Vundo last resort [RESOLVED]

#1 trk95 (New Member, 9 posts)

Hey guys... great forum. Everyone here seems very helpful. Well... I hope it wouldn't come to this, but I have that [bleep] WinFixer trojan. I'm very new to all this, including HijackThis, so here goes. Can you give me pretty detailed instructions while you're helping? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 7:18:36 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\devldr32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\tc\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\WINDOWS\system32\awtur.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFerret] E:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120225742533
O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe

#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Hi trk95 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.



Please print these instructions out for use in Safe Mode.

1. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINDOWS\system32\awtur.dll

  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):


    C:\WINDOWS\system32\rutwa.*

  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:


    O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\WINDOWS\system32\awtur.dll
    O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll



  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
2. Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

3. Then, please run this online virus scan: ActiveScan

4. Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Regards,

Trevuren
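The cleanup in this post ties three HijackThis entries that all point at the same DLL (an O2 BHO and an O20 Winlogon Notify hook on awtur.dll) to a second file with the name reversed (rutwa.*). As an added example that is not part of the thread, of HijackThis or of VundoFix, the following Python script parses HijackThis-style log lines, flags any DLL registered both as a BHO and as a Winlogon Notify package, builds the reversed-name companion glob from the directory in the log entry (so on this log it yields an E: path, because that is where the log says the DLL lives), and lists the entries to tick in HijackThis, including dangling "(no file)" / "(file missing)" references. The sample lines are copied from the first log in this thread; the BHO+Winlogon rule and the reversed-name pairing mirror what the post above does and are heuristics, not a definition of Vundo.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\WINDOWS\system32\awtur.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path in the body, up to a binary extension; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str          # "O2", "O20", ...
    body: str             # everything after the section tag
    path: Optional[str]   # first file path in the body, if any
    missing: bool         # HijackThis reported the target file as absent

    @property
    def basename(self) -> Optional[str]:
        return ntpath.basename(self.path).lower() if self.path else None


def parse_hjt(text: str) -> list[Entry]:
    """Parse 'Oxx - ...' lines; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            path=pm.group(0) if pm else None,
            missing=any(marker in body for marker in MISSING_MARKERS),
        ))
    return entries


def vundo_candidates(entries: list[Entry]) -> list[dict]:
    """A DLL loaded both as an IE BHO (O2) and as a Winlogon Notify package (O20)
    is the load pattern this thread is removing; report it together with the
    reversed-name companion glob, built from the directory found in the log."""
    sections_by_dll = defaultdict(set)
    path_by_dll = {}
    for e in entries:
        if e.basename and e.basename.endswith(".dll"):
            sections_by_dll[e.basename].add(e.section)
            path_by_dll[e.basename] = e.path
    found = []
    for name, sections in sections_by_dll.items():
        if {"O2", "O20"} <= sections:
            stem = ntpath.splitext(name)[0]
            directory = ntpath.dirname(path_by_dll[name])
            found.append({
                "dll": path_by_dll[name],
                "name": name,
                "sections": sorted(sections),
                # Companion glob exactly as the post pairs it: stem reversed, any extension.
                "reversed_glob": ntpath.join(directory, stem[::-1] + ".*"),
            })
    return found


def fix_list(entries: list[Entry], candidates: list[dict]) -> list[str]:
    """Lines to tick in HijackThis: every entry referencing a flagged DLL, plus
    dangling entries whose target file HijackThis could not find."""
    flagged = {c["name"] for c in candidates}
    return [f"{e.section} - {e.body}" for e in entries
            if e.missing or e.basename in flagged]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    cands = vundo_candidates(entries)
    for c in cands:
        print(f"flagged {c['dll']} (sections {', '.join(c['sections'])})")
        print(f"  second filepath for VundoFix: {c['reversed_glob']}")
    print("entries to fix in HijackThis:")
    for line in fix_list(entries, cands):
        print("  " + line)
```

Run against the sample, the script flags awtur.dll once, derives E:\WINDOWS\system32\rutwa.* as the companion glob, and produces the same three entries the post tells the user to check; NavLogon.dll is left alone because it is only a Winlogon Notify package, not also a BHO.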


#3 trk95 (Topic Starter, New Member, 9 posts)

OK, here are the results. Looks like the first time didn't do it. Keep in mind that I only use my C drive as storage. The E drive is where everything sits.

ACTIVE SCAN RESULTS:

Incident Status Location
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM\BTIEIN.DLL
Spyware:Spyware/WinWhatWhere Not disinfected C:\WINDOWS\SYSTEM\aa81232.exe
Adware:Adware/SideStep Not disinfected C:\WINDOWS\SYSTEM\SideStep026.exe
Adware:Adware/SideStep Not disinfected C:\WINDOWS\SYSTEM\httppost.exe
Adware:Adware/SideStep Not disinfected C:\WINDOWS\SYSTEM\SbCIe026.dll
Adware:Adware/NetPals Not disinfected C:\WINDOWS\SYSTEM\mamc0m.dll
Virus:Trojan Horse Not disinfected C:\WINDOWS\SYSTEM\GrlNt0i.dll
Adware:Adware/NetPals Not disinfected C:\WINDOWS\SYSTEM\Ud3rT0n5.dll
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\payload.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\TEMP\Sentry.cab[Sentry.exe]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\TEMP\Sentry.exe
Adware:Adware/WinTools Not disinfected C:\WINDOWS\TEMP\msiein\CAB37994.9430853009\btlink.dll
Adware:Adware/WinTools Not disinfected C:\WINDOWS\TEMP\msiein\CAB37994.9431850694\btlink.dll
Adware:Adware/WinTools Not disinfected C:\WINDOWS\TEMP\msiein\CAB37994.9432924769\btlink.dll
Dialer:Dialer.XH Not disinfected C:\WINDOWS\TEMP\ICD7.tmp\99930182.exe
Virus:Trj/Downloader.MO Not disinfected C:\WINDOWS\TEMP\ICD8.tmp\default.inf
Virus:Trj/Autodelete.A Not disinfected C:\WINDOWS\TEMP\ipjf.bat
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\flash.inf
Adware:Adware/SaveNow Not disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\od-stnd236.exe
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\od-stnd102.exe
Virus:Trj/Keyhost.A Not disinfected C:\WINDOWS\hostprep.exe
Virus:Trj/Runet.A Not disinfected C:\WINDOWS\system.css
Adware:Adware/eZula Not disinfected C:\Programs\iMeshV3.exe
Virus:Bck/IRCFlood.I Not disinfected C:\winnt\system32\msimp.reg
Virus:Bck/mIRCBased.F Not disinfected C:\winnt\system32\msthost.exe
Hacktool:HackTool/SRunner.A Not disinfected C:\winnt\system32\service.exe
Spyware:Spyware/Virtumonde Not disinfected E:\Documents and Settings\tc\Desktop\hijackthis\backups\backup-20051121-203107-563.dll
Dialer:Dialer.Gen Not disinfected E:\Documents and Settings\tc\My Documents\s2k.serials2k7.1.zip[s2k.hacking.exe]
Dialer:Dialer.Gen Not disinfected E:\Documents and Settings\tc\My Documents\Serials\s2k.hacking.exe
Virus:Trj/Multidropper.ABN Not disinfected E:\limewire\Propellerheads Recycle v2.1 Incl Keygen-H2o\Propellerheads.ReCycle.v2.1.Incl.Keygen-H2O\Setup.exe
Virus:Trj/Multidropper.ABN Not disinfected E:\limewire\Propellerheads Recycle v2.1 Incl Keygen-H2o.zip[Setup.exe]
Virus:Eicar.Mod Not disinfected E:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/Altnet Not disinfected E:\Program Files\PestPatrol\Quarantine\20040613131526358.zip[topsearch.dll]
Spyware:Spyware/Altnet Not disinfected E:\Program Files\PestPatrol\Quarantine\20040613131526358.zip[Points Manager.exe]
Adware:Adware/SearchAid Not disinfected E:\Program Files\PestPatrol\Quarantine\20040613131526358.zip[submithook.dll]
Adware:Adware/P2PNetworking Not disinfected E:\Program Files\PestPatrol\Quarantine\20050715134544917.zip[p2p networking.exe]
Adware:Adware/P2PNetworking Not disinfected E:\Program Files\PestPatrol\Quarantine\20050715134544917.zip[marshal.dll]
Adware:Adware/SearchWhat Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\mshp.cab[mshp.dll]
Adware:Adware/SearchWhat Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\mshp0.cab[mshp.dll]
Adware:Adware/SearchWhat Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\mshp1.cab[mshp.dll]
Adware:Adware/SearchWhat Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\mshp2.cab[mshp.dll]
Adware:Adware/SearchWhat Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\mshp3.cab[mshp.dll]
Adware:Adware/SearchWhat Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\mshp4.cab[mshp.dll]
Adware:Adware/KeenValue Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\PerfectNavUninstall.cab[PerfectNavUninstall.exe]
Adware:Adware/SearchAid Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\submithook.cab[submithook.dll]
Adware:Adware/SearchAid Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\submithook0.cab[submithook.dll]
Adware:Adware/SearchAid Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\submithook1.cab[submithook.dll]
Adware:Adware/SearchAid Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\submithook2.cab[submithook.dll]
Adware:Adware/SearchAid Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\submithook3.cab[submithook.dll]
Adware:Adware/P2PNetworking Not disinfected E:\Program Files\SpyFerret by OnlinePCfix\Archives\WebP2PInstaller.cab[WebP2PInstaller.dll]
Adware:Adware/SearchAid Not disinfected E:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/SearchAid Not disinfected E:\WINDOWS\crgx32.dll
Adware:Adware/SearchAid Not disinfected E:\WINDOWS\sdkqh32.dll
Virus:Trj/Hooker.S Not disinfected E:\WINDOWS\system32\awvts.dll
Virus:Trj/Hooker.S Not disinfected E:\WINDOWS\system32\ljhhi.dll
Virus:Bck/IRCFlood.M Not disinfected E:\WINDOWS\system32\~uninstal.exe
Virus:Bck/IRCFlood.I Not disinfected E:\WINDOWS\system32\~uninstal.exe[ms32.dll]
Virus:Bck/IRCFlood.I Not disinfected E:\WINDOWS\system32\~uninstal.exe[msimp.reg]
Virus:Bck/mIRCBased.F Not disinfected E:\WINDOWS\system32\~uninstal.exe[msthost.exe]
Virus:W32/Randon.CO.worm Not disinfected E:\WINDOWS\system32\~uninstal.exe[qos.dll]
Hacktool:HackTool/SRunner.A Not disinfected E:\WINDOWS\system32\~uninstal.exe[service.exe]
Virus:Bck/IRCFlood.I Not disinfected E:\WINDOWS\system32\~uninstal.exe[setsys.exe]
Virus:Bck/IRCFlood.M Not disinfected E:\WINDOWS\system32\~uninstal.exe[setuphlp.cmd]
HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:45:29 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\devldr32.exe
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\tc\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\WINDOWS\system32\awtur.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFerret] E:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120225742533
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe
VUNDOFIX.TXT

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\awtur.dll

The second filepath entered was C:\WINDOWS\system32\rutwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 184 'smss.exe'

Killing PID 808 'explorer.exe'
Killing PID 808 'explorer.exe'


Killing PID 264 'winlogon.exe'
Killing PID 264 'winlogon.exe'
Killing PID 264 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\awtur.dll Deleted sucessfully.
C:\WINDOWS\system32\rutwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)

It's gone

Please scan ALL your drives and post the log(s).

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite; it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update; click the OK button.
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren


#5 trk95 (Topic Starter, New Member, 9 posts)

Ok here are the ewido results:


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:14:30 AM, 11/22/2005
+ Report-Checksum: 94B9A304

+ Scan result:

HKU\S-1-5-21-57989841-1993962763-854245398-1003\Software\Adverts -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-57989841-1993962763-854245398-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
C:\WINDOWS\SYSTEM\krec32\keys32.dll -> TrojanSpy.KBMan : Cleaned with backup
C:\WINDOWS\SYSTEM\Update_Hosts.DLL -> Spyware.IGetNet : Cleaned with backup
C:\WINDOWS\SYSTEM\mamc0m.dll -> TrojanDownloader.Rameh.a : Cleaned with backup
C:\WINDOWS\SYSTEM\GrlNt0i.dll -> TrojanDownloader.Rameh.a : Cleaned with backup
C:\WINDOWS\SYSTEM\Ud3rT0n5.dll -> TrojanDownloader.Rameh.a : Cleaned with backup
C:\WINDOWS\TEMP\Sentry.cab/Sentry.exe -> TrojanDownloader.Stubby.b : Cleaned with backup
C:\WINDOWS\TEMP\Sentry.exe -> TrojanDownloader.Stubby.b : Cleaned with backup
C:\WINDOWS\TEMP\ICD3.tmp\btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\TEMP\ICD4.tmp\btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\TEMP\ICD5.tmp\btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\TEMP\ICD6.tmp\btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WUInst.dll -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\6JA7SDSV\btiein[1].cab/btiein.dll -> TrojanDownloader.QDown.w : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\O9AROH6R\680[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\O9AROH6R\500[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Cookies\default@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINDOWS\Cookies\default@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\WINDOWS\Cookies\default@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\WINDOWS\Cookies\default@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\Cookies\default@cz4.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\default@cz3.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\default@cz9.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\default@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\default@hestia.sextrail.trakkerd[2].txt -> Spyware.Cookie.Trakkerd : Cleaned with backup
C:\WINDOWS\Cookies\default@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Cookies\default@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\Cookies\default@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Cookies\default@paycounter[3].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\WINDOWS\Cookies\default@ad-flow[2].txt -> Spyware.Cookie.Ad-flow : Cleaned with backup
C:\WINDOWS\Cookies\default@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\WINDOWS\Cookies\default@ads.specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\WINDOWS\Cookies\default@ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINDOWS\Cookies\default@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\default@c.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\WINDOWS\Cookies\default@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\WINDOWS\Cookies\default@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Cookies\default@www.statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\WINDOWS\Cookies\default@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Cookies\default@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\WINDOWS\Cookies\default@x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\WINDOWS\Cookies\default@count.xhit[1].txt -> Spyware.Cookie.Xhit : Cleaned with backup
C:\WINDOWS\Cookies\default@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\default@adserv.internetfuel[1].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\WINDOWS\Cookies\default@www.sex-in-www[2].txt -> Spyware.Cookie.Sex-in-www : Cleaned with backup
C:\WINDOWS\Cookies\default@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\WINDOWS\Cookies\default@www7.paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Cookies\default@hotlog[2].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\WINDOWS\Cookies\default@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\WINDOWS\Cookies\default@ads.x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\WINDOWS\Cookies\default@z1.adserver[2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\Cookies\default@trafficmp[3].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Cookies\default@pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\WINDOWS\Cookies\default@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\WINDOWS\Cookies\default@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\WINDOWS\Cookies\default@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Cookies\default@addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINDOWS\Cookies\default@com[3].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\Cookies\default@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\default@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\Cookies\default@clickagents[2].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\WINDOWS\Cookies\default@xxxcounter[3].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\WINDOWS\Cookies\default@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\WINDOWS\Cookies\default@ads.specificpop[3].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\WINDOWS\Cookies\default@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\Cookies\default@ad-flow[3].txt -> Spyware.Cookie.Ad-flow : Cleaned with backup
C:\WINDOWS\Cookies\default@c.porngraph[2].txt -> Spyware.Cookie.Porngraph : Cleaned with backup
C:\WINDOWS\Cookies\default@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\WINDOWS\Cookies\default@internetfuel[2].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\WINDOWS\Cookies\default@hotlog[3].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\WINDOWS\Cookies\default@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINDOWS\Cookies\default@mediatrack.revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINDOWS\Cookies\default@xxxtoolbar[2].txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\WINDOWS\Cookies\default@a.as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\Cookies\default@xxxcounter[4].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\WINDOWS\Cookies\default@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\Cookies\default@edge.ru4[3].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINDOWS\Cookies\default@z1.adserver[3].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\Cookies\default@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\WINDOWS\Cookies\default@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\Cookies\default@c.porngraph[1].txt -> Spyware.Cookie.Porngraph : Cleaned with backup
C:\WINDOWS\Cookies\default@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Cookies\default@tribalfusion[3].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Cookies\default@bluestreak[3].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\WINDOWS\Cookies\default@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\WINDOWS\Cookies\default@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\WINDOWS\Cookies\default@paycounter[2].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\WINDOWS\Cookies\default@counter6.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\WINDOWS\Cookies\default@overture[4].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Cookies\default@counter12.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\WINDOWS\Cookies\default@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\WINDOWS\Cookies\default@hg1.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\Cookies\default@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\WINDOWS\Cookies\default@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Cookies\default@revenue[3].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINDOWS\Cookies\default@data.coremetrics[2].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\WINDOWS\Cookies\default@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\WINDOWS\Cookies\default@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\default@com[4].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\Cookies\default@ehg-nike.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\Cookies\default@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\WINDOWS\Cookies\default@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\Cookies\default@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\WINDOWS\Cookies\default@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\Cookies\default@questionmarket[3].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\WINDOWS\Cookies\default@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\Cookies\default@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\WINDOWS\Cookies\default@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\WINDOWS\od-stnd236.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\od-stnd102.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\hostprep.exe -> Spyware.BiSpy : Cleaned with backup
C:\Programs\mce.zip/Matrix Code Emulator.scr -> Backdoor.Backattack.20.C : Error during cleaning
C:\winnt\system32\tcp.dll -> Backdoor.Zapchast : Cleaned with backup
C:\winnt\system32\lssas.exe -> Backdoor.ServU-based : Cleaned with backup
E:\Documents and Settings\tc\Desktop\hijackthis\backups\backup-20051121-203107-563.dll -> Spyware.Virtumonde : Cleaned with backup
E:\Documents and Settings\tc\My Documents\i_bpk_lite.exe/Setup.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
E:\Documents and Settings\tc\My Documents\s2k.serials2k7.1.zip/s2k.hacking.exe -> Dialer.Generic : Error during cleaning
E:\Documents and Settings\tc\My Documents\Serials\s2k.hacking.exe -> Dialer.Generic : Cleaned with backup
E:\limewire\Propellerheads Recycle v2.1 Incl Keygen-H2o\Propellerheads.ReCycle.v2.1.Incl.Keygen-H2O\Setup.exe -> TrojanDropper.ExeBundle.285 : Cleaned with backup
E:\limewire\Propellerheads Recycle v2.1 Incl Keygen-H2o.zip/Propellerheads.ReCycle.v2.1.Incl.Keygen-H2O/Setup.exe -> TrojanDropper.ExeBundle.285 : Error during cleaning
E:\Program Files\NetMeeting\MyWay\myBar\1.bin\MY2NS.EXE -> Spyware.MyWay : Cleaned with backup
E:\Program Files\NetMeeting\MyWay\myBar\1.bin\MYBAR.DLL -> Spyware.MyWay : Cleaned with backup
E:\Program Files\NetMeeting\MyWay\myBar\1.bin\NPMYWAY.DLL -> Spyware.MyWay : Cleaned with backup
E:\Program Files\Perfect Keylogger Lite\bpk.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
E:\Program Files\Perfect Keylogger Lite\bsdhooks.dll -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
E:\Program Files\Perfect Keylogger Lite\lview.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
E:\Program Files\Perfect Keylogger Lite\uninstall.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
E:\Program Files\Perfect Keyloggerkiller\bsdhooks.dll -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
E:\Program Files\PestPatrol\Quarantine\20040613131526358.zip/Program Files/kazaa/topsearch.dll -> Spyware.Altnet : Error during cleaning
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@atdmt[1].cab/tc@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@counter.cab/tc@counter.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@counter10.cab/tc@counter10.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@counter4.cab/tc@counter4.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@rccl.cab/tc@rccl.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@sexlist[1].cab/tc@sexlist[1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\tc@sextracker[2].cab/tc@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
E:\Program Files\SpyFerret by OnlinePCfix\Archives\WebP2PInstaller.cab/WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup
E:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.WinShow.af : Cleaned with backup
E:\WINDOWS\crgx32.dll -> TrojanDownloader.Wintrim.be : Cleaned with backup
E:\WINDOWS\sdkqh32.dll -> TrojanDownloader.Wintrim.be : Cleaned with backup
E:\WINDOWS\system32\awvts.dll -> TrojanDownloader.ConHook.l : Cleaned with backup
E:\WINDOWS\system32\ljhhi.dll -> TrojanDownloader.ConHook.l : Cleaned with backup
E:\WINDOWS\system32\~uninstal.exe/ms32.dll -> Backdoor.Zapchast : Error during cleaning


::Report End
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please post a fresh HJT log also.

Trevuren

  • 0

#7
trk95

trk95

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry...here is the hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:40:11 PM, on 11/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\devldr32.exe
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\iTunes\iTunes.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\tc\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\WINDOWS\system32\awtur.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFerret] E:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120225742533
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot".
    • End Explorer Shell While Killing File
    • From the main Killbox Window, Select Options>>Delete on Reboot>>Process all in List
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    E:\WINDOWS\crgx32.dll
    E:\WINDOWS\sdkqh32.dll
    E:\WINDOWS\system32\awvts.dll
    E:\WINDOWS\system32\ljhhi.dll
    C:\WINDOWS\SYSTEM\aa81232.exe
    C:\WINDOWS\SYSTEM\SideStep026.exe
    C:\WINDOWS\SYSTEM\httppost.exe
    C:\WINDOWS\SYSTEM\SbCIe026.dll
    C:\WINDOWS\SYSTEM\mamc0m.dll
    C:\WINDOWS\SYSTEM\GrlNt0i.dll
    C:\WINDOWS\SYSTEM\Ud3rT0n5.dll
    C:\WINDOWS\INF\payload.inf
    C:\WINDOWS\TEMP\msiein\CAB37994.9430853009\btlink.dll
    C:\WINDOWS\TEMP\msiein\CAB37994.9431850694\btlink.dll
    C:\WINDOWS\TEMP\msiein\CAB37994.9432924769\btlink.dll
    C:\WINDOWS\TEMP\ICD7.tmp\99930182.exe
    C:\WINDOWS\TEMP\ICD8.tmp\default.inf
    C:\WINDOWS\TEMP\ipjf.bat
    C:\WINDOWS\Downloaded Program Files\turbo.inf
    C:\WINDOWS\Downloaded Program Files\flash.inf
    C:\WINDOWS\Downloaded Program Files\WUInst.dll
    C:\WINDOWS\od-stnd236.exe
    C:\WINDOWS\od-stnd102.exe
    C:\WINDOWS\hostprep.exe
    C:\WINDOWS\system.css
    C:\Programs\iMeshV3.exe
    C:\winnt\system32\msimp.reg
    C:\winnt\system32\msthost.exe
    C:\winnt\system32\service.exe
    E:\Documents and Settings\tc\My Documents\Serials\s2k.hacking.exe
    E:\WINDOWS\system32\~uninstal.exe/ms32.dll


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

Regards,

Trevuren

  • 0

#9
trk95

trk95

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you so much. Are we done? Or is there more?
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\WINDOWS\system32\awtur.dll (file missing)
    O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System


  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
Regards,

Trevuren

  • 0

#11
trk95

trk95

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It doesn't seem like malware is an issue from what I can tell.


Logfile of HijackThis v1.99.1
Scan saved at 5:46:51 PM, on 11/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\devldr32.exe
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Documents and Settings\tc\Desktop\hijackthis\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFerret] E:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120225742533
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O20 - Winlogon Notify: awtur - E:\WINDOWS\system32\awtur.dll (file missing)

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System


  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
Regards,

Trevuren

  • 0
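The entries the two posts above ask the poster to tick follow a pattern worth checking mechanically: O2/O20 lines whose file is gone (orphan keys left after the DLL was deleted), and a BHO and a Winlogon Notify hook that both load the same unknown system32 DLL, which is how the infection shows up again in the later log (awtur.dll first, then ddaxy.dll). The triage script below is an added example, not code from the thread or from HijackThis; the regexes, the KNOWN_GOOD_NOTIFY list and the sample logs are assumptions constructed from the lines posted in this thread.

```python
"""Triage a HijackThis log for the Vundo/Virtumonde pattern in this thread.

Added example, not code from the thread or from HijackThis. Sample lines are
constructed from the entries posted in the thread; the "known good" list is an
assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# O2 (Browser Helper Object) and O20 (Winlogon Notify) entries, with the
# target path captured so the two kinds can be correlated by DLL name.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")

# Winlogon Notify handlers treated as legitimate here (assumption: NavLogon is
# the Symantec client seen in every log in this thread).
KNOWN_GOOD_NOTIFY = {"navlogon"}


@dataclass
class Finding:
    line: str    # the HJT line to tick before "Fix checked"
    reason: str


def _dll_stem(target: str) -> str:
    """Lower-cased file name without extension, ignoring HJT's status suffix."""
    path = target.replace("(file missing)", "").strip()
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O20 entries a helper would ask the poster to fix."""
    findings: List[Finding] = []
    bho_by_dll: Dict[str, str] = {}     # dll stem -> O2 line
    notify_by_dll: Dict[str, str] = {}  # dll stem -> O20 line (unknown handlers only)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding(line, "BHO registered but its file is gone: orphan CLSID"))
            else:
                bho_by_dll[_dll_stem(target)] = line
            continue
        m = O20_RE.match(line)
        if m:
            target = m.group("target")
            if target.endswith("(file missing)"):
                findings.append(Finding(line, "Winlogon Notify key points at a missing DLL: orphan key"))
            elif m.group("key").lower() not in KNOWN_GOOD_NOTIFY:
                notify_by_dll[_dll_stem(target)] = line
    # Vundo signature: a BHO and a Winlogon Notify hook loading the same
    # randomly named system32 DLL (awtur.dll, then ddaxy.dll, in this thread).
    for stem, o20_line in notify_by_dll.items():
        if stem in bho_by_dll:
            why = f"O2 BHO and O20 Winlogon Notify share unknown DLL {stem}.dll (Vundo-style pairing)"
            findings.append(Finding(bho_by_dll[stem], why))
            findings.append(Finding(o20_line, why))
        else:
            findings.append(Finding(o20_line, f"Unknown Winlogon Notify handler: {stem}"))
    return findings


# Constructed samples, reduced to the entries that matter from the thread's logs.
LOG_ORPHANS = """\
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - E:\\WINDOWS\\system32\\awtur.dll (file missing)
O20 - Winlogon Notify: awtur - E:\\WINDOWS\\system32\\awtur.dll (file missing)
O20 - Winlogon Notify: NavLogon - E:\\WINDOWS\\System32\\NavLogon.dll
"""
LOG_REINFECTED = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - E:\\WINDOWS\\system32\\ddaxy.dll
O20 - Winlogon Notify: ddaxy - E:\\WINDOWS\\system32\\ddaxy.dll
O20 - Winlogon Notify: NavLogon - E:\\WINDOWS\\System32\\NavLogon.dll
"""
LOG_CLEAN = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O20 - Winlogon Notify: NavLogon - E:\\WINDOWS\\System32\\NavLogon.dll
"""

if __name__ == "__main__":
    for name, log in (("orphans", LOG_ORPHANS), ("reinfected", LOG_REINFECTED), ("clean", LOG_CLEAN)):
        print(f"== {name}")
        for f in triage(log):
            print(f"  {f.reason}\n    {f.line}")
```

On the orphan sample the script returns exactly the three lines ticked in the posts above; on the re-infection sample it pairs the ATLDistrib BHO with the ddaxy Winlogon Notify key, and the clean sample yields nothing.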

#13
trk95

trk95

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok....everything seems good.

Logfile of HijackThis v1.99.1
Scan saved at 10:56:43 PM, on 11/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\devldr32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Documents and Settings\tc\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFerret] E:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120225742533
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe
  • 0

#14
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"

3. Preventive measures:

Please read and follow the following advice by TonyKlein on how to reduce the potential for spyware infection in the future:

How Did I Get Infected in the First Place


Regards,

Trevuren

  • 0

#15
trk95

trk95

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Well buddy, I was gonna immunize my comp today off of the link you provided and boom, win fixer got me again. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 6:06:58 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\devldr32.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\tc\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - E:\WINDOWS\system32\ddaxy.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFerret] E:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120225742533
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: ddaxy - E:\WINDOWS\system32\ddaxy.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe
  • 0