virtumondo trojan



#1
texasgranpa

Have run everything in the "try this first"... Here is my log. Please help... I won't send out emails as I don't want to send this to anyone. It is horrible...
Will this also stop all the pop-ups? Doesn't seem that my MSN toolbar is blocking as many as I thought they should..
Do appreciate all your help.

Logfile of HijackThis v1.99.1
Scan saved at 3:02:12 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\??oolsv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: m
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: 127
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: 127
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: 127
O1 - Hosts: r.com
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: 0.1 xlo
O1 - Hosts: 127
O1 - Hosts: r.com
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: 1
O1 - Hosts: 1
O1 - Hosts: ml.411web.com
O1 - Hosts: 0.1 xlo
O1 - Hosts: 127
O1 - Hosts: r.com
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: 127.0.0
O1 - Hosts: 127.0.0
O1 - Hosts: tree.com #[MoneyTree Dialer]
O1 - Hosts: 1
O1 - Hosts: 1
O1 - Hosts: ml.411web.com
O1 - Hosts: 0.1 xlo
O1 - Hosts: 127
O1 - Hosts: r.com
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: R_CCT.A]
O1 - Hosts: 127.0.0
O1 - Hosts: 127.0.0
O1 - Hosts: tree.com #[MoneyTree Dialer]
O1 - Hosts: 1
O1 - Hosts: 1
O1 - Hosts: ml.411web.com
O1 - Hosts: 0.1 xlo
O1 - Hosts: 127
O1 - Hosts: r.com
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: hotlog.ru
O1 - Hosts: 5.buttonware.net
O1 - Hosts: R_CCT.A]
O1 - Hosts: 127.0.0
O1 - Hosts: 127.0.0
O1 - Hosts: tree.com #[MoneyTree Dialer]
O1 - Hosts: 1
O1 - Hosts: 1
O1 - Hosts: ml.411web.com
O1 - Hosts: 0.1 xlo
O1 - Hosts: 127
O1 - Hosts: r.com
O1 - Hosts: 1web.com
O1 - Hosts: 127
O1 - Hosts: z #[mt-download.com]
O1 - Hosts: .cqcounter.com
O1 - Hosts: .click-fr.com
O1 - Hosts: www2.surveyfocus
O1 - Hosts: .0.1 www2.survey-poll.com #[microsoft]
O1 - Hosts: hotlog.ru
O1 - Hosts: 5.buttonware.net
O1 - Hosts: R_CCT.A]
O1 - Hosts: 127.0.0
O1 - Hosts: 127.0.0
O1 - Hosts: tree.com #[MoneyTree Dialer]
O1 - Hosts: 1
O1 - Hosts: 1
O1 - Hosts: ml.411web.com
O1 - Hosts: 0.1 xlo
O1 - Hosts: 127
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CD04A8D-D912-FDEC-1E43-AA38044A95BE} - (no file)
O2 - BHO: (no name) - {3FDB6E0B-EA33-0ACC-8675-165578822B3E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\awvvv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [12a61f7cd6d7] C:\WINDOWS\system32\bthserv2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zkk] C:\WINDOWS\system32\??oolsv.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt ndrv
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?4cb310e3b32949a492d1c12fe86eaa31
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?4cb310e3b32949a492d1c12fe86eaa31
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: awvvv - C:\WINDOWS\system32\awvvv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\cwshredder.exe26oct05.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2
Wizard

Hi texasgranpa and Welcome to GeekstoGo!

This will take a few passes to complete, so please be patient with me!


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\awvvv.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\vvvwa.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: m
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: 127
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: 127
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: 127
    O1 - Hosts: r.com
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: 0.1 xlo
    O1 - Hosts: 127
    O1 - Hosts: r.com
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: 1
    O1 - Hosts: 1
    O1 - Hosts: ml.411web.com
    O1 - Hosts: 0.1 xlo
    O1 - Hosts: 127
    O1 - Hosts: r.com
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: 127.0.0
    O1 - Hosts: 127.0.0
    O1 - Hosts: tree.com #[MoneyTree Dialer]
    O1 - Hosts: 1
    O1 - Hosts: 1
    O1 - Hosts: ml.411web.com
    O1 - Hosts: 0.1 xlo
    O1 - Hosts: 127
    O1 - Hosts: r.com
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: R_CCT.A]
    O1 - Hosts: 127.0.0
    O1 - Hosts: 127.0.0
    O1 - Hosts: tree.com #[MoneyTree Dialer]
    O1 - Hosts: 1
    O1 - Hosts: 1
    O1 - Hosts: ml.411web.com
    O1 - Hosts: 0.1 xlo
    O1 - Hosts: 127
    O1 - Hosts: r.com
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: hotlog.ru
    O1 - Hosts: 5.buttonware.net
    O1 - Hosts: R_CCT.A]
    O1 - Hosts: 127.0.0
    O1 - Hosts: 127.0.0
    O1 - Hosts: tree.com #[MoneyTree Dialer]
    O1 - Hosts: 1
    O1 - Hosts: 1
    O1 - Hosts: ml.411web.com
    O1 - Hosts: 0.1 xlo
    O1 - Hosts: 127
    O1 - Hosts: r.com
    O1 - Hosts: 1web.com
    O1 - Hosts: 127
    O1 - Hosts: z #[mt-download.com]
    O1 - Hosts: .cqcounter.com
    O1 - Hosts: .click-fr.com
    O1 - Hosts: www2.surveyfocus
    O1 - Hosts: .0.1 www2.survey-poll.com #[microsoft]
    O1 - Hosts: hotlog.ru
    O1 - Hosts: 5.buttonware.net
    O1 - Hosts: R_CCT.A]
    O1 - Hosts: 127.0.0
    O1 - Hosts: 127.0.0
    O1 - Hosts: tree.com #[MoneyTree Dialer]
    O1 - Hosts: 1
    O1 - Hosts: 1
    O1 - Hosts: ml.411web.com
    O1 - Hosts: 0.1 xlo
    O1 - Hosts: 127

    O2 - BHO: (no name) - {2CD04A8D-D912-FDEC-1E43-AA38044A95BE} - (no file)

    O2 - BHO: (no name) - {3FDB6E0B-EA33-0ACC-8675-165578822B3E} - (no file)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\awvvv.dll

    O4 - HKCU\..\Run: [Zkk] C:\WINDOWS\system32\??oolsv.exe

    O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt ndrv

    O20 - Winlogon Notify: awvvv - C:\WINDOWS\system32\awvvv.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
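
The Vundo pattern the instructions above rely on (one system32 DLL registered both as a BHO and as a Winlogon Notify handler, with a companion file whose base name is the DLL's name spelt backwards) can be checked mechanically. The Python script below is an added example, not part of this thread or of VundoFix: it parses the O2/O4/O20 lines of a HijackThis 1.99 log (the sample lines are copied from the log posted in this topic) and reports candidate DLL pairs with the companion pattern to look for, orphaned BHO CLSIDs, and Run values whose path contains a character HijackThis could not render.

```python
"""Flag Vundo-style persistence in a HijackThis 1.99 log.

Vundo/Virtumonde (the infection in this thread) registers one DLL in
system32 both as an Internet Explorer BHO (HJT section O2) and as a
Winlogon Notify handler (section O20), and keeps a companion file whose
name is the DLL's base name reversed, which is why the VundoFix steps
ask for "awvvv.dll" followed by "vvvwa.*".
"""
import ntpath
import re

# Constructed sample: a handful of lines copied from the log posted in
# this topic, nothing invented beyond the selection.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CD04A8D-D912-FDEC-1E43-AA38044A95BE} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\awvvv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Zkk] C:\WINDOWS\system32\??oolsv.exe
O20 - Winlogon Notify: awvvv - C:\WINDOWS\system32\awvvv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Line shapes as HijackThis 1.99 prints them for the three sections we use.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def parse_hjt(text):
    """Return one dict per O2/O4/O20 line; every other section is skipped."""
    entries = []
    for line in text.splitlines():
        for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
            m = rx.match(line.strip())
            if m:
                entries.append({"section": section, **m.groupdict()})
                break
    return entries


def companion_pattern(dll_path):
    """Vundo's second file: same directory, base name reversed, any extension."""
    directory, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ".*")


def find_vundo_candidates(entries):
    """DLLs registered as both a BHO (O2) and a Winlogon Notify handler (O20)."""
    notify_paths = {e["path"].lower() for e in entries if e["section"] == "O20"}
    hits = []
    for e in entries:
        if e["section"] == "O2" and e["path"].lower() in notify_paths:
            hits.append((e["path"], companion_pattern(e["path"])))
    return hits


def find_orphan_bhos(entries):
    """CLSIDs still registered although the DLL is gone (HJT prints '(no file)')."""
    return [e["clsid"] for e in entries
            if e["section"] == "O2" and e["path"] == "(no file)"]


def find_unprintable_run_entries(entries):
    """'?' is not a legal Windows filename character; HJT prints it for
    characters it cannot render, so such a Run target deserves a look."""
    return [e["value"] for e in entries
            if e["section"] == "O4" and "?" in e["path"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for dll, pattern in find_vundo_candidates(parsed):
        print(f"Vundo-style pair: {dll} -> also look for {pattern}")
    print("orphaned BHO CLSIDs:", find_orphan_bhos(parsed))
    print("Run values with unrenderable paths:", find_unprintable_run_entries(parsed))
```

Feed it a full log instead of SAMPLE_LOG to triage a fresh scan; it only reads the log and never touches the registry or the files it names.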

#3
texasgranpa

Followed your directions below...


Here is the text from Oct 28. Have since run this again; just couldn't find a text file for it.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 128 'smss.exe'
Threads [132][136][140]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 740 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 204 'winlogon.exe'
File Deleted sucessfully.


This is the file from the Panda scan....
Incident Status Location

Spyware:spyware/overpro No disinfected C:\WINDOWS\SYSTEM32\adsmsext.exe
Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/toprebates No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/winad No disinfected C:\PROGRAM FILES\Winad Client
Spyware:spyware/searchcentrix No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\HijackThis\backups\backup-20051028-163630-306.dll.tcf
Adware:Adware/PurityScan No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAEF2D33-845C-403E-B730-F38E31\EDE77363-5EB2-4852-AD3E-7EAF54
Adware:Adware/PurityScan No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E1272508-6331-4B10-8E82-969DF6\5D27A1C8-D92C-4CF6-A4C2-CAE5D7
Adware:Adware/PurityScan No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E1272508-6331-4B10-8E82-969DF6\B56E6279-F39A-40CB-ADC1-1AA24E
Adware:Adware/KeenValue No disinfected C:\WINDOWS\Downloaded Program Files\imloader.exe.tcf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\acctres0.exe
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\adsmsext.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\awvvv.dll.tcf
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\bthserv2.exe.tcf
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\system32\bthserv8.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\system32\cdmodem2.dll.tcf
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\ddayv.dll
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\unwise56.exe




This is the Hijack file from tonight

Logfile of HijackThis v1.99.1
Scan saved at 9:10:04 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [12a61f7cd6d7] C:\WINDOWS\system32\bthserv2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?4cb310e3b32949a492d1c12fe86eaa31
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?4cb310e3b32949a492d1c12fe86eaa31
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDFD5FF5-15A4-479F-94FB-EE8689A1D224}: NameServer = 207.243.104.2 12.41.197.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\cwshredder.exe26oct05.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks bunches.... We're thinking that we will buy the McAfee whole package to see if we will be better protected. What is your take on this? This stuff just keeps coming. I have Avast, Microsoft Spyware something or another, Spybot, Adware. Run Trend frequently.... Any help will be appreciated.

#4
Wizard

Let's get started cleaning you up first.


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!


Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!

C:\WINDOWS\INF\polall1r.inf
C:\WINDOWS\sepsd.bin
C:\WINDOWS\Downloaded Program Files\imloader.exe.tcf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\Downloaded Program Files\WinadX.inf
C:\WINDOWS\system32\acctres0.exe
C:\WINDOWS\system32\adsmsext.exe
C:\WINDOWS\system32\awvvv.dll.tcf
C:\WINDOWS\system32\bthserv2.exe.tcf
C:\WINDOWS\system32\bthserv8.exe
C:\WINDOWS\system32\bthserv2.exe
C:\WINDOWS\system32\cdmodem2.dll.tcf
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\unwise56.exe
C:\PROGRAM FILES\Winad Client
C:\Program Files\apsi\wtta.exe
C:\Program Files\apsi


Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingc...al62.html#winxp


Once in Safe Mode, run each of those entries through Killbox again, one at a time, to confirm nothing survived.

As you paste each entry into Killbox, place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [12a61f7cd6d7] C:\WINDOWS\system32\bthserv2.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Still in Safe Mode,From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient.

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply>>Close>>Follow the Prompts to Restart


Restart Normal and have the PC scanned here
http://support.f-sec.../home/ols.shtml


Post back with a fresh HijackThis log and the reports from WinPFind and F-Secure

Edited by Cretemonster, 04 November 2005 - 05:01 AM.
