
Winfixer 2005 [CLOSED]


  • This topic is locked

#1
13thwonder

    Member
  • 20 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:10:03 PM, on 11/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjc\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...489/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2
OwNt

    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, 13thwonder.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\ddawu.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\uwadd.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll
    O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end; click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3
13thwonder

    Member
  • Topic Starter
  • 20 posts
Hey, I'm doing the ActiveScan right now. It gave me a choice of what to check; I just clicked on My Computer. Am I supposed to scan all of the choices? Also, after I ran the CleanUp! program, I rebooted accidentally. Did that mess anything up?

#4
OwNt

    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, 13thwonder.

My Computer was the right choice.

Rebooting didn't hurt anything, no.

May I see the logs, though?

#5
13thwonder

    Member
  • Topic Starter
  • 20 posts
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\ddawu.dll

The second filepath entered was C:\WINDOWS\System32\uwadd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'


Killing PID 200 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\ddawu.dll Deleted sucessfully.
C:\WINDOWS\System32\uwadd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------




============================

Logfile of HijackThis v1.99.1
Scan saved at 4:11:40 PM, on 11/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjc\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...489/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



===============

The ActiveScan is still running....

Edited by 13thwonder, 22 November 2005 - 03:12 PM.


#6
13thwonder

    Member
  • Topic Starter
  • 20 posts
Here is the ActiveScan report...


Incident Status Location

Adware:adware/azesearch Not disinfected C:\myvbs.vbs
Spyware:spyware/virtumonde Not disinfected Windows Registry
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\acs\acssetup.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\asp\aspsetup.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\coach\aolcinst.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\deskbar\deskbr.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\flash\flashax.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\ocp\ocpinst.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\port\pmsetup.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\qt\qt.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\sysinfo\sinfinst.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\tb\tbsetup.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\toolbar\toolbr.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\tpspd\tssetup.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\comps\vwpt\vwpt.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\itunessetup.exe
Virus:W32/Jeefo Not disinfected C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpitunes_setupSTUS\setup90.exe
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-3c2eb8aa-271e6688.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-2133b899-71ddf77b.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-954a4ec-34762b31.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1543d5aa-4f34d3f0.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1543d5aa-4f34d3f0.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1543d5aa-4f34d3f0.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Devon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1543d5aa-4f34d3f0.zip[Installer.class]
Virus:W32/Jeefo Not disinfected C:\Download\Azureus_2.3.0.2_Win32.setup.exe
Virus:W32/Jeefo Not disinfected C:\downloads\BitTorrent-3.4.2.exe
Virus:W32/Jeefo Not disinfected C:\downloads\HijackThis.exe
Virus:W32/Jeefo Not disinfected C:\downloads\spybotsd13.exe
Virus:W32/Jeefo Not disinfected C:\DRIVERS\MOUSE\ONBOARD\APOINT.EXE
Virus:W32/Jeefo Not disinfected C:\DRIVERS\MOUSE\ONBOARD\EZCAPT.EXE
Virus:W32/Jeefo Not disinfected C:\DRIVERS\MOUSE\ONBOARD\UNINSTAP.EXE
Virus:W32/Jeefo Not disinfected C:\hjc\HijackThis.exe
Virus:W32/Jeefo Not disinfected C:\I386\accwiz.exe
Virus:W32/Jeefo Not disinfected C:\I386\AGENTSVR.EXE
Virus:W32/Jeefo Not disinfected C:\I386\CONF.EXE
Virus:W32/Jeefo Not disinfected C:\I386\DLIMPORT.EXE
Virus:W32/Jeefo Not disinfected C:\I386\DRW\DWWIN.EXE
Virus:W32/Jeefo Not disinfected C:\I386\DWWIN.EXE
Virus:W32/Jeefo Not disinfected C:\I386\dxdiag.exe
Virus:W32/Jeefo Not disinfected C:\I386\EUDCEDIT.EXE
Virus:W32/Jeefo Not disinfected C:\I386\fxsclnt.exe
Virus:W32/Jeefo Not disinfected C:\I386\fxscover.exe
Virus:W32/Jeefo Not disinfected C:\I386\HELPCTR.EXE
Virus:W32/Jeefo Not disinfected C:\I386\ICWCONN1.EXE
Virus:W32/Jeefo Not disinfected C:\I386\KB814078.EXE
Virus:W32/Jeefo Not disinfected C:\I386\KB823182.EXE
Virus:W32/Jeefo Not disinfected C:\I386\KB825119.EXE
Virus:W32/Jeefo Not disinfected C:\I386\KB828035.EXE
Virus:W32/Jeefo Not disinfected C:\I386\KB838989.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Keyhook.exe
Virus:W32/Jeefo Not disinfected C:\I386\LOGONUI.EXE
Virus:W32/Jeefo Not disinfected C:\I386\migwiz.exe
Virus:W32/Jeefo Not disinfected C:\I386\MIGWIZ_A.EXE
Virus:W32/Jeefo Not disinfected C:\I386\MMC.EXE
Virus:W32/Jeefo Not disinfected C:\I386\MOBSYNC.EXE
Virus:W32/Jeefo Not disinfected C:\I386\MPLAY32.EXE
Virus:W32/Jeefo Not disinfected C:\I386\MSHEARTS.EXE
Virus:W32/Jeefo Not disinfected C:\I386\MSPAINT.EXE
Virus:W32/Jeefo Not disinfected C:\I386\MSTSC.EXE
Virus:W32/Jeefo Not disinfected C:\I386\NETSETUP.EXE
Virus:W32/Jeefo Not disinfected C:\I386\orun32.exe
Virus:W32/Jeefo Not disinfected C:\I386\osk.exe
Virus:W32/Jeefo Not disinfected C:\I386\ounins32_s.exe
Virus:W32/Jeefo Not disinfected C:\I386\PINBALL.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q327979.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q328213.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q329112.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q329623.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q329909.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q811789.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q813862.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q816486.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q816981.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q817472.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q817611.EXE
Virus:W32/Jeefo Not disinfected C:\I386\Q831167.EXE
Virus:W32/Jeefo Not disinfected C:\I386\QTPluginInstaller.exe
Virus:W32/Jeefo Not disinfected C:\I386\REGEDIT.EXE
Virus:W32/Jeefo Not disinfected C:\I386\RSTRUI.EXE
Virus:W32/Jeefo Not disinfected C:\I386\SETUP_WM.EXE
Virus:W32/Jeefo Not disinfected C:\I386\sistray.exe
Virus:W32/Jeefo Not disinfected C:\I386\SNDREC32.EXE
Virus:W32/Jeefo Not disinfected C:\I386\SNDVOL32.EXE
Virus:W32/Jeefo Not disinfected C:\I386\SPIDER.EXE
Virus:W32/Jeefo Not disinfected C:\I386\SYSOCMGR.EXE
Virus:W32/Jeefo Not disinfected C:\I386\SYSPARSE.EXE
Virus:W32/Jeefo Not disinfected C:\I386\TASKMGR.EXE
Virus:W32/Jeefo Not disinfected C:\I386\tfswcmd.exe
Virus:W32/Jeefo Not disinfected C:\I386\tfswctrl.exe
Virus:W32/Jeefo Not disinfected C:\I386\TOUR.EXE
Virus:W32/Jeefo Not disinfected C:\I386\tourstart.exe
Virus:W32/Jeefo Not disinfected C:\I386\UNREGMP2.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WBEMTEST.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WIAACMGR.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WINMINE.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WMIADAP.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WMIPRVSE.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WMPLAYER.EXE
Virus:W32/Jeefo Not disinfected C:\I386\WSCRIPT.EXE
Virus:W32/Jeefo Not disinfected C:\I386\wuauclt.exe
Virus:W32/Jeefo Not disinfected C:\I386\wuauclt1.exe
Virus:Trj/Downloader.CVB Not disinfected C:\ms32.tmp
Virus:W32/Jeefo Not disinfected C:\Program Files\3ivx\3ivx D4 4.5.1\3ivxConfig.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\ImageReady.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Required\Droplet Template.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Aged Photo.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Conditional Mode Change.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Constrain to 300 pixels.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Constrain to 64 pixels.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Drop Shadow Frame.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Make Button.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Make Sepia Tone.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Save As JPEG Medium.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Adobe\Photoshop 7.0\Samples\Droplets\Photoshop Droplets\Save As Photoshop PDF.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Age of Mythology\aom.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Age of Mythology\ar505enu.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Age of Mythology\autopatcher.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Age of Mythology\dw15.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Age of Mythology\instapup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Age of Mythology\UNINSTAL.EXE
Virus:W32/Jeefo Not disinfected C:\Program Files\AIM\aimauto.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\AIM\Sysfiles\AIMWDInstall.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\AIM\Sysfiles\viewpoint.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Virus:W32/Jeefo Not disinfected C:\Program Files\AIM\uninstll.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\AIM\unwise32.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\AOD\AolAod.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Apoint\Apoint.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Apoint\Ezcapt.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Apoint\Uninstap.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Azureus\Azureus.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Adobe\Workflow\AdobeWorkgroupHelper.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\AOL\Backup\ACS\Current\US\acssetup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acssetup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.EXE
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Borland Shared\BDE\bdeadmin.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Corel\Shared\Writing Tools\12\WT12sptlEN.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver2.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\knlwrap.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Microsoft Shared\Office10\DW.EXE
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Nullsoft\ActiveX\2.3\AOLMediaPlaybackControl.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Nullsoft\ActiveX\2.4\AOLMediaPlaybackControl.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Nullsoft\ActiveX\AOLMediaPlaybackControl.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\coolpro2\COOLTIPS.EXE
Virus:W32/Jeefo Not disinfected C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.EXE
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Digital Jukebox Drivers\PdeSrv2.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\JBSeries2Drv\PdeSrv2.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{24C8EE9E-CACE-4C60-8B1F-E2317BC2B510}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{24F30DB9-CBD0-420A-B39D-3BB5655E5334}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{542A04D2-5975-4FE3-9B47-8A708648CEA9}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{6BA84DD0-959B-47F3-A69E-908FA76FB07A}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{7034285D-DFC3-42E5-B957-93A2622BC737}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{8FDE0001-5FA4-45E6-8BD8-61EDEFE3EFDC}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{932A7BED-387F-440F-9C95-F77FC6A4B843}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{B661BAD0-C7B4-40A0-AA2E-64612316D766}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{BEF6363C-7A4A-421D-903C-24D785FF7B7B}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{E98B553D-C3DD-440C-AB4C-DA61E6AF72F4}.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\PCM2.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\Media Experience\PCMService.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\SolutionCenter\DellSC.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Dell\SolutionCenter\Register.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\DivX\DivX\bgregister.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\DivX\DivX Player\DivX Player.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\EA GAMES\The Sims 2\TSBin\Sims2a.old.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\EA GAMES\The Sims 2\TSBin\Sims2exe.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Google\Gmail Notifier\gnotify.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Google\Google Talk\googletalk-1.0.0.76\googletalk-setup-upgrade.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{138EE4BB-1288-4C13-9309-F934E47083F2}\setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{15F5C98B-756F-4752-8820-5D91A155A3BD}\setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{3AF92CF6-1231-4579-9FAC-B3FEC1A7C053}\setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{55332E6C-F97D-4F90-92A6-86C75BA49EFB}\setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{B43F0944-1C3D-4ADF-9D53-A93963A50B7D}\setup.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\is.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
Virus:W32/Jeefo Not disinfected C:\Program Files\Java\j2re1.4.2_03\javaws\javaws.exe

#7
OwNt

    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, 13thwonder.

Please open Hijackthis, scan, and place a checkmark by the following entries:

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll (file missing)
O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)


Close all open windows/browsers and click Fix Checked.

Please then download AVG and install it. Reboot if it asks.

Then do a Full System Scan with it.

Post back the results of the AVG scan and a new Hijackthis log, please.

#8
13thwonder

    Member
  • Topic Starter
  • 20 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:36:43 PM, on 11/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\hjc\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...489/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


======


How do I post the results of the AVG scan?

#9
OwNt

    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, 13thwonder.

I just need you to tell me, after you did the full system scan, did it find anything it didn't repair/quarantine/delete?

Please open Hijackthis, scan, and place a checkmark by the following entries:

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll (file missing)
O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)


Close all open windows/browsers and click Fix Checked.

I'd also like you to see if a file is legit or not.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\svchost.exe
  • Click on the submit button
  • Please post the results in your next reply.
Please reboot and post a fresh Hijackthis log.
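Added example, not code from the thread or from HijackThis/VundoFix: a small Python triage of a HijackThis log that mechanises the two checks OwNt makes by eye, the ddawu.dll BHO + Winlogon Notify pair that VundoFix is pointed at in post #2 (together with its reversed-stem companion uwadd.*) and the svchost.exe running from C:\WINDOWS rather than System32 that post #9 sends to Jotti, plus the "(file missing)" leftovers that are fixed in HijackThis afterwards. The sample log is a constructed excerpt of the logs above, and the CORE_BINARIES set is my assumption.

```python
"""Triage helpers for a HijackThis 1.99 log, covering the checks made in this thread.
The sample input below is a constructed excerpt of the logs posted here."""
import re

# Constructed excerpt of 13thwonder's first log (not a live capture).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:10:03 PM, on 11/22/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjc\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\ddawu.dll
O20 - Winlogon Notify: ddawu - C:\WINDOWS\System32\ddawu.dll
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\msmi.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Core Windows binaries that run from %SystemRoot%\System32 on a clean XP install
# (my assumption, not a list from the thread). A same-named file elsewhere, like the
# thread's C:\WINDOWS\svchost.exe, is what OwNt asked to have checked at Jotti.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}


def parse_hjt(text):
    """Split a HijackThis log into its process list and its (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def entry_path(body):
    """Last ' - ' field of an entry body, with HijackThis's '(file missing)' tag removed."""
    return body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def vundo_candidates(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify handler (O20).

    That pairing is how the ddawu.dll entries in this thread present. The second
    path VundoFix is given in the thread is the DLL's stem reversed (ddawu -> uwadd.*),
    so the returned value for each hit is that companion pattern.
    """
    by_path = {}
    for code, body in entries:
        if code in ("O2", "O20"):
            path = entry_path(body)
            by_path.setdefault(path.lower(), (path, set()))[1].add(code)
    hits = {}
    for path, codes in by_path.values():
        if codes == {"O2", "O20"}:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            hits[path] = stem[::-1] + ".*"
    return hits


def misplaced_core_binaries(processes):
    """Running processes named like a core binary but not loaded from System32."""
    flagged = []
    for proc in processes:
        folder, _, name = proc.rpartition("\\")
        if name.lower() in CORE_BINARIES and not folder.lower().endswith("\\system32"):
            flagged.append(proc)
    return flagged


def orphaned_entries(entries):
    """O2/O20/O23 registrations whose target file HijackThis reports as missing.

    These are the leftover entries OwNt asks to have fixed once VundoFix removed the DLL.
    """
    return [(code, body) for code, body in entries
            if code in ("O2", "O20", "O23") and "(file missing)" in body]


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for dll, companion in vundo_candidates(ents).items():
        print(f"BHO + Winlogon Notify pair: {dll}  (companion to remove: {companion})")
    for proc in misplaced_core_binaries(procs):
        print(f"Core binary outside System32: {proc}")
    for code, body in orphaned_entries(ents):
        print(f"Registration with missing file: {code} - {body}")
```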

#10
OwNt

    Malware Expert
  • Retired Staff
  • 7,457 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





