Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Intermittent internet and other stuff!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Intermittent internet and other stuff!

Unread postby Grezza » November 3rd, 2006, 4:35 pm

My pc seems to be in a bit of a mess.
AdAware and Spybot always pick up stuff and AVG constantly says I've been infected by a trojan, namely downloader.Generic.VES.
But my main concern is that I.E. says "page won't load" after merrily surfing for a period of time. Then it just works again. I can be offline for minutes or hours, after surfing for minutes or hours.
I can't load any pages at all from any website.
Spookily I can ping successfully during the downtime.
I have an incling that remants of McAfee are doing this but can't seem to get rid, even using HJT.
Anyway, here's my HJT log, any help gratefully received.

Logfile of HijackThis v1.99.1
Scan saved at 19:52:27, on 03/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\atapid.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mmxonehour.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\eraseme_7526.exe
C:\WINDOWS\TEMP\eraseme_7526.exe
C:\Program Files\Common Files\{4875D8BB-087A-1033-0422-04040623002c}\Update.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [startmmdoit] C:\WINDOWS\mmxonehour.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: Windows CDROM Drivers (Microsoft Windows Atapi Drivers) - Unknown owner - C:\WINDOWS\atapid.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINDOWS\alg.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm
Advertisement
Register to Remove

Unread postby Trogan » November 4th, 2006, 6:59 am

Hi Grezza, welcome to the Malware Removal Forum! :)

Unfortunately, I do not have good news for you. The computer has multiple infections, including a backdoor. This gives intruders complete control of your computer, logging key strokes, stealing information, etc. :(
You are strongly advised to do the following immediately!:
  • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
      Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:

Should you have any questions, please feel free to ask

Please let me know your decision and we'll get started with clean up if that's what you choose.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 4th, 2006, 3:44 pm

I would rather do a proper clean, so fire away, I'll be as obedient as possible!!

G.
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 4th, 2006, 4:27 pm

Hi again Grezza! Lets try to clean the computer. Some things to do before we start the main fix.

First, you have HijackThis on your D: drive, but I see the C: drive is your primary drive where Windows is installed on. It is important that the HijackThis is installed on main drive (C: ), therefore could you place a copy of HijackThis to your C:\ drive and delete it from your D: drive please. Make sure HijackThis is in its own folder too.

Next, I don't see any indication of a Firewall in your HijackThis log. This may be because:

(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons
(4.) You don't use any firewall at all.

In the case you don't have a Firewall, please download one from the list below - They are Free!

Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
__________________________

ON WITH THE FIX

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • A report.txt will be created in the SDFix folder. Please keep that safe as I'll need to see it soon.
Now, I would like to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your in your next post.

Next, locate HijackThis and rename it to HJT. This step is very important as there are infections hiding from HijackThis, and for this reason why the renaming needs to be done.

Please post the following back here:

1) Uninstall list
2) Contents of Report.txt from the SDFix folder
3) New HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 4th, 2006, 6:11 pm

Thanks for everything you've done so far.
I've followed it all to the letter.
I won't be able to continue until the morningso please don't think I've given up!!

Here's what you asked for:

Uninstall list:
3D Groove Playback Engine
888Bar
Abacast Client
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Premiere 6.0
Adobe Reader 7.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Ahead Nero Burning ROM
Ahead NeroVision Express
Alcatel SpeedTouch USB Software
Allofmp3 Explorer
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
AVG Free Edition
Belarc Advisor 6.1
Camel's MPEGJoin
Canon i550
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon ScanGear Toolbox CS 2.2
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
CCleaner (remove only)
C-Media WDM Audio Driver
Creative DVD Audio Plugin for Audigy Series
Cricket 2004
Dan Elwell's Broadband Speed Test
Disk Investigator v1.31
DVD Shrink 3.2
DVD-lab 1.1
File Scavenger 2.1
Google Earth
HijackThis 1.99.1
ImageMixer with VCD
iPod for Windows 2006-01-10
iPod Updater 2004-11-15
iTunes
J2SE Runtime Environment 5.0 Update 3
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.2_06
L&H TTS3000 British English
LEGO Star Wars
LimeWire
LimeWire 4.8.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Messenger Plus! 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Small Business
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
MicroStaff WINASPI
MSN Messenger 7.5
MSN Toolbar
NEATO MediaFACE
PE Builder v3.1.3
Philips ThumbCam
Philips ThumbCam Photo Manager
Photodex Presenter
PL-2303 USB-to-Serial
PowerDVD
QuickTime
RealPlayer
Registry Mechanic 5.0
Screensavers Installer
SeaWorld Adventure Park Tycoon
SequoiaView
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
Snowflake Screen Saver
Sonic MyDVD
Spybot - Search & Destroy 1.4
Spyware Doctor 3.5
Studio 9.0 Installpath Updater
The Sims 2 Open For Business
The Sims Makin' Magic
Tweakui Powertoy for Windows XP
Ulead VideoStudio 8.0
Uninstall CEDP Stealer 4.0 for MSN Messenger
Uninstall EZ Emoticons for MSN Messenger 6 and 7
Verbot 4 Player
VSAdd-in for Internet Explorer
Windows Live Safety Scanner
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinRAR archiver
WinZip
XoftSpySE
xp-AntiSpy 3.96-2
ZoneAlarm


Report.txt
SDFix: Version 1.35
-------------------

Scan run on:
04/11/2006

Time:
21:52


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix

Stage One...

Checking Services...

Name:
-----

msidll
Windows Language Service

Path:
----

"C:\WINDOWS\system\msidll.exe"
"C:\WINDOWS\alg.exe"


msidll Deleted...
Windows Language Service Deleted...

Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\8R4BODE9\BEAR_1~1.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C7E9GN0J\MMXONE~1.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\8R4BODE9\BEAR_1~1.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C7E9GN0J\MMXONE~1.EXE
C:\HNTJ.EXE
C:\IJHQEDRJ.EXE
C:\OGRM.EXE
C:\OUIEF.EXE
C:\PVGCGJ.EXE
C:\QYRIH.EXE
C:\SCGR.EXE
C:\YVFAMWQQ.EXE
C:\WINDOWS\Prefetch\ERASEME_10194.EXE-26AFB711.pf
C:\WINDOWS\Prefetch\ERASEME_1065.EXE-01A391F6.pf
C:\WINDOWS\Prefetch\ERASEME_7526.EXE-303BD1B7.pf
C:\WINDOWS\Prefetch\ERASEME_9492.EXE-0C910C63.pf
C:\WINDOWS\Temp\eraseme_10194.exe
C:\WINDOWS\Temp\eraseme_1065.exe
C:\WINDOWS\Temp\eraseme_7526.exe
C:\WINDOWS\Temp\eraseme_78663.exe
C:\uniq
C:\WINDOWS\alg.exe
C:\WINDOWS\system32\setup_45818.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 22:02:59, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\atapid.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mmxonehour.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [startmmdoit] C:\WINDOWS\mmxonehour.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: Windows CDROM Drivers (Microsoft Windows Atapi Drivers) - Unknown owner - C:\WINDOWS\atapid.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Cheers,

Grezza.
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 5th, 2006, 3:30 am

Thanks for the logs. I'm getting something verified so I'll be back with new instructions soon.

But for now, you renamed the folder as shown here:

C:\HJT\HijackThis.exe

I need you to rename HijackThis.exe to HJT. If you could do that, and post a new log that would be great.

Thanks! :)
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 5th, 2006, 4:41 am

I hope I was right keeping HJT as an exe file. cos I couldn't run it otherwise.
Here's the log,
Cheers,
G.

Logfile of HijackThis v1.99.1
Scan saved at 08:38:18, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\atapid.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mmxonehour.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {244963CD-A4F6-4D67-AD53-40208917DCFE} - (no file)
O2 - BHO: (no name) - {2565F898-D22A-47BC-AC19-DD742BE8A86E} - (no file)
O2 - BHO: (no name) - {2856021F-4568-454E-8F4D-501BA83D80AA} - C:\WINDOWS\system32\xxyyxvu.dll
O2 - BHO: (no name) - {29B0F496-7B7D-4FEB-A221-3E1916B64255} - C:\WINDOWS\system32\pmkjh.dll
O2 - BHO: (no name) - {2E905173-2E57-4A28-BF5E-143FDA1393D3} - (no file)
O2 - BHO: (no name) - {3F47C9DA-46EC-4DBC-926C-6754693A0931} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55114F1A-EB8C-4BDE-805A-F08F878B0661} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {68C89C9A-E594-4CB7-AEDD-98D7E1B42552} - (no file)
O2 - BHO: (no name) - {6B827DDD-7D35-4AFA-8D81-713B47D74A88} - (no file)
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {8019DD99-293B-4338-B266-8031D4D5AC13} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll
O2 - BHO: (no name) - {C2C55A2D-8329-41A7-A6D4-3B7C9D34440B} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\cgbtsdlr.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [startmmdoit] C:\WINDOWS\mmxonehour.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\
O20 - Winlogon Notify: cbxuttt - C:\WINDOWS\SYSTEM32\cbxuttt.dll
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\
O20 - Winlogon Notify: DIFx - C:\WINDOWS\
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\
O20 - Winlogon Notify: tuvuvsr - C:\WINDOWS\
O20 - Winlogon Notify: vturq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyyxvu - C:\WINDOWS\SYSTEM32\xxyyxvu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: Windows CDROM Drivers (Microsoft Windows Atapi Drivers) - Unknown owner - C:\WINDOWS\atapid.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 5th, 2006, 5:37 am

Hi Grezza!

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following line into the Step 1: Paste Text window:

C:\WINDOWS\atapid.exe
C:\WINDOWS\eiRecvr.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next please visit SpyKillers forum here

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Read the instructions for uploading files which is the first topic on the forum, then start a new Topic named 'IRCbot files for AndyManchesta', please then post a link to this thread and upload the requested files.cab archive from your desktop.
_______________________

Next, I need you to scan a file please:
  • Go to VirusTotal
  • Copy and paste the following file path into the Search Box at the top of the page:
  • C:\WINDOWS\system32\xxyyxvu.dll
  • Click on the Send button
  • Please post the results in your next reply.
_______________________

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next post

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

_______________________

Please post the following:

1) Scan results
2) contents of C:\vundofix.txt
3) New HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 5th, 2006, 11:01 am

As requested:

STATUS: FINISHEDComplete scanning result of "xxyyxvu.dll_", received in VirusTotal at 11.05.2006, 15:54:56 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.03.2006 no virus found
Authentium 4.93.8 11.05.2006 no virus found
Avast 4.7.892.0 11.03.2006 no virus found
AVG 386 11.04.2006 no virus found
BitDefender 7.2 11.05.2006 no virus found
CAT-QuickHeal 8.00 11.04.2006 no virus found
ClamAV devel-20060426 11.05.2006 no virus found
DrWeb 4.33 11.05.2006 no virus found
eTrust-InoculateIT 23.73.45 11.03.2006 no virus found
eTrust-Vet 30.3.3176 11.03.2006 Win32/Chisyne!generic
Ewido 4.0 11.05.2006 no virus found
Fortinet 2.82.0.0 11.05.2006 suspicious
F-Prot 3.16f 11.04.2006 no virus found
F-Prot4 4.2.1.29 11.04.2006 no virus found
Ikarus 0.2.65.0 11.03.2006 no virus found
Kaspersky 4.0.2.24 11.05.2006 no virus found
McAfee 4888 11.03.2006 no virus found
Microsoft 1.1609 11.04.2006 no virus found
NOD32v2 1.1853 11.03.2006 no virus found
Norman 5.80.02 11.03.2006 no virus found
Panda 9.0.0.4 11.04.2006 Suspicious file
Sophos 4.10.0 10.26.2006 no virus found
TheHacker 6.0.1.112 11.03.2006 no virus found
UNA 1.83 11.03.2006 no virus found
VBA32 3.11.1 11.04.2006 no virus found
VirusBuster 4.3.15:9 11.05.2006 no virus found


Aditional Information
File size: 40973 bytes
MD5: 4a7d1491a91f2059400205864298682a
SHA1: 5c129811719dd44eb1184529ad73aca0556baf2f
packers: PECRYPT


VundoFix V4.2.33

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Scan started at 18:00:09 13/03/2006

Listing files found while scanning....


No infected files were found.


VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Java version is 1.5.0.3

Scan started at 18:00:27 23/09/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Java version is 1.5.0.3

Scan started at 14:39:50 05/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\awtqqpp.dll
C:\WINDOWS\system32\awtrrpq.dll
C:\WINDOWS\system32\awtrrrp.dll
C:\WINDOWS\system32\awtrssp.dll
C:\WINDOWS\system32\awtuuvu.dll
C:\WINDOWS\system32\byxuvut.dll
C:\WINDOWS\system32\byxvwxv.dll
C:\WINDOWS\system32\byxwvvs.dll
C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\cbxwuss.dll
C:\WINDOWS\system32\cbxyaxy.dll
C:\WINDOWS\system32\ddcawww.dll
C:\WINDOWS\system32\ddccbbx.dll
C:\WINDOWS\system32\ddcdaxu.dll
C:\WINDOWS\system32\ddcdbba.dll
C:\WINDOWS\system32\ddcdebx.dll
C:\WINDOWS\system32\efcaayv.dll
C:\WINDOWS\system32\efcywxw.dll
C:\WINDOWS\system32\fccbxxx.dll
C:\WINDOWS\system32\fcccyvt.dll
C:\WINDOWS\system32\gebcdba.dll
C:\WINDOWS\system32\gebxvtt.dll
C:\WINDOWS\system32\gebxvwx.dll
C:\WINDOWS\system32\hggdabc.dll
C:\WINDOWS\system32\hggebcy.dll
C:\WINDOWS\system32\hgggefc.dll
C:\WINDOWS\system32\iifccdb.dll
C:\WINDOWS\system32\iiffeec.dll
C:\WINDOWS\system32\iifgedd.dll
C:\WINDOWS\system32\iifghgf.dll
C:\WINDOWS\system32\khfdaxv.dll
C:\WINDOWS\system32\khffecc.dll
C:\WINDOWS\system32\khfgggg.dll
C:\WINDOWS\system32\ljjgede.dll
C:\WINDOWS\system32\ljjihhe.dll
C:\WINDOWS\system32\ljjkkjk.dll
C:\WINDOWS\system32\mljghif.dll
C:\WINDOWS\system32\mljhffe.dll
C:\WINDOWS\system32\mljijgh.dll
C:\WINDOWS\system32\opnmlmn.dll
C:\WINDOWS\system32\opnmnll.dll
C:\WINDOWS\system32\opnnljk.dll
C:\WINDOWS\system32\pmnkhfe.dll
C:\WINDOWS\system32\pmnmnkj.dll
C:\WINDOWS\system32\qomkhhh.dll
C:\WINDOWS\system32\rqrpooo.dll
C:\WINDOWS\system32\rqrrrrp.dll
C:\WINDOWS\system32\ssqpnli.dll
C:\WINDOWS\system32\ssqqomn.dll
C:\WINDOWS\system32\ssqqrrq.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\tuvtust.dll
C:\WINDOWS\system32\tuvutqq.dll
C:\WINDOWS\system32\tuvuvsq.dll
C:\WINDOWS\system32\tuvuvsr.dll
C:\WINDOWS\system32\tuvwuur.dll
C:\WINDOWS\system32\urqpnkk.dll
C:\WINDOWS\system32\urqrrpn.dll
C:\WINDOWS\system32\vjgnctpn.dll
C:\WINDOWS\system32\vtutusq.dll
C:\WINDOWS\system32\wvussrq.dll
C:\WINDOWS\system32\wvustut.dll
C:\WINDOWS\system32\wvutstt.dll
C:\WINDOWS\system32\wvuvwtr.dll
C:\WINDOWS\system32\xxyabaa.dll
C:\WINDOWS\system32\yayvwus.dll
C:\WINDOWS\system32\yayxvvt.dll
C:\WINDOWS\system32\iyaohcmv.exe
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqqpp.dll
C:\WINDOWS\system32\awtqqpp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtrrpq.dll
C:\WINDOWS\system32\awtrrpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtrrrp.dll
C:\WINDOWS\system32\awtrrrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtrssp.dll
C:\WINDOWS\system32\awtrssp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtuuvu.dll
C:\WINDOWS\system32\awtuuvu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxuvut.dll
C:\WINDOWS\system32\byxuvut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvwxv.dll
C:\WINDOWS\system32\byxvwxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwvvs.dll
C:\WINDOWS\system32\byxwvvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\byxwwwv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwuss.dll
C:\WINDOWS\system32\cbxwuss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxyaxy.dll
C:\WINDOWS\system32\cbxyaxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcawww.dll
C:\WINDOWS\system32\ddcawww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccbbx.dll
C:\WINDOWS\system32\ddccbbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdaxu.dll
C:\WINDOWS\system32\ddcdaxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdbba.dll
C:\WINDOWS\system32\ddcdbba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdebx.dll
C:\WINDOWS\system32\ddcdebx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcaayv.dll
C:\WINDOWS\system32\efcaayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcywxw.dll
C:\WINDOWS\system32\efcywxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccbxxx.dll
C:\WINDOWS\system32\fccbxxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fcccyvt.dll
C:\WINDOWS\system32\fcccyvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcdba.dll
C:\WINDOWS\system32\gebcdba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxvtt.dll
C:\WINDOWS\system32\gebxvtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxvwx.dll
C:\WINDOWS\system32\gebxvwx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdabc.dll
C:\WINDOWS\system32\hggdabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggebcy.dll
C:\WINDOWS\system32\hggebcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgggefc.dll
C:\WINDOWS\system32\hgggefc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifccdb.dll
C:\WINDOWS\system32\iifccdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiffeec.dll
C:\WINDOWS\system32\iiffeec.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgedd.dll
C:\WINDOWS\system32\iifgedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifghgf.dll
C:\WINDOWS\system32\iifghgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfdaxv.dll
C:\WINDOWS\system32\khfdaxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffecc.dll
C:\WINDOWS\system32\khffecc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfgggg.dll
C:\WINDOWS\system32\khfgggg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgede.dll
C:\WINDOWS\system32\ljjgede.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjihhe.dll
C:\WINDOWS\system32\ljjihhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjkkjk.dll
C:\WINDOWS\system32\ljjkkjk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljghif.dll
C:\WINDOWS\system32\mljghif.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhffe.dll
C:\WINDOWS\system32\mljhffe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljijgh.dll
C:\WINDOWS\system32\mljijgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmlmn.dll
C:\WINDOWS\system32\opnmlmn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmnll.dll
C:\WINDOWS\system32\opnmnll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnljk.dll
C:\WINDOWS\system32\opnnljk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkhfe.dll
C:\WINDOWS\system32\pmnkhfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnkj.dll
C:\WINDOWS\system32\pmnmnkj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomkhhh.dll
C:\WINDOWS\system32\qomkhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpooo.dll
C:\WINDOWS\system32\rqrpooo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrrrp.dll
C:\WINDOWS\system32\rqrrrrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpnli.dll
C:\WINDOWS\system32\ssqpnli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqomn.dll
C:\WINDOWS\system32\ssqqomn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqrrq.dll
C:\WINDOWS\system32\ssqqrrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\sstqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvtust.dll
C:\WINDOWS\system32\tuvtust.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvutqq.dll
C:\WINDOWS\system32\tuvutqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvsq.dll
C:\WINDOWS\system32\tuvuvsq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvsr.dll
C:\WINDOWS\system32\tuvuvsr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwuur.dll
C:\WINDOWS\system32\tuvwuur.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqpnkk.dll
C:\WINDOWS\system32\urqpnkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqrrpn.dll
C:\WINDOWS\system32\urqrrpn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vjgnctpn.dll
C:\WINDOWS\system32\vjgnctpn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutusq.dll
C:\WINDOWS\system32\vtutusq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvussrq.dll
C:\WINDOWS\system32\wvussrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvustut.dll
C:\WINDOWS\system32\wvustut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvutstt.dll
C:\WINDOWS\system32\wvutstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuvwtr.dll
C:\WINDOWS\system32\wvuvwtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyabaa.dll
C:\WINDOWS\system32\xxyabaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayvwus.dll
C:\WINDOWS\system32\yayvwus.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayxvvt.dll
C:\WINDOWS\system32\yayxvvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iyaohcmv.exe
C:\WINDOWS\system32\iyaohcmv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 14:59:28, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\atapid.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mmxonehour.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {244963CD-A4F6-4D67-AD53-40208917DCFE} - (no file)
O2 - BHO: (no name) - {2565F898-D22A-47BC-AC19-DD742BE8A86E} - (no file)
O2 - BHO: (no name) - {2856021F-4568-454E-8F4D-501BA83D80AA} - C:\WINDOWS\system32\xxyyxvu.dll
O2 - BHO: (no name) - {29B0F496-7B7D-4FEB-A221-3E1916B64255} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {2E905173-2E57-4A28-BF5E-143FDA1393D3} - (no file)
O2 - BHO: (no name) - {3F47C9DA-46EC-4DBC-926C-6754693A0931} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55114F1A-EB8C-4BDE-805A-F08F878B0661} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {68C89C9A-E594-4CB7-AEDD-98D7E1B42552} - (no file)
O2 - BHO: (no name) - {6B827DDD-7D35-4AFA-8D81-713B47D74A88} - (no file)
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {8019DD99-293B-4338-B266-8031D4D5AC13} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll
O2 - BHO: (no name) - {C2C55A2D-8329-41A7-A6D4-3B7C9D34440B} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\cgbtsdlr.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [startmmdoit] C:\WINDOWS\mmxonehour.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\
O20 - Winlogon Notify: cbxuttt - C:\WINDOWS\SYSTEM32\cbxuttt.dll
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\
O20 - Winlogon Notify: DIFx - C:\WINDOWS\
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\
O20 - Winlogon Notify: tuvuvsr - C:\WINDOWS\
O20 - Winlogon Notify: vturq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyyxvu - C:\WINDOWS\SYSTEM32\xxyyxvu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: Windows CDROM Drivers (Microsoft Windows Atapi Drivers) - Unknown owner - C:\WINDOWS\atapid.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 5th, 2006, 11:45 am

Hi Grezza! Thanks for doing everything so far. :)

Lets continue:

Please go to uploadmalware.com

Put your username in the box, and post a link to this topic.

In the File(s) To Submit: box 1, copy and past the following:
C:\WINDOWS\system32\xxyyxvu.dll

Click on Send File and close the window
____________________________

Could you get this file scanned at VirusTotal and save the results please:

C:\WINDOWS\SYSTEM32\cbxuttt.dll
____________________________

Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

888Bar
VSAdd-in for Internet Explorer

____________________________

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {244963CD-A4F6-4D67-AD53-40208917DCFE} - (no file)
O2 - BHO: (no name) - {2565F898-D22A-47BC-AC19-DD742BE8A86E} - (no file)
O2 - BHO: (no name) - {29B0F496-7B7D-4FEB-A221-3E1916B64255} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {2E905173-2E57-4A28-BF5E-143FDA1393D3} - (no file)
O2 - BHO: (no name) - {3F47C9DA-46EC-4DBC-926C-6754693A0931} - (no file)
O2 - BHO: (no name) - {55114F1A-EB8C-4BDE-805A-F08F878B0661} - (no file)
O2 - BHO: (no name) - {68C89C9A-E594-4CB7-AEDD-98D7E1B42552} - (no file)
O2 - BHO: (no name) - {6B827DDD-7D35-4AFA-8D81-713B47D74A88} - (no file)
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {8019DD99-293B-4338-B266-8031D4D5AC13} - (no file)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll
O2 - BHO: (no name) - {C2C55A2D-8329-41A7-A6D4-3B7C9D34440B} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\cgbtsdlr.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3875D8BB-087A-1033-0422-04040623002c}\888Bar.dll

O4 - HKLM\..\Run: [startmmdoit] C:\WINDOWS\mmxonehour.exe

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe

O20 - Winlogon Notify: App Paths - C:\WINDOWS\
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\
O20 - Winlogon Notify: DIFx - C:\WINDOWS\
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\
O20 - Winlogon Notify: tuvuvsr - C:\WINDOWS\
O20 - Winlogon Notify: vturq - C:\WINDOWS\

O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis
____________________________

Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

C:\WINDOWS\mmxonehour.exe

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!
____________________________

Lets run VundoFix again, but slightly than before
  • Double-click VundoFix.exe to run it.
  • Right Click inside the listbox (white box) and click Add more file?
  • Copy & Paste the 2 entries below into the top 2 boxes

    • C:\WINDOWS\system32\xxyyxvu.dll
    • C:\WINDOWS\system32\uvxyyxx.*
  • Click Add Files and click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • A new C:\vundofix.txt file should be created. Please keep it safe.
____________________________

Please post the following:

1) Scan result
2) Contents of C:\vundofix.txt
3) New HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 6th, 2006, 6:46 am

Sorry about the late reply, work doesn't half get in the way sometimes!!
Thanks for your continued support.
I followed your instructions faithfully.
Here are the things you've asked for, and I also submitted the file too.
G.

STATUS: FINISHED
Complete scanning result of "cbxuttt.dll", received in VirusTotal at 11.06.2006, 11:07:51 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.37 11.06.2006 no virus found
Authentium 4.93.8 11.05.2006 no virus found
Avast 4.7.892.0 11.03.2006 no virus found
AVG 386 11.04.2006 no virus found
BitDefender 7.2 11.06.2006 no virus found
CAT-QuickHeal 8.00 11.04.2006 no virus found
ClamAV devel-20060426 11.06.2006 no virus found
DrWeb 4.33 11.06.2006 no virus found
eTrust-InoculateIT 23.73.47 11.06.2006 no virus found
eTrust-Vet 30.3.3178 11.06.2006 no virus found
Ewido 4.0 11.05.2006 Adware.Virtumonde
Fortinet 2.82.0.0 11.06.2006 no virus found
F-Prot 3.16f 11.04.2006 no virus found
F-Prot4 4.2.1.29 11.04.2006 no virus found
Ikarus 0.2.65.0 11.05.2006 no virus found
Kaspersky 4.0.2.24 11.06.2006 no virus found
McAfee 4888 11.03.2006 no virus found
Microsoft 1.1609 11.06.2006 no virus found
NOD32v2 1.1854 11.06.2006 no virus found
Norman 5.80.02 11.03.2006 no virus found
Panda 9.0.0.4 11.06.2006 no virus found
Sophos 4.10.0 10.26.2006 no virus found
TheHacker 6.0.1.112 11.03.2006 no virus found
UNA 1.83 11.03.2006 no virus found
VBA32 3.11.1 11.06.2006 no virus found
VirusBuster 4.3.15:9 11.05.2006 no virus found

Aditional Information
File size: 40973 bytes
MD5: 75cd9dae981b1ad5e7db21382d343ab6
SHA1: d86967da6fec121510b38f4c09f87d3602c00a38


Checking Java version...

Java version is 1.4.2.6
VundoFix V4.2.33

Java version is 1.5.0.2

Scan started at 18:00:09 13/03/2006

Listing files found while scanning....


No infected files were found.


VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Java version is 1.5.0.3

Scan started at 18:00:27 23/09/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Java version is 1.5.0.3

Scan started at 14:39:50 05/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\awtqqpp.dll
C:\WINDOWS\system32\awtrrpq.dll
C:\WINDOWS\system32\awtrrrp.dll
C:\WINDOWS\system32\awtrssp.dll
C:\WINDOWS\system32\awtuuvu.dll
C:\WINDOWS\system32\byxuvut.dll
C:\WINDOWS\system32\byxvwxv.dll
C:\WINDOWS\system32\byxwvvs.dll
C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\cbxwuss.dll
C:\WINDOWS\system32\cbxyaxy.dll
C:\WINDOWS\system32\ddcawww.dll
C:\WINDOWS\system32\ddccbbx.dll
C:\WINDOWS\system32\ddcdaxu.dll
C:\WINDOWS\system32\ddcdbba.dll
C:\WINDOWS\system32\ddcdebx.dll
C:\WINDOWS\system32\efcaayv.dll
C:\WINDOWS\system32\efcywxw.dll
C:\WINDOWS\system32\fccbxxx.dll
C:\WINDOWS\system32\fcccyvt.dll
C:\WINDOWS\system32\gebcdba.dll
C:\WINDOWS\system32\gebxvtt.dll
C:\WINDOWS\system32\gebxvwx.dll
C:\WINDOWS\system32\hggdabc.dll
C:\WINDOWS\system32\hggebcy.dll
C:\WINDOWS\system32\hgggefc.dll
C:\WINDOWS\system32\iifccdb.dll
C:\WINDOWS\system32\iiffeec.dll
C:\WINDOWS\system32\iifgedd.dll
C:\WINDOWS\system32\iifghgf.dll
C:\WINDOWS\system32\khfdaxv.dll
C:\WINDOWS\system32\khffecc.dll
C:\WINDOWS\system32\khfgggg.dll
C:\WINDOWS\system32\ljjgede.dll
C:\WINDOWS\system32\ljjihhe.dll
C:\WINDOWS\system32\ljjkkjk.dll
C:\WINDOWS\system32\mljghif.dll
C:\WINDOWS\system32\mljhffe.dll
C:\WINDOWS\system32\mljijgh.dll
C:\WINDOWS\system32\opnmlmn.dll
C:\WINDOWS\system32\opnmnll.dll
C:\WINDOWS\system32\opnnljk.dll
C:\WINDOWS\system32\pmnkhfe.dll
C:\WINDOWS\system32\pmnmnkj.dll
C:\WINDOWS\system32\qomkhhh.dll
C:\WINDOWS\system32\rqrpooo.dll
C:\WINDOWS\system32\rqrrrrp.dll
C:\WINDOWS\system32\ssqpnli.dll
C:\WINDOWS\system32\ssqqomn.dll
C:\WINDOWS\system32\ssqqrrq.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\tuvtust.dll
C:\WINDOWS\system32\tuvutqq.dll
C:\WINDOWS\system32\tuvuvsq.dll
C:\WINDOWS\system32\tuvuvsr.dll
C:\WINDOWS\system32\tuvwuur.dll
C:\WINDOWS\system32\urqpnkk.dll
C:\WINDOWS\system32\urqrrpn.dll
C:\WINDOWS\system32\vjgnctpn.dll
C:\WINDOWS\system32\vtutusq.dll
C:\WINDOWS\system32\wvussrq.dll
C:\WINDOWS\system32\wvustut.dll
C:\WINDOWS\system32\wvutstt.dll
C:\WINDOWS\system32\wvuvwtr.dll
C:\WINDOWS\system32\xxyabaa.dll
C:\WINDOWS\system32\yayvwus.dll
C:\WINDOWS\system32\yayxvvt.dll
C:\WINDOWS\system32\iyaohcmv.exe
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqqpp.dll
C:\WINDOWS\system32\awtqqpp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtrrpq.dll
C:\WINDOWS\system32\awtrrpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtrrrp.dll
C:\WINDOWS\system32\awtrrrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtrssp.dll
C:\WINDOWS\system32\awtrssp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtuuvu.dll
C:\WINDOWS\system32\awtuuvu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxuvut.dll
C:\WINDOWS\system32\byxuvut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvwxv.dll
C:\WINDOWS\system32\byxvwxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwvvs.dll
C:\WINDOWS\system32\byxwvvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\byxwwwv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwuss.dll
C:\WINDOWS\system32\cbxwuss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxyaxy.dll
C:\WINDOWS\system32\cbxyaxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcawww.dll
C:\WINDOWS\system32\ddcawww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccbbx.dll
C:\WINDOWS\system32\ddccbbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdaxu.dll
C:\WINDOWS\system32\ddcdaxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdbba.dll
C:\WINDOWS\system32\ddcdbba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdebx.dll
C:\WINDOWS\system32\ddcdebx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcaayv.dll
C:\WINDOWS\system32\efcaayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcywxw.dll
C:\WINDOWS\system32\efcywxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccbxxx.dll
C:\WINDOWS\system32\fccbxxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fcccyvt.dll
C:\WINDOWS\system32\fcccyvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcdba.dll
C:\WINDOWS\system32\gebcdba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxvtt.dll
C:\WINDOWS\system32\gebxvtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxvwx.dll
C:\WINDOWS\system32\gebxvwx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdabc.dll
C:\WINDOWS\system32\hggdabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggebcy.dll
C:\WINDOWS\system32\hggebcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgggefc.dll
C:\WINDOWS\system32\hgggefc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifccdb.dll
C:\WINDOWS\system32\iifccdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiffeec.dll
C:\WINDOWS\system32\iiffeec.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgedd.dll
C:\WINDOWS\system32\iifgedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifghgf.dll
C:\WINDOWS\system32\iifghgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfdaxv.dll
C:\WINDOWS\system32\khfdaxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffecc.dll
C:\WINDOWS\system32\khffecc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfgggg.dll
C:\WINDOWS\system32\khfgggg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgede.dll
C:\WINDOWS\system32\ljjgede.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjihhe.dll
C:\WINDOWS\system32\ljjihhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjkkjk.dll
C:\WINDOWS\system32\ljjkkjk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljghif.dll
C:\WINDOWS\system32\mljghif.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhffe.dll
C:\WINDOWS\system32\mljhffe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljijgh.dll
C:\WINDOWS\system32\mljijgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmlmn.dll
C:\WINDOWS\system32\opnmlmn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmnll.dll
C:\WINDOWS\system32\opnmnll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnljk.dll
C:\WINDOWS\system32\opnnljk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkhfe.dll
C:\WINDOWS\system32\pmnkhfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnkj.dll
C:\WINDOWS\system32\pmnmnkj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomkhhh.dll
C:\WINDOWS\system32\qomkhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpooo.dll
C:\WINDOWS\system32\rqrpooo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrrrp.dll
C:\WINDOWS\system32\rqrrrrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpnli.dll
C:\WINDOWS\system32\ssqpnli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqomn.dll
C:\WINDOWS\system32\ssqqomn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqrrq.dll
C:\WINDOWS\system32\ssqqrrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\sstqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvtust.dll
C:\WINDOWS\system32\tuvtust.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvutqq.dll
C:\WINDOWS\system32\tuvutqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvsq.dll
C:\WINDOWS\system32\tuvuvsq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvsr.dll
C:\WINDOWS\system32\tuvuvsr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwuur.dll
C:\WINDOWS\system32\tuvwuur.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqpnkk.dll
C:\WINDOWS\system32\urqpnkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqrrpn.dll
C:\WINDOWS\system32\urqrrpn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vjgnctpn.dll
C:\WINDOWS\system32\vjgnctpn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutusq.dll
C:\WINDOWS\system32\vtutusq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvussrq.dll
C:\WINDOWS\system32\wvussrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvustut.dll
C:\WINDOWS\system32\wvustut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvutstt.dll
C:\WINDOWS\system32\wvutstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuvwtr.dll
C:\WINDOWS\system32\wvuvwtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyabaa.dll
C:\WINDOWS\system32\xxyabaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayvwus.dll
C:\WINDOWS\system32\yayvwus.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayxvvt.dll
C:\WINDOWS\system32\yayxvvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iyaohcmv.exe
C:\WINDOWS\system32\iyaohcmv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xxyyxvu.dll
C:\WINDOWS\system32\xxyyxvu.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 10:35:59, on 06/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\atapid.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {244963CD-A4F6-4D67-AD53-40208917DCFE} - (no file)
O2 - BHO: (no name) - {2565F898-D22A-47BC-AC19-DD742BE8A86E} - (no file)
O2 - BHO: (no name) - {2E905173-2E57-4A28-BF5E-143FDA1393D3} - (no file)
O2 - BHO: (no name) - {3F47C9DA-46EC-4DBC-926C-6754693A0931} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55114F1A-EB8C-4BDE-805A-F08F878B0661} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {68C89C9A-E594-4CB7-AEDD-98D7E1B42552} - (no file)
O2 - BHO: (no name) - {6B827DDD-7D35-4AFA-8D81-713B47D74A88} - (no file)
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {8019DD99-293B-4338-B266-8031D4D5AC13} - (no file)
O2 - BHO: (no name) - {8038F1E3-4D7A-41C6-93D7-928930C1FB3A} - C:\WINDOWS\system32\vtsqo.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C2C55A2D-8329-41A7-A6D4-3B7C9D34440B} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\ogwfanuq.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\
O20 - Winlogon Notify: cbxuttt - C:\WINDOWS\SYSTEM32\cbxuttt.dll
O20 - Winlogon Notify: DIFx - C:\WINDOWS\
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\
O20 - Winlogon Notify: tuvuvsr - C:\WINDOWS\
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll
O20 - Winlogon Notify: vturq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: Windows CDROM Drivers (Microsoft Windows Atapi Drivers) - Unknown owner - C:\WINDOWS\atapid.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 6th, 2006, 7:33 am

Hi Grezza! You have been infected again by Vundo. Please try and keep the computer off the internet and avoid using any Peer2Peer programs to download, until we can get the computer cleaned.

Lets continue:

Please go to uploadmalware.com

Put your username in the box, and post a link to this topic.

In the File(s) To Submit: box 1, copy and past the following:
C:\WINDOWS\SYSTEM32\cbxuttt.dll

Click on Send File and close the window
____________________________

Next, we need to DISABLE some programs as they can interfere with the fix:

Spyware Doctor!
  • Open Spyware Doctor
  • Click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".
  • Exit the program.
Spybots TeaTimer!
  • Run Spybot Search & Destroy
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Exit SpyBot
We will enable these once we have finished the cleanup process!
____________________________

Lets run VundoFix once more to remove the present Vundo infection.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next post

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

____________________________

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {244963CD-A4F6-4D67-AD53-40208917DCFE} - (no file)
O2 - BHO: (no name) - {2565F898-D22A-47BC-AC19-DD742BE8A86E} - (no file)
O2 - BHO: (no name) - {2E905173-2E57-4A28-BF5E-143FDA1393D3} - (no file)
O2 - BHO: (no name) - {3F47C9DA-46EC-4DBC-926C-6754693A0931} - (no file)
O2 - BHO: (no name) - {55114F1A-EB8C-4BDE-805A-F08F878B0661} - (no file)
O2 - BHO: (no name) - {68C89C9A-E594-4CB7-AEDD-98D7E1B42552} - (no file)
O2 - BHO: (no name) - {6B827DDD-7D35-4AFA-8D81-713B47D74A88} - (no file)
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {8019DD99-293B-4338-B266-8031D4D5AC13} - (no file)
O2 - BHO: (no name) - {8038F1E3-4D7A-41C6-93D7-928930C1FB3A} - C:\WINDOWS\system32\vtsqo.dll
O2 - BHO: (no name) - {C2C55A2D-8329-41A7-A6D4-3B7C9D34440B} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\ogwfanuq.dll

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl29bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} -

O20 - Winlogon Notify: App Paths - C:\WINDOWS\
O20 - Winlogon Notify: cbxuttt - C:\WINDOWS\SYSTEM32\cbxuttt.dll
O20 - Winlogon Notify: DIFx - C:\WINDOWS\
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\
O20 - Winlogon Notify: tuvuvsr - C:\WINDOWS\
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll
O20 - Winlogon Notify: vturq - C:\WINDOWS\

O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis
____________________________

Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

C:\WINDOWS\SYSTEM32\cbxuttt.dll

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!
____________________________

Please post the following:

1) VundoFix log
2) New HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 6th, 2006, 8:28 am

Sorry about that, I'll keep off it.
Here are the logs:

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Java version is 1.5.0.3

Scan started at 11:40:54 06/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 12:25:42, on 06/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\atapid.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McLogManagerService - Unknown owner - (no file)
O23 - Service: mcmispupdmgr - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: McODS - Unknown owner - (no file)
O23 - Service: mcpromgr - Unknown owner - (no file)
O23 - Service: McProxy - Unknown owner - (no file)
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: McSysmon - Unknown owner - (no file)
O23 - Service: mctskshd.exe - Unknown owner - (no file)
O23 - Service: mcusrmgr - Unknown owner - (no file)
O23 - Service: Windows CDROM Drivers (Microsoft Windows Atapi Drivers) - Unknown owner - C:\WINDOWS\atapid.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: MpfService - McAfee, Inc. - (no file)
O23 - Service: MPS9 - McAfee, Inc. - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 6th, 2006, 3:13 pm

Hi Grezza! Thanks for help and co-operation. :)

You still have a nasty infection, that as mentioned in my very first post, can allow an intruder to steal your information, and take over your computer. With your help, SDFix is in the process of getting updated, and when it is we will need to run it again. Until then, the computer should stay off the internet. :)

I will post back soon with further instructions.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Trogan » November 8th, 2006, 3:30 am

Hi Greeza! SDFix has been updated, so we will need to run it again a bit later. Fo now, can you do the following please...

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
@echo off
sc stop McLogManagerService
sc delete McLogManagerService
sc stop mcmispupdmgr
sc delete mcmispupdmgr
sc stop McNASvc
sc delete McNASvc
sc stop McODS
sc delete McODS
sc stop mcpromgr
sc delete mcpromgr
sc stop McProxy
sc delete McProxy
sc stop "McRedirector McShield"
sc delete "McRedirector McShield"
sc stop McSysmon
sc delete McSysmon
sc stop mctskshd.exe
sc delete mctskshd.exe
sc stop mcusrmgr
sc delete mcusrmgr
sc stop MpfService
sc delete MpfService
sc stop MPS9 - McAfee, Inc
sc delete MPS9 - McAfee, Inc
exit

Double click FixServices.bat. A window will open and close. This is normal.
__________________________

We're going to run SDFix now. Before we do, make sure you delete the current version of SDFix if you still have it. Lets start the fix:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware