HELP! [CLOSED]

  • This topic is locked

#1
Jersey

    New Member

  • Member
  • 2 posts
I need help with getting rid of WinFixer pop-ups. I've tried all the recommended steps (adware scans, virus scans) and it still won't go away. I need help!! Please =) Log posted below.

Logfile of HijackThis v1.99.1
Scan saved at 8:05:51 AM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CleanUp!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pharmacy.vcu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp....e=EN&prodOS=012
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk361YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_30.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Jersey and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have a mixture of malware and the dreaded Virtumonde (Vundo B) infection. Let’s see what we can do with the first sweep.

First, download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs, and remove the following:

New.Net Applications or New.Net Domains in fact (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet.
At the very bottom of that page, it will say:

For NewDotNet removal instructions, please click here

That's where you need to click to get to removal procedure 4 (ONLY if you can't find the New.Net in Add/Remove programs).

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the programme. You will need to use another computer to come back here for further instructions on what to do.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter once.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ddccc.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system32\cccdd.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\svchost.exe
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\ddccc.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
    O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
    O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk361YYUS
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the programme then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programmes menu).
Set the programme up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the programme.

It may ask you to reboot at the end, click YES.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log from normal mode and the vundofix.txt file from the vundofix folder into this topic.
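The triage the helper performed on the HijackThis log above can be written down as a small script. This is an added example, not code from the thread, HijackThis or VundoFix; the Winlogon Notify allowlist, the WinFixer denylist and the reversed-name companion rule (ddccc.dll paired with cccdd.*) are assumptions modelled on the instructions in this post, and the sample lines are copied from the log in #1.

```python
"""Triage of HijackThis v1.99.1 log lines, applying the checks the helper
used in post #2. Added example: not code from the thread, HijackThis or
VundoFix. The Winlogon Notify allowlist, the WinFixer denylist and the
reversed-name companion rule are assumptions modelled on this thread."""
import ntpath
import re

# Constructed sample: a subset of the log posted in #1 (raw string, so the
# Windows backslashes are literal).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\ddccc.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_30.dll' missing
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# Winlogon Notify packages accepted without comment. Assumption: the XP
# defaults plus NavLogon (Symantec), which the helper left in place.
KNOWN_NOTIFY = {"navlogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Autorun entries the thread identifies as unwanted (from the page).
RUN_DENYLIST = ("winfixer",)


def companion_name(dll_path):
    """Vundo pairs its Winlogon Notify DLL with a file whose base name is the
    DLL's name reversed (ddccc.dll -> cccdd.*), which is why the helper had
    both paths entered into VundoFix."""
    folder, name = ntpath.split(dll_path)
    stem = ntpath.splitext(name)[0]
    return ntpath.join(folder, stem[::-1] + ".*")


def triage(log_text):
    """Return (line, reason) pairs for the entries that warrant attention."""
    findings = []
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]

    # Pass 1: unknown Winlogon Notify DLLs. Collected first so that a BHO
    # loading the same DLL can be tied to it in pass 2.
    bad_dlls = set()
    for line in lines:
        m = re.match(r"O20 - Winlogon Notify: (\S+) - (.+)$", line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            bad_dlls.add(m.group(2).lower())
            findings.append((line, "unknown Winlogon Notify DLL; VundoFix "
                             "companion path " + companion_name(m.group(2))))

    # Pass 2: the remaining section checks, one rule per HijackThis prefix.
    for line in lines:
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append((line, "URLSearchHook missing; fix restores default"))
        elif line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((line, "Shell= loads more than Explorer.exe"))
        elif line.startswith(("O2 - ", "O3 - ", "O9 - ")) and line.endswith("(no file)"):
            findings.append((line, "orphaned entry, file no longer present"))
        elif line.startswith("O2 - BHO:") and line.rsplit(" - ", 1)[-1].lower() in bad_dlls:
            findings.append((line, "BHO loads the flagged Winlogon Notify DLL"))
        elif line.startswith("O4 - ") and any(k in line.lower() for k in RUN_DENYLIST):
            findings.append((line, "autorun for software named in the thread"))
        elif line.startswith("O10 - Broken Internet access"):
            findings.append((line, "LSP provider missing; keep LSPFix ready"))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append((line, "site added to the Trusted Zone"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run against the sample, the script flags the same nine-line fix list the helper gave (minus the O8 entry, which needs a URL reputation rule the thread does not spell out) and leaves the Symantec, Adobe and NavLogon entries alone.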

#3
Jersey

    New Member

  • Topic Starter
  • Member
  • 2 posts
I've followed everything you said to do...pretty easy step by step stuff. Here's everything you asked for =) Thank you so much! I think I still have a sick laptop at the moment, from the looks of all this stuff...*Jersey*

ActiveScan:

Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Holly\Favorites\TECHNOLOGY\Adware Remover.lnk
Adware:adware/wupd Not disinfected C:\WINDOWS\SYSTEM32\a95kfrhe.ini
Adware:adware/savenow Not disinfected C:\WINDOWS\SYSTEM32\ap2nqrd4.dat
Adware:adware/sahagent Not disinfected C:\WINDOWS\SYSTEM32\bqrufs5f.dat
Spyware:spyware/marketscore Not disinfected C:\WINDOWS\SYSTEM32\rk.bin
Spyware:spyware/apropos Not disinfected C:\PROGRAM FILES\AutoUpdate
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\01C4461B-57E2-4805-867C-730DBB
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\0CC8A306-AE11-4E9C-BDB2-D1A894
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\15221DFD-052A-4234-8F9B-0A705A
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\206BBE8D-DBDD-4BBA-A13E-75B5AF
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\26D561F9-73B1-41FA-9C41-5FD83C
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\3BC924AA-11DC-4115-82A8-D2D26B
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\55454A00-E896-4AC7-8F16-3D1A45
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\59DF049A-DEC6-41D8-9774-1B59B9
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\6D7FFB8D-1601-4B4E-B1CA-19550A
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\703A3840-A306-4C5E-BAA0-E8E75A
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\AFFA01DB-7468-4184-8311-6725FA
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02D489A1-7AF4-4E8B-9DAA-C8184E\FB33FB72-FC37-42C5-A2E1-1D41BC
Adware:Adware/PowerScan Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\157C492D-E0F6-4174-B09E-24262A\5EDE86C5-D677-4B94-AA61-22955D
Adware:Adware/PowerScan Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\157C492D-E0F6-4174-B09E-24262A\FEBDE5EE-381F-49DF-B23E-B4280B
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\17B216AB-BB53-42E8-80F3-C3E152\20A4307A-57F9-440C-9C06-4A8944
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\17B216AB-BB53-42E8-80F3-C3E152\35CE5828-C05A-4D55-B3DC-5D45EE
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\24CA688F-5528-4D2C-8A2A-73FD56\2BA5F513-5E03-4093-A1AC-635D48
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\24CA688F-5528-4D2C-8A2A-73FD56\FB0611D6-5424-4987-88E3-AD0676
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2B63DA0D-E10F-4781-9F43-5714C9\22C00002-4A2B-4D1F-B3BC-C11E5B
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2B63DA0D-E10F-4781-9F43-5714C9\5D39D52E-A91D-4027-99D2-A568A2
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2D0DA901-F7A7-416B-865B-617E90\26918BBC-B328-4223-A62B-6CE20E
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2D0DA901-F7A7-416B-865B-617E90\58DC3E23-BB84-4BC1-95B5-5EAF69
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2D0DA901-F7A7-416B-865B-617E90\5C3657BA-650E-427D-B008-5EAFED
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2D0DA901-F7A7-416B-865B-617E90\F8777D41-0B10-43F2-8C06-E8552E
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\316DF410-4A00-497A-A886-DBC395\8AD2A61D-065D-45E6-80DE-DF9AC3
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\316DF410-4A00-497A-A886-DBC395\A44A60CF-D2F7-4573-A040-7C6690
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\330D70CB-043F-4436-AB76-667BF3\6E31AB51-A16E-4729-B1A5-52BC23
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\330D70CB-043F-4436-AB76-667BF3\C6B584A2-E25D-45B9-9D88-CB0071
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7D8AC9D4-1422-4A3B-8AF6-015F36\4294DD28-BF13-4435-B720-603BA9
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7D8AC9D4-1422-4A3B-8AF6-015F36\636E82C7-98B6-40A3-AEFF-5BDEAE
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7D8AC9D4-1422-4A3B-8AF6-015F36\6F9C0394-3A1C-41D8-957A-963601
Adware:Adware/HuntBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7D8AC9D4-1422-4A3B-8AF6-015F36\73565FD1-AC08-4145-97A6-72D8D7
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7EF1184E-AF39-4195-BE9C-4CBED0\841979EC-9568-4298-8592-2AECA7
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\81D10288-A226-4DBC-AB77-2F5367\9F13CAD7-D248-40C3-ABE4-272CD0
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\81D10288-A226-4DBC-AB77-2F5367\CD5C4913-EDDF-4B1F-857D-6C7952
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\16C70303-E929-4714-99EE-87B19B
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\17414DA4-2C6C-4BB5-9B5A-BB642C
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\55B9BD86-40E4-487E-9ED5-87BC89
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\A0B0A680-B654-4C1F-9C93-C77BD4
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\AA7B2487-7BDD-43D3-9F16-54704E
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\CC0552F9-2684-42A4-BE13-279492
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\D0A19793-FA84-4BD3-A29F-9AD5BD
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9B5CBE5A-AF92-41B0-90C2-B5778D\D7BCFDF0-D4A6-45A5-B2E9-36AFFA
Adware:Adware/Gator Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C6B49B3-3394-40E2-A8A6-A2921F\66FEC0D7-3ED5-462D-8D02-54CCDC
Adware:Adware/Gator Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C6B49B3-3394-40E2-A8A6-A2921F\81C10EFB-FC36-4850-9FAF-A3F250
Spyware:Spyware/New.net Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A9D66D86-B252-45AD-AD85-9539A6\0FACACF6-7C60-491D-B606-325EEC
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AA31F8D0-8A06-4807-B462-DDC7A9\0919D726-DF71-48BA-80F4-319BAC
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3089C5B-B501-47DA-82E2-8EC103\E26C8C9F-2B66-4F0F-AEAC-A21502
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C859ADD7-10A0-4D1C-ACE3-0230F5\4BBE7C11-26F0-49C2-9C47-445EB6
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D41F2910-3C10-4547-9704-917E6A\0EB5B562-FC82-4930-88C5-BED062
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D41F2910-3C10-4547-9704-917E6A\4D0D6503-68B6-4AE4-91C9-CD7046
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D41F2910-3C10-4547-9704-917E6A\AE6E938B-0303-43BA-9C72-8AFABD
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E05658A8-F34F-4ABF-85AC-2BB31D\09D38C27-BEFE-437D-BC61-78D862
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E05658A8-F34F-4ABF-85AC-2BB31D\1BD2FEA6-7BD6-4226-845A-6FB267
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E05658A8-F34F-4ABF-85AC-2BB31D\BA8C6C0B-AE3D-4DBB-BD84-73B63C
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E3512302-E568-45FC-95D7-EA07D9\4091354D-310D-4CB4-9AE3-322F04
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E3512302-E568-45FC-95D7-EA07D9\F20B898D-52D1-43F2-AF15-CB3800
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E3D8BA65-F9DD-4FA8-A303-18168B\2E66617D-AE12-43BE-BFA5-158625
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E3D8BA65-F9DD-4FA8-A303-18168B\CA9C778F-5494-49F2-9514-6DCED0
Adware:Adware/Dyfuca Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\ED959E8B-80BB-410F-A66F-F1A659\F847AEA1-AFA8-4A21-8B07-644967
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EFBCDB38-8E15-4110-8366-37C1BB\2510F4B6-2EAB-4FD6-81F6-5BE5F4
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EFBCDB38-8E15-4110-8366-37C1BB\2DD6865C-EF17-4474-9007-D524AA
Adware:Adware/WinTools Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EFBCDB38-8E15-4110-8366-37C1BB\3E22CC2A-BEB7-4E8E-889C-DA817E
Adware:Adware/WUpd Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FCBC72D1-C4BB-4EBC-B9A1-6213D3\7BE11C45-B47B-44BD-9C08-F02664
Adware:Adware/WUpd Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FCBC72D1-C4BB-4EBC-B9A1-6213D3\9E0E8FC5-6C9E-402D-9ED9-DB3761
Adware:Adware/WUpd Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FCBC72D1-C4BB-4EBC-B9A1-6213D3\F296DC68-434E-4ADC-8A2A-6727E1
Adware:Adware/IST.ISTBar Not disinfected C:\tmp.exe
Adware:Adware/IST.ISTBar Not disinfected C:\tmp.exe[gamma.exe]
Adware:Adware/WinAD Not disinfected C:\tmp.exe[lc.exe]
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\gamma.exe.tcf
Adware:Adware/WinAD Not disinfected C:\WINDOWS\lc.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\in3.dll.tcf
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\pmnlk.dll
Spyware:Spyware/MarketScore Not disinfected C:\WINDOWS\system32\rk.bin
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\umqltg4cl.exe
Spyware:Spyware/New.net Not disinfected D:\NNuninstall.exe
HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:42:43 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

Vundofix:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ddccc.dll

The second filepath entered was C:\WINDOWS\system32\cccdd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 152 'smss.exe'

Killing PID 744 'explorer.exe'
Killing PID 744 'explorer.exe'
Killing PID 744 'explorer.exe'
Killing PID 744 'explorer.exe'


Killing PID 228 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\ddccc.dll Deleted sucessfully.
C:\WINDOWS\system32\cccdd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#4
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

A member of staff saw your reply in a new thread and alerted me to the fact that you had replied.

Please do not start new threads; I do not get notified of your reply unless it is in this thread.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here: AproposFix
Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

#5
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.