.exe
1648: C:\WINDOWS\System32\svchost.exe
1820: C:\WINDOWS\system32\LEXBCES.EXE
1848: C:\WINDOWS\system32\spoolsv.exe
1856: C:\WINDOWS\system32\LEXPPS.EXE
2004: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
2016: C:\Program Files\Common Files\Command Software\dvpapi.exe
2092: C:\WINDOWS\ALCXMNTR.EXE
2132: C:\WINDOWS\System32\shpc32.exe
2156: C:\Program Files\Ewido Scty Suites\security suite\securitysuite.exe
2188: C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
2236: C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
2436: C:\Program Files\Ewido Scty Suites\security suite\ewidoguard.exe
2572: C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
2616: C:\WINDOWS\System32\wuauclt.exe
2908: C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
3128: C:\WINDOWS\System32\svchost.exe
3704: C:\WINDOWS\explorer.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:01:32 PM, 10/16/2005
+ Report-Checksum: 5B3BE917

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\.Owner -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1825742884-1222602259-1949773262-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\464ff1fc477d74c6820da4f114404e4c75de8f78/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\464ff1fc477d74c6820da4f114404e4c75de8f78/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup


::Report End

---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 11:02:50 PM, 10/16/2005
+ Report-Checksum: 41405CF

Reg\HKLM\Run GW Port Controller C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
Reg\HKLM\Run nwiz nwiz.exe /installquiet /keeploaded
Reg\HKLM\Run Zero Knowledge Freedom C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
Reg\HKLM\Run SHPC32 shpc32.exe
Reg\HKLM\Run xkstartup RunDll32 InstZ82.dll,SetUsbPrinterPort
Reg\HKCU\Run NVIEW rundll32.exe nview.dll,nViewLoadHook
Reg\HKCU\Run Weather C:\Program Files\AWS\WeatherBug\Weather.exe 1
Reg\HKCU\Run Freedom C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
Reg\HKLM\Run BlockTracker c:\hp\bin\BlockTracker.exe
Reg\HKLM\Run HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
Reg\HKLM\Run Share-to-Web Namespace Daemon c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Reg\HKLM\Run CamMonitor c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
Reg\HKLM\Run KBD C:\HP\KBD\KBD.EXE
Reg\HKLM\Run StorageGuard "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
Reg\HKLM\Run AutoTBar C:\hp\bin\autotbar.exe
Reg\HKLM\Run Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
Reg\HKLM\Run NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
Reg\HKCU\Run SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Reg\HKLM\Run PS2 C:\WINDOWS\system32\ps2.exe
Reg\HKLM\Run LexStart lexstart.exe
Reg\HKLM\Run vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
Reg\HKLM\Run REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Reg\HKLM\Run AlcxMonitor ALCXMNTR.EXE
Reg\HKLM\Run hpsysdrv c:\windows\system\hpsysdrv.exe
Reg\HKLM\Run IgfxTray C:\WINDOWS\System32\igfxtray.exe
Shell\CommonStartup hp center UI.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
Shell\CommonStartup hp center.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Shell\CommonStartup Quicken Scheduled Updates.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
Shell\CommonStartup SmarThru Engine.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SmarThru Engine.lnk
Shell\UserStartup WxBugManUpgrade605.exe C:\Documents and Settings\Owner\Start Menu\Programs\Startup\WxBugManUpgrade605.exe
Shell\CommonStartup Adobe Reader Speed Launch.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

HIJACK THIS SCAN

Logfile of HijackThis v1.99.1
Scan saved at 9:22:14 PM, on 10/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
C:\Program Files\Ewido Scty Suites\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\shpc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddccb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [GW Port Controller] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WxBugManUpgrade605.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SmarThru Engine.lnk = C:\Program Files\Lexmark\SmarThru\QS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.hotmail.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I am new to this type of forum use (as well as first trojan infection) .....do I need to continuously check this forum to watch for a reply or is a notice/message sent to my email? If I selected anonymous use of the forum, will this prevent you from providing feedback? What is approx time to expect response (minutes, hours, days, weeks ? )

Thanks in advance.........ruegemeraa
#2 Danny (Visiting Staff)
Hi,


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINDOWS\System32\ddccb.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\System32\bccdd.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:enter hjt items here
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan. Save the log.

Now, download Hoster Here: http://www.funkytoad...load/hoster.zip

Please do not use program yet

Unzip Hoster to your desktop

Open up the Hoster program.

* Make sure that the "make hosts writable?" button in the upper right corner is enabled.
* Click back up Host files
* then click Restore original host files
* close program

Now, get results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Danny :tazz:

#3 ruegemeraa (Topic Starter)
Danny:
Thanks for the reply. Appreciate your help, but did not get very far in your instructions without running into problems:

1. Successfully downloaded VundoFix
2. Rebooted into safe mode - got a black screen with "safe mode" in all 4 corners and "Microsoft ® Windows XP ® (Build 2600.xpsp2.050301-1526: Service pack 1)" across the top. It froze on this screen.
3. I got to the Task Manager using "cntl, alt, delete" and using "Run ..." command was able to open VundoFix folder and doubleclicked on "KillVundo" file
4. Got 1st quote you identified (except said version V2.15, not V2.13)
5. After enter, got the 2nd quote you identified except "Then F6, Then Enter Again to continue with the fix" was not in this quote.
6. I entered the "C:\WINDOWS\System32\ddccb.dll" info as instructed exactly (are letters case sensitive? - I entered as if they were), and then pressed enter.
7. Then pressed F6 which inserted "^Z" after colon (not quotation marks, just 2 characters inside quote marks).
8. Then pressed enter which DID NOT bring up the next quote as you indicated. INSTEAD, got info starting with "Killing Processes...." and info about delete not a recognized command, and "fixing registry" Could not copy this info, or not sure how to copy it and to where (could not find way to get to Word or Notepad)? HijackThis also opened at this time.
9. So was NOT able to enter the 2nd file path per your directions.
10. Attempted to close all windows in order to send you this info and ask for further directions, however, once I closed the HijackThis and VundoFix screens, I was back to the Safe Mode screen but was locked up...could not access Task Manager or anything else (all keys frozen). ...could not even turn off computer (power button failed to turn off PC). So I unplugged PC from power, waited 2 minutes, replugged in and rebooted and was able to get back online to send you this posting.

What next?? also.....

over the weekend I downloaded Zone Labs free firewall and turned off the firewall software that came with my HP PC (Freedom Firewall think it was called) because when I checked the log it (Freedom) said it had expired. Also, decision based on Kim Komando website tip.

#4 Danny (Visiting Staff)
New Version of VundoFix:

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\ddccb.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\bccdd.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items (if present) and click FIX CHECKED :
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddccb.dll
    O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Danny :tazz:

Edited by Danny, 24 October 2005 - 07:41 PM.

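As an added illustration of what the two HijackThis lines in the fix above have in common (example code written for this page, not part of the thread, HijackThis or VundoFix): the script groups O2 BHO and O20 Winlogon Notify entries by the DLL they load and flags a System32 DLL that is hooked both ways under a random-looking five-letter name, deriving the reversed-name companion (bccdd.* for ddccb.dll) that VundoFix is asked for above. The five-lowercase-letter test is an assumption drawn from this thread, and the sample log is a few lines copied from the log in post #1 plus legitimate entries that must not be flagged.

```python
"""Triage HijackThis O2/O20 lines for the Vundo pattern discussed in this thread."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Line formats of the two HijackThis sections the fix above targets.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")

# Assumption taken from this thread (ddccb.dll / bccdd.*): the dropped DLL has a
# short all-lowercase random name and a companion file carries the reversed name.
RANDOM_STEM = re.compile(r"^[a-z]{5}$")

# Sample: lines copied from the HijackThis log in post #1 (ddccb, SDHelper,
# igfxcui, NavLogon). Only ddccb.dll should be flagged.
HJT_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddccb.dll
O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""


def parse_hooks(log_text):
    """Group O2 (BHO) and O20 (Winlogon Notify) entries by the DLL they load."""
    hooks = defaultdict(lambda: {"display": None, "O2": [], "O20": []})
    for line in log_text.splitlines():
        line = line.strip()
        for kind, pattern in (("O2", O2_RE), ("O20", O20_RE)):
            m = pattern.match(line)
            if m:
                path = m.group("path").strip()
                entry = hooks[path.lower()]          # case-insensitive key
                entry["display"] = entry["display"] or path
                entry[kind].append(m.group("name"))
                break
    return dict(hooks)


def in_system32(path_lower):
    """True for a file sitting directly in the Windows System32 directory."""
    parts = PureWindowsPath(path_lower).parts
    return len(parts) == 4 and parts[1] == "windows" and parts[2] == "system32"


def find_vundo_candidates(log_text):
    """Return System32 DLLs hooked as both BHO and Winlogon Notify under a random name."""
    findings = []
    for key, entry in parse_hooks(log_text).items():
        if not in_system32(key):
            continue
        stem = PureWindowsPath(key).stem
        if entry["O2"] and entry["O20"] and RANDOM_STEM.match(stem):
            findings.append({
                "dll": entry["display"],
                "stem": stem,
                "companion_glob": stem[::-1] + ".*",   # bccdd.* for ddccb.dll
                "hook_types": ["O2", "O20"],
                "bho_names": entry["O2"],
                "notify_names": entry["O20"],
            })
    return findings


if __name__ == "__main__":
    for f in find_vundo_candidates(HJT_LOG):
        print(f"{f['dll']}: hooked as {', '.join(f['hook_types'])}; "
              f"also look for companion {f['companion_glob']}")
```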

#5 ruegemeraa (Topic Starter)
Danny:
Thanks for the update. Will proceed with your instructions shortly unless this info changes your guidance:
Just FYI......about 30 days ago I replaced my HOSTS file with a "canned" version recommended on Kim Komando site, designed to prevent identified adware website requests (pop-up ads) from going to the designated website by putting code (think it was 0.0.127 ??) before identified adware website identification in HOSTS file and keep my PC on my designated website. See www.komando.com and search her Tips folder for HOSTS file info for her tip on it or let me know and I can send it to you.
Does this change your guidance? I noted all the HOSTS File changes in your guidance which reminded me of this change I made a while ago.
I will proceed with your guidance as soon as Norton AV finishes running in another 30-45 minutes unless I hear from you before then.
........ruegemeraa

#6
Danny (Visiting Staff)
Ah ok...Forget hoster :tazz:

#7
ruegemeraa (Member, Topic Starter)
What hoster? The Hoster software in your first version of instructions (from Sat) was not included in the instructions you sent this morn.

Or did you mean for me to delete all the O1 - Hosts: xxx.xxx.com lines from the HijackThis instructions for FIX CHECKED right after I run VundoFix?

Also, correction to last posting....the custom HOSTS file I replaced mine with are DNS listings. Each line starts with 127.0.0.1 which is my IP address. So all bad websites listed are routed to my IP address instead of the bad websites IP address...

So proceed as original instructions from this morn? Or delete the O1 - Hosts: xxx.xxx.xxx lines from HiJackThis FIX CHECKED instructions?

#8
Danny (Visiting Staff)
Ok.. Don't check the O1's for fixing (I'll edit that out)

#9
ruegemeraa (Member, Topic Starter)
Danny:
I noted today I no longer get the Norton AV notices that they had identified the Trojan.Vundo virus.

I also noted my firewall successfully blocked numerous attempts the last 2 days from 24.178.38.190 to access my computer. Is there some way to find out who or what website this is and why? Is it the Virtumondo Trojan website trying to communicate to determine if I still have the Trojan in my system? I read up on Virtumondo on Panda website after running ActiveScan and it described this process.

Here are the results of the tests you requested:

1. Completed VundoFix w/o checking the O1 - Hosts: lines.
O2 - BHO: MSEvents Object line was not there (did it get deleted in last night's aborted VundoFix run?) However it is there on my last HijackThis log included below ? ! ? ! ?
O20 - Winlogon Notify: ddccb...... was there but had (file missing) at end of the line
I still ran FIX CHECKED but did not have any items checked as a result of above 3 items.
2. Completed CleanUp - freed up 21.3 MB from 2997 files
3. Completed ActiveScan (attempted 3 times before it actually ran - said was error on (web)page)
4. results follow:

ActiveScan results:

Incident: Spyware:spyware/virtumonde
Status: No disinfected
Location: WindowsRegistry

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:21 AM, on 10/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\shpc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: ads.weather.com
O1 - Hosts: tracker.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: c3.thecounter.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: cker.com
O1 - Hosts: cker.com
O1 - Hosts: iendfinder.com
O1 - Hosts: pyAd]
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: c3.thecounter.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: 0.1 clit10.sextracker.com
O1 - Hosts: xtracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: iendfinder.com
O1 - Hosts: pyAd]
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: c3.thecounter.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: 1 dl.surfenhance.com #[IE-SpyAd]
O1 - Hosts: t]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: 0.1 clit10.sextracker.com
O1 - Hosts: xtracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddccb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [GW Port Controller] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WxBugManUpgrade605.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SmarThru Engine.lnk = C:\Program Files\Lexmark\SmarThru\QS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.hotmail.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

VundoFix Text file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
VundoFix.exe
vundofix.txt

--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\ddccb.dll

The second filepath entered was C:\WINDOWS\System32\bccdd.*

--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------

Killing PID 132 'smss.exe'

Killing PID 684 'explorer.exe'

Killing PID 204 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\ddccb.dll Deleted sucessfully.
C:\WINDOWS\System32\bccdd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

What is the next step to finally rid my PC of this nemesis? Thanks........ruegemeraa

#10
Danny (Visiting Staff)
Hi,

Open HijackThis, click the "Scan" button and check the following items:

O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - (no file)
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddccb.dll (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll (file missing)


Close all windows except HijackThis, and click the "Fix Checked" button.

Reboot and post a new log.

Danny :tazz:
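As an added illustration (not code from this thread, HijackThis or VundoFix), the following Python script applies the triage rule Danny is using here to log lines of the kind posted above: an O2 BHO or O20 Winlogon Notify entry whose DLL is reported as "(no file)" or "(file missing)" is a dangling registration to fix, while O1 Hosts entries from a deliberately installed blocklist are only counted. The sample log, the reversed-name companion check (modelled on the ddccb.dll / bccdd.* pair VundoFix removed) and the wording of the actions are my own assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the shape of the HijackThis v1.99.1 logs posted in this thread
# (same entry types; the Spybot SDHelper and igfxcui lines are the benign controls).
SAMPLE_LOG = r"""
O1 - Hosts: ads.weather.com
O1 - Hosts: c3.thecounter.com
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddccb.dll (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# HijackThis prints a CLSID as {8-4-4-4-12} hex groups.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + CLSID + r") - (?P<target>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: ")


@dataclass
class Finding:
    entry: str   # the log line as posted
    reason: str  # why it is suspicious
    action: str  # what a helper would ask the poster to do


def target_is_missing(target: str) -> bool:
    """HijackThis shows a dangling registration as '(no file)' or '<path> (file missing)'."""
    return target == "(no file)" or target.endswith("(file missing)")


def dll_stem(target: str) -> str:
    """'C:\\WINDOWS\\System32\\ddccb.dll (file missing)' -> 'ddccb'."""
    path = target.removesuffix(" (file missing)").strip()
    return PureWindowsPath(path).stem


def reversed_companion(stem: str) -> str:
    """Heuristic only (assumption): the VundoFix run in this thread deleted ddccb.dll
    together with bccdd.*, the same name spelled backwards, so the reversed stem is
    worth looking for in the same folder."""
    return stem[::-1]


def triage(log_text: str) -> tuple[list[Finding], int]:
    """Return (findings, number of O1 hosts overrides) for a HijackThis log."""
    findings: list[Finding] = []
    hosts_overrides = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if HOSTS_RE.match(line):
            # A custom blocklist (127.0.0.1 -> ad host) shows up here by the dozen; the
            # poster installed it on purpose, so count these rather than flag them.
            hosts_overrides += 1
            continue
        m = BHO_RE.match(line)
        if m:
            if target_is_missing(m["target"]):
                findings.append(Finding(
                    line,
                    f"BHO {m['clsid']} is registered but its DLL is gone",
                    "tick it in HijackThis and use Fix checked"))
            continue
        m = NOTIFY_RE.match(line)
        if m and target_is_missing(m["target"]):
            stem = dll_stem(m["target"])
            findings.append(Finding(
                line,
                f"Winlogon Notify hook '{m['key']}' loads a missing DLL at every logon",
                f"tick it in HijackThis; also check System32 for {reversed_companion(stem)}.*"))
    return findings, hosts_overrides


if __name__ == "__main__":
    found, overrides = triage(SAMPLE_LOG)
    print(f"{overrides} hosts overrides (left alone)")
    for f in found:
        print(f"{f.entry}\n    why: {f.reason}\n    do:  {f.action}")
```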


#11
ruegemeraa (Member, Topic Starter)
Thanks, Danny.

Completed your directions.

Noted the O20 - Winlogon Notify line is gone.

However, all 3 of the O2 - BHO lines are still there; the 3rd one (MSEvents Object) is now only identified with (no name) and (no file) as the first 2 were yesterday.

Do we need to get all 3 of those lines totally deleted? Or just identified with (no name) and (no file) as they currently are?

Thanks for your continued help.....ruegemeraa

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Logfile of HijackThis v1.99.1
Scan saved at 12:10:46 AM, on 10/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\shpc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: ads.weather.com
O1 - Hosts: tracker.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: tracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: c3.thecounter.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: cker.com
O1 - Hosts: cker.com
O1 - Hosts: iendfinder.com
O1 - Hosts: pyAd]
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: c3.thecounter.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: 0.1 clit10.sextracker.com
O1 - Hosts: xtracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O1 - Hosts: iendfinder.com
O1 - Hosts: pyAd]
O1 - Hosts: t][Adware.Istbar]
O1 - Hosts: 127.0.
O1 - Hosts: .0.0.1 adrevservice.com
O1 - Hosts: 127.0.
O1 - Hosts: .1 stats.adrevservice.com #[Linkzilla Control]
O1 - Hosts: c3.thecounter.com
O1 - Hosts: gecash.com
O1 - Hosts: iondrugs.com
O1 - Hosts: r.Exploit]
O1 - Hosts: .0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]
O1 - Hosts: 1 dl.surfenhance.com #[IE-SpyAd]
O1 - Hosts: t]
O1 - Hosts: boss.com #[IE-SpyAd]
O1 - Hosts: www.engine-find.info
O1 - Hosts: tracker.com
O1 - Hosts: 0.1 clit10.sextracker.com
O1 - Hosts: xtracker.com
O1 - Hosts: stx12.sextracker.com
O1 - Hosts: .0.0.1 stx15.sextracker.com
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - (no file)
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [GW Port Controller] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WxBugManUpgrade605.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SmarThru Engine.lnk = C:\Program Files\Lexmark\SmarThru\QS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.hotmail.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12
Danny (Visiting Staff)
Hi,

You need to reset your hosts file. To do this, click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

After you reset your hosts file, redownload that file, and try to edit your hosts file again.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can reenable TeaTimer once your system is clean.

Now, open HJT, click the "Scan" button and check the following items:

O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - (no file)
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - (no file)
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)


Close all windows except HijackThis, and click the "Fix Checked" button.

Reboot and post a new log.

Danny :tazz:

#13
ruegemeraa (Member, Topic Starter)
Danny:
Attempted to complete per your instructions but had some difficulties:

1. I could not download HostsFileReader - said I did not have authority to do so. Attempted to download from your download page, got the software description but no link or button to begin download.

2. I had saved my original HOSTS file (had renamed it) so removed the custom HOSTS file and renamed the original HOSTS file back to HOSTS. I can download the custom HOSTS file from Kim Komando when my PC is clean again, unless you want me to do it now so HJT can check it?

3. Turned off Spybot's TeaTimer. I kept ZoneAlarm Firewall and Symantec AV running however. OK ?

4. New HJT log posted below. Looks like the O2 and O20 lines are finally cleaned up.

5. FYI....after running Symantec AV today, got a notification that read:
"found Trojan.Vundo file C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP436\A0032308.dll"
and also said:
"delete succeeded; access denied. Thursday October 27, 2005 4:43:11 pm."
Presume this means Symantec was able to delete restore file containing the trojan?

6. also FYI.....still having problems with login to GeeksToGo webpage. I have to reset password (lost password option) every time I log off and try to login again. Real pain in the you know what !! ....is this related to this malware problem or something different? Is it related to my inability to download HostsFileReader?

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Logfile of HijackThis v1.99.1
Scan saved at 1:42:40 AM, on 10/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\shpc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [GW Port Controller] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: WxBugManUpgrade605.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SmarThru Engine.lnk = C:\Program Files\Lexmark\SmarThru\QS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.hotmail.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Scty Suites\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0
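The O4 lines in the log above are the autostart entries a reviewer has to go through one by one, and several of them name only a file (ALCXMNTR.EXE, shpc32.exe, lexstart.exe) or a rundll32 host rather than a full path. The following PowerShell triage helper is an added example, not part of the thread or of HijackThis itself: it parses O4 lines into objects and flags the ones that cannot be judged from the log alone. The function name and the flag names (BareImage, Rundll32Host, UserWritablePath) are this example's own; the sample lines are copied from the log posted above.

```powershell
# Added triage helper for the O4 (autostart) lines of a HijackThis log. This is
# not part of the thread or of HijackThis; the function and flag names are this
# example's own, and the flags mark what a reviewer still has to check by hand.

# Constructed sample: O4 lines copied from the log posted above.
$HjtSample = @'
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: WxBugManUpgrade605.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
'@

function ConvertFrom-HjtO4 {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Two shapes: "O4 - <hive>\..\Run: [<name>] <command>" and
        # "O4 - [Global ]Startup: <file>[ = <target>]".
        if ($line -notmatch '^O4 - (?<loc>[^:]+): (?:\[(?<name>[^\]]*)\] )?(?<cmd>.+)$') { continue }
        $location = $Matches['loc']
        $name     = if ($Matches['name']) { $Matches['name'] } else { $Matches['cmd'] }
        $command  = $Matches['cmd'].Trim()

        # Startup-folder shortcuts are logged as "<link> = <target>"; the target is what runs.
        if ($command -match '^(?<lnk>[^=]+) = (?<target>.+)$') {
            $name    = $Matches['lnk'].Trim()
            $command = $Matches['target'].Trim()
        }

        # The image is the quoted token, else the text up to the first executable
        # extension (unquoted paths may contain spaces), else the first token.
        if ($command -match '^"(?<img>[^"]+)"\s*(?<rest>.*)$') {
            $image = $Matches['img']; $argText = $Matches['rest']
        } elseif ($command -match '(?i)^(?<img>.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?<rest>.*))?$') {
            $image = $Matches['img']; $argText = "$($Matches['rest'])"
        } else {
            $parts = $command -split '\s+', 2
            $image = $parts[0]; $argText = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        }

        $flags = @()
        # A bare file name is resolved through the PATH and App Paths at logon, so the
        # log alone does not say which file runs. Locate it on disk before judging it.
        if ($image -notmatch '[\\/]' -and $location -ne 'Startup') { $flags += 'BareImage' }
        # rundll32 is only a host process; the DLL named in its arguments is the payload.
        if ($image -match '(?i)^(.*\\)?rundll32(\.exe)?$') {
            $flags += 'Rundll32Host'
            $image = ($argText -split '[,\s]', 2)[0]
        }
        # Per-user Startup folders and profile/temp paths are writable without admin rights.
        if ($location -eq 'Startup' -or
            $image -match '(?i)\\(Documents and Settings|Users|Temp|Local Settings)\\') {
            $flags += 'UserWritablePath'
        }

        [pscustomobject]@{
            Location = $location
            Name     = $name
            Image    = $image
            Flags    = ($flags -join ',')
        }
    }
}

ConvertFrom-HjtO4 -Lines ($HjtSample -split "`r?`n") | Format-Table -AutoSize
```

A flag is a work item, not a verdict: on the sample above, BareImage lands on ALCXMNTR.EXE, shpc32.exe, lexstart.exe and nwiz.exe, and Rundll32Host reduces the three rundll32 entries to the DLLs they actually load (NvQTwk, InstZ82.dll, nview.dll). The reviewer still has to find each of those files on disk and confirm its publisher, which is exactly the step the bare log line skips.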

#14
ruegemeraa (Topic Starter, Member, 17 posts)
Danny:
Hello.....you still there? Hope your Halloween was not too eventful. Have not heard back for over 3 days since I sent you my last HJT log and (hopefully) final questions on my system to be answered.
....ruegemeraa
  • 0

#15
Danny (Visiting Staff, Member, 684 posts)
Hi,

Sorry about the late reply :)

You can now turn TeaTimer back on :)

Also, the GeeksToGo password issue has to deal with this site. PM an admin to see what they have to say.

---------------

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus (these are also free for personal use): It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

Danny :tazz:
  • 0
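Danny's two closing steps, re-hiding system files and discarding the old restore points before creating a fresh one, can be done from an elevated PowerShell prompt instead of the Explorer and System Properties dialogs. The script below is an added example, not part of the thread: the registry values it sets are the ones behind the Folder Options checkboxes (Hidden and ShowSuperHidden under Explorer\Advanced), the System Restore cmdlets are the standard Microsoft.PowerShell.Management ones, and the function names and the restore-point description are this example's own.

```powershell
# Added example: Danny's two "last steps" done from an elevated PowerShell prompt.
# Not part of the thread; function names and the checkpoint description are this
# example's own, the registry values and cmdlets are standard Windows ones.

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Hide-SystemFiles {
    # Hidden = 2           -> "Do not show hidden files and folders"
    # ShowSuperHidden = 0  -> "Hide protected operating system files (recommended)" checked
    Set-ItemProperty -Path $Advanced -Name Hidden          -Value 2 -Type DWord
    Set-ItemProperty -Path $Advanced -Name ShowSuperHidden -Value 0 -Type DWord
}

function Test-SystemFilesHidden {
    # Returns $true when both Folder Options settings are back at their safe defaults.
    $p = Get-ItemProperty -Path $Advanced
    return ($p.Hidden -eq 2 -and $p.ShowSuperHidden -eq 0)
}

function Reset-RestorePoints {
    param([string]$Drive = 'C:\')
    # Turning System Restore off discards every existing restore point, which is the
    # only way to drop infected copies held under System Volume Information. Turning it
    # back on starts with an empty set; the checkpoint gives you a known-clean baseline.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}

Hide-SystemFiles
Reset-RestorePoints -Drive 'C:\'
Test-SystemFilesHidden   # expected: True
```

The Folder Options change is per user and only takes effect in Explorer windows opened after it (or after Explorer restarts), and the restore cmdlets need an elevated session. Danny's manual version reboots between disabling and re-enabling System Restore; the cmdlets do not require that, but on Windows 8 and later Checkpoint-Computer silently skips the new point if one was already created in the last 24 hours, so check the result with Get-ComputerRestorePoint if you run this right after a Windows Update cycle.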