Thanks OwNt:
Took me a while to get back, seems my dialup modem decided to go south, got that fixed.
I had to figure out how to navigate in Safe Mode 'cause all I had was a black screen until I used the Task Manager.
Didn't see the O2-BHO: MSEvents Object when I ran HJT and began checking boxes for fix. Saw the rest though. The last HJT log shows it now.
Also, when I went to the next step to delete the local settings\temp\LJ31.exe, it didn't exist in that folder. Maybe I could have run a search on it though.
I wasn't getting the "the web page you requested is not available offline. . ." boxes when I got back running.
Looks like the about : blank thing went away. But looks like I didn't get rid of the other guys on the first run.
Thanks a bunch again!
Here are the reports.
ActiveScanreport:
----------------------------------
Incident Status Location
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32
Spyware:spyware/virtumonde No disinfected Windows Registry
----------------------------------
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\System32\vtsts.dll
The second filepath entered was C:\WINDOWS\System32\ststv*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 132 'smss.exe'
Error, Cannot find a process with an image name of explorer.exe
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------
C:\WINDOWS\System32\vtsts.dll Deleted sucessfully.
C:\WINDOWS\System32\ststv* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:47:28 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1128994353\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\LVComS.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://my.netzero.ne...ch?r=minisearchR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://my.netzero.ne...ch?r=minisearchR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://my.netzero.ne...ch?r=minisearchR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://my.netzero.ne...ch?r=minisearchR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://my.netzero.ne...ch?r=minisearchR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://my.netzero.ne...ch?r=minisearchR3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bho - {6B5DF64E-ACE8-4761-98C1-543C1ABB4945} - C:\WINDOWS\system32\apjsywbx.dll (file missing)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\vtsts.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LJ31] C:\documents and settings\jan\local settings\temp\LJ31.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LJ31.exe] C:\documents and settings\jan\local settings\temp\LJ31.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128994353\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) -
http://65.184.221.60/XHD.cabO16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} -
http://download.side...00720/sb028.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.micros...b?1125262762937O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...b?1128703258437O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) -
http://66.56.215.207/RM.cabO16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
http://195.173.198.1...sCamControl.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoft...free/asinst.cabO16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
http://download.abac...abasetup160.cabO20 - Winlogon Notify: vtsts - C:\WINDOWS\System32\vtsts.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Edit 2 hours later:
Just did all malware updates, don't seem to be getting any un-requested pages popping up.
Edited by florient, 23 October 2005 - 08:11 PM.