New HJT Log....Please help

Post by kimc » May 15th, 2007, 3:12 pm

Thanks for any suggestions to fix my problem. My problem started on 5/10/07. A co-worker heard my computer talking. This was the first sign of a problem. Then the pop-ups started.

I ran ad-aware, windows defender, symantec corporate and spybot. If anything my problem has worsened. It's like the little buggers know I'm getting close :x



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:10:01 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\RMClient\PMCTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Linda\HiJackThis_v2.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\tmp1.tmp.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: imesmod - C:\WINDOWS\SYSTEM32\imesmod.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 7563 bytes
kimc
Active Member
Posts: 7
Joined: May 15th, 2007, 2:45 pm

Post by silver » May 16th, 2007, 12:32 am

Hello kimc,

My name is silver and I'm currently looking over your log. Please hold on while I research a fix for you.
silver
Regular Member
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Post by silver » May 16th, 2007, 8:14 am

Hi kimc,

Firstly, I have some questions:

Is this a home machine or a work computer? In the case of a work machine, I also need to ask if it's OK to fix the machine - in many organizations the IT Department are the only people authorized to make system changes - can you confirm this for me?

Could you also confirm whether you have administrator rights on this machine - otherwise the fixes we need to do won't work. If you're not sure, open Control Panel->User Accounts, under your logon name it will say either Computer administrator or Limited account - let me know which one it is.

If this machine is on a network with other computers connected, it's possible that they could also be infected. Please let me know about this in your next response.

You have a program installed on your computer called GoToMyPC which is a remote access application. If this is a work machine, this may have been installed by the IT Department to allow remote access to this computer. Do you know anything about this program and did you knowingly install it?

Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup" to stop something from running. While this is normally OK, it is possible that you have disabled something that will affect how we clean your machine. Please don't change anything in MSConfig yet, these instructions will produce a report of what programs are currently disabled so I can see the entries without requiring any changes:

Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is unchecked.
regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "mslook.bat" (you MUST include the quotes)
Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

Next please download and install HijackThis version 1.99.1, the version you have is still a beta (testing) version and at this time is unproven, so we need to use the latest full release:

Download the latest HJTsetup.exe from this link:
http://downloads.malwareremoval.com/HJTsetup.exe

Once it has downloaded, please open Control Panel->Add/Remove Programs and remove HijackThis 2.0.0. Then remove the program file by navigating to the C:\Linda folder and deleting HiJackThis_v2.exe

Double-click on HJTsetup.exe to start installation
By default it will install to C:\Program Files\HijackThis
Continue to click Next in the setup dialog boxes until you are asked which additional icons you would like
Put a check by Create a desktop icon then click Next again.
Press Install and then Finish and it will automatically launch HijackThis.

Once complete, please post the mslook.bat output along with a new HijackThis log and let me know the answers to the questions at the top of this post.
silver
Regular Member
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
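The mslook.bat batch file above produces a REGEDIT4 text export of the MSConfig key, which is where MSConfig stashes the Run entries a user has unticked under "Startup". The export is plain text and easy to parse, so a helper reading a pasted report can list every disabled startup item and the command it would run without touching the machine. The script below is an added example for readers of this thread, not a MalwareRemoval.com tool and not part of silver's instructions; the sample export embedded in it is constructed in the shape that batch file produces, using the single disabled entry that appears in kimc's reply. The field names (key, item, hkey, command) are the ones MSConfig itself writes; the rundll32 DLL extraction is my own addition.

```python
import re

# Constructed sample: a REGEDIT4 export of the MSConfig key in the shape
# "regedit /a /e" writes it. The one disabled entry is the one kimc posts.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindowsService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pmklli"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\pmklli.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"services"=dword:00000000
"startup"=dword:00000002
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"=value ; the name may itself contain escaped quotes or backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# rundll32[.exe] "<path>.dll",export  -> capture the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)


def unescape(s):
    """Undo regedit escaping: a backslash escapes the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_value(raw):
    """Decode a REG_SZ ("...") or dword:XXXXXXXX value; other types stay as text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_regedit4(text):
    """Return {section path: {value name: value}} for a REGEDIT4 export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][unescape(m.group(1))] = parse_value(m.group(2))
    return sections


def disabled_startup_items(text):
    """List the Run entries MSConfig has disabled (subkeys of ...\MSConfig\startupreg)."""
    marker = "\\Shared Tools\\MSConfig\\startupreg\\"
    items = []
    for path, values in parse_regedit4(text).items():
        if marker.lower() not in path.lower():
            continue
        cmd = str(values.get("command", ""))
        dll = RUNDLL_RE.search(cmd)
        items.append({
            "subkey": path.rsplit("\\", 1)[-1],
            "hkey": values.get("hkey", ""),
            "key": values.get("key", ""),
            "item": values.get("item", ""),
            "command": cmd,
            # DLL loaded through rundll32, if the command uses it; None otherwise
            "dll": dll.group(1) if dll else None,
        })
    return items


if __name__ == "__main__":
    for it in disabled_startup_items(SAMPLE_EXPORT):
        print(f'{it["hkey"]}\\{it["key"]}\\{it["item"]} = {it["command"]}')
```

Paste the text from the Notepad window into a file and call disabled_startup_items() on its contents; each dict gives the original hive and key the entry lived under, so the helper sees exactly what will start again if the user switches MSConfig back to normal startup.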

Post by kimc » May 16th, 2007, 1:21 pm

Hi silver,

Thanks so much for helping out with this. I've answered your questions and followed your instructions. Let me know if you need anything else from me.

Yes, this is an office computer. We are an office of 4 people and handle our own IT problems in-house.

Yes, I have administrator rights on this machine.

We checked the 2 other computers and both seem to be working fine.

GoToMyPC is installed on all the machines in the office.



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindowsService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pmklli"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\pmklli.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002

Logfile of HijackThis v1.99.1
Scan saved at 1:16:26 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RMClient\PMCTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\AnyTime Deluxe\Atw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp49.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\awtrqo.dll",realset
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: imesmod - C:\WINDOWS\SYSTEM32\imesmod.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
kimc
Active Member
Posts: 7
Joined: May 15th, 2007, 2:45 pm
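A helper reading a HijackThis log is looking for a few recurring patterns, several of which are visible in the logs above: a BHO with "(no name)" whose DLL has a throwaway name (tmp49.tmp.dll), a Run entry that uses rundll32 to load a DLL sitting directly in C:\WINDOWS (awtrqo.dll), an executable whose name is one letter away from a core Windows process (lsasss.exe vs lsass.exe), the same DLL registered both as a BHO and as a Winlogon Notify handler (imesmod.dll), and entries marked "(file missing)". The triage script below is an added example written for this thread, not a MalwareRemoval.com tool and not silver's method; the heuristics and the short list of system process names are my own assumptions, and the sample lines are copied from the logs posted above with one clean line kept for contrast. It only flags lines for a human to look at.

```python
import re
from collections import defaultdict

# Constructed sample: lines in HijackThis log format copied from this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp49.tmp.dll
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\awtrqo.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: imesmod - C:\WINDOWS\SYSTEM32\imesmod.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)\b', re.I)
WINDIR_ROOT_DLL = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.dll$", re.I)
TMP_DLL = re.compile(r"^tmp[0-9a-f]+\.tmp\.dll$", re.I)
# Assumed short list of core process names that get imitated; extend as needed.
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def within_one_edit(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def triage_hjt_log(text):
    """Map each suspicious 'O' line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    noname_bho = {}                  # DLL basename -> the O2 line that registers it
    dll_sections = defaultdict(set)  # DLL basename -> sections it appears in
    for raw in text.splitlines():
        line = raw.strip()
        if not re.match(r"O\d+ - ", line):
            continue
        section = line.split(" - ", 1)[0]
        paths = PATH_RE.findall(line)
        if "(file missing)" in line:
            findings[line].append("registered file is missing on disk")
        if section == "O2" and "(no name)" in line and paths:
            name = basename(paths[-1])
            findings[line].append("unnamed BHO")
            if TMP_DLL.match(name):
                findings[line].append("BHO DLL has a temp-style name")
            noname_bho[name] = line
        if section == "O4":
            if "rundll32" in line.lower():
                for p in paths:
                    if WINDIR_ROOT_DLL.match(p):
                        findings[line].append("rundll32 loads a DLL from the Windows directory root")
            for p in paths:
                for sysname in SYSTEM_BINARIES:
                    if within_one_edit(basename(p), sysname):
                        findings[line].append(f"executable name resembles system binary {sysname}")
        for p in paths:
            if p.lower().endswith(".dll"):
                dll_sections[basename(p)].add(section)
    # An unnamed BHO whose DLL is also hooked elsewhere (e.g. Winlogon Notify)
    for name, line in noname_bho.items():
        others = dll_sections[name] - {"O2"}
        if others:
            findings[line].append("unnamed BHO DLL is also registered under " + ", ".join(sorted(others)))
    return dict(findings)


def reasons_for(findings, needle):
    """All reasons attached to flagged lines that contain `needle`."""
    return [r for line, rs in findings.items() if needle in line for r in rs]


if __name__ == "__main__":
    for line, reasons in triage_hjt_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it over a whole pasted log; lines that are not flagged are simply absent from the result, and a flagged line can carry several reasons, which is usually the case for the entries a helper ends up asking the poster to fix.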

Post by silver » May 17th, 2007, 6:48 am

Hi kimc,

Thank you for the information. We'll now get to work on cleaning this machine, but with regard to the other computers on your network, could you please do full virus scans (if you haven't already) and then use Windows Update to make sure they are fully up to date with security patches. If anything is detected then please let me know. This is important to make sure this machine isn't re-infected during the cleaning process.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • A log file will be created at C:\vundofix.txt, please post the contents of this in your next response.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Then, please download the following program and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it.
When it is done there will be a file called awf.txt on your desktop, and it will be open in Notepad.
Please post the contents of that file in your next response.

Once complete, please post the Vundofix log, the FindAWF log and a new HijackThis log.
silver
Regular Member
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
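The awf.txt report that FindAWF writes ends with a "Duplicate files of bak directory contents" section: one line per file, giving size, date and the quoted path, with each file found inside a bak folder listed next to any other copies of the same name. Pairing each bak copy with the file of the same name one directory up, and comparing sizes, is the tedious part of reading that section by hand. The script below is an added example for readers of this thread, not noahdfear's tool and not silver's procedure; it only parses that one section (the "Directory of" listings use a different format and are skipped) and reports what it finds, leaving the decision about which copy is genuine to the helper. The sample lines are copied from the report kimc posts in reply.

```python
import re
from typing import NamedTuple

# Constructed sample: the duplicates section of a FindAWF report, lines copied
# from the report posted in this thread.
SAMPLE_REPORT = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
244224 Jun 10 2004 "C:\WINDOWS\system32\NvRaidMan.exe"
83968 Jun 10 2004 "C:\WINDOWS\system32\bak\nvraidservice.exe"
249904 Jan 12 2007 "C:\Program Files\Citrix\GoToMyPC\g2svc.exe"
249904 Jan 12 2007 "C:\Program Files\Citrix\GoToMyPC\bak\g2svc.exe"
5461296 Apr 30 2007 "C:\Program Files\TK8\TK8 Backup\tk8backup.exe"
5558272 May 3 2005 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"

end of report
"""

# <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3} \d{1,2} \d{4})\s+"(.+)"$')


class Entry(NamedTuple):
    size: int
    date: str
    path: str


def parse_duplicates(text):
    """Parse every size/date/path line; headers and separators are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def split_path(path):
    """Split a Windows path into (parent directory, last component)."""
    parent, _, name = path.rpartition("\\")
    return parent, name


def compare_bak_copies(entries):
    """For each file inside a bak folder, look up the same file name in the
    parent folder and report whether it is listed and whether the sizes match."""
    by_path = {e.path.lower(): e for e in entries}
    results = []
    for e in entries:
        parent, name = split_path(e.path)
        grandparent, folder = split_path(parent)
        if folder.lower() != "bak":
            continue
        live = by_path.get((grandparent + "\\" + name).lower())
        if live is None:
            status = "no live copy listed"
        elif live.size == e.size:
            status = "live copy same size"
        else:
            status = f"live copy differs in size ({live.size} vs bak {e.size})"
        results.append((e.path, status))
    return results


if __name__ == "__main__":
    for path, status in compare_bak_copies(parse_duplicates(SAMPLE_REPORT)):
        print(f"{status:45s} {path}")
```

On the sample, ctfmon.exe and g2svc.exe have live copies of identical size, tk8backup.exe has a live copy of a different size, and nvraidservice.exe and type32.exe have no live copy in the section at all; each of those is a different situation for the helper to weigh, and the script does no more than sort them.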

Post by kimc » May 18th, 2007, 8:46 am

Hi silver,

We scanned all the other computers (all clean) and security updates are current.

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 8:19:34 AM 5/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MI558C~1\BAK

06/03/2004 04:51 AM 172,032 type32.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

06/03/2004 04:50 AM 204,800 point32.exe
1 File(s) 204,800 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 08:00 AM 15,360 ctfmon.exe
06/10/2004 11:15 PM 83,968 nvraidservice.exe
2 File(s) 99,328 bytes

Directory of C:\PROGRA~1\CITRIX\GOTOMYPC\BAK

05/12/2007 11:37 AM 955 g2ldr.log
01/12/2007 06:45 PM 249,904 g2svc.exe
2 File(s) 250,859 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

07/30/2002 11:35 AM 77,824 vptray.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\TK8\TK8BAC~1\BAK

05/15/2007 09:14 AM 9,007 gridsettings.ini
05/15/2007 09:14 AM 1,322 gridsettings2.ini
05/15/2007 09:14 AM 66,272 tk8backup.elf
05/03/2005 12:45 AM 5,558,272 tk8backup.exe
05/15/2007 09:14 AM 292 tk8backup.ini
05/15/2007 09:14 AM 10,233 Toolbar.ini
6 File(s) 5,645,398 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

01/13/2003 02:05 PM 69,632 EngUtil.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPDESK~1\TOOLBOX\BAK

09/11/2003 12:32 AM 290,816 HPWITBX.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

12/15/2006 04:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\AUDIOC~1\BAK

01/09/2003 09:21 AM 253,952 RxMon.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

01/13/2003 10:19 AM 757,760 DrgToDsc.exe
1 File(s) 757,760 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
204800 Jun 3 2004 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
244224 Jun 10 2004 "C:\WINDOWS\system32\NvRaidMan.exe"
83968 Jun 10 2004 "C:\WINDOWS\system32\bak\nvraidservice.exe"
496 May 18 2007 "C:\Program Files\Citrix\GoToMyPC\g2ldr.log"
955 May 12 2007 "C:\Program Files\Citrix\GoToMyPC\bak\g2ldr.log"
888 May 14 2007 "C:\Documents and Settings\Linda Nicholas\Local Settings\Temp\{58f4d4fd-1814-4068-b316-c28fc776c6dd}\g2ldr.log"
249904 Jan 12 2007 "C:\Program Files\Citrix\GoToMyPC\g2svc.exe"
249904 Jan 12 2007 "C:\Program Files\Citrix\GoToMyPC\bak\g2svc.exe"
77824 Jul 30 2002 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
9007 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\gridsettings.ini"
1322 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\gridsettings2.ini"
66272 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.elf"
5461296 Apr 30 2007 "C:\Program Files\TK8\TK8 Backup\tk8backup.exe"
5558272 May 3 2005 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.exe"
2351 Apr 11 2007 "C:\Program Files\TK8\TK8 Backup\tk8backup.ini"
292 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.ini"
2562 May 18 2007 "C:\Documents and Settings\Linda Nicholas\Application Data\TK8 Software\TK8 Backup\TK8 Backup Program Options.ini"
10233 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\Toolbar.ini"
69632 Jan 13 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
290816 Sep 11 2003 "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\bak\HPWITBX.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
32881 May 10 2006 "C:\Program Files\Sage Software\Peachtree\PeachJava\JRE\bin\jusched.exe"
253952 Jan 9 2003 "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe"
757760 Jan 13 2003 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report



Logfile of HijackThis v1.99.1
Scan saved at 8:41:03 AM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RMClient\PMCTray.exe
C:\Program Files\TK8\TK8 Backup\Backup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp5C.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\awtrqo.dll",realset
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: imesmod - C:\WINDOWS\SYSTEM32\imesmod.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
kimc
Active Member
 
Posts: 7
Joined: May 15th, 2007, 2:45 pm

Unread postby silver » May 19th, 2007, 7:08 am

Hi kimc,

I note that MSConfig has been used to disable a startup program called WindowsService; did you do this yourself? This entry is malware and we will remove it directly from the registry, so please do not use MSConfig until we have finished cleaning.

Now we need to use Vundofix once more:
  • Double-click VundoFix.exe to run it.
  • Right-click the white box in the middle and select Add more files?
  • Copy the following paths into the boxes:
    C:\WINDOWS\system32\tmp49.tmp.dll
    C:\WINDOWS\system32\imesmod.dll
    C:\WINDOWS\system32\tmp5C.tmp.dll
  • Then press Add Files, Close Window, right-click and select Add more files? again, then copy these paths into the boxes:
    C:\WINDOWS\awtrqo.dll
    C:\WINDOWS\pmklli.dll
  • Then press Add Files, Close Window and then Remove Vundo
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Once your computer has rebooted:
  • Download DelDomains.inf to your Desktop
  • Right-click DelDomains.inf and choose Install
  • Note: if you use SpywareBlaster, IE-SPYAD, and/or Spybot S&D you will need to re-immunize after this
  • Download ResetProtocolDefaults.reg to your Desktop
  • Right-click ResetProtocolDefaults.reg, choose Merge and OK the prompt
Copy/paste the following quote box into a new Notepad (not wordpad) document. Before starting select Format from the top menu and make sure Word Wrap is NOT checked.
if exist "C:\Program Files\Microsoft IntelliType Pro\type32.exe" del /q "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
copy /y "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe" "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

if exist "C:\Program Files\Microsoft IntelliPoint\point32.exe" del /q "C:\Program Files\Microsoft IntelliPoint\point32.exe"
copy /y "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe" "C:\Program Files\Microsoft IntelliPoint\point32.exe"

if exist "C:\WINDOWS\system32\nvraidservice.exe" del /q "C:\WINDOWS\system32\nvraidservice.exe"
copy /y "C:\WINDOWS\system32\bak\nvraidservice.exe" "C:\WINDOWS\system32\nvraidservice.exe"

if exist "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" del /q "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
copy /y "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe" "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"

if exist "C:\Program Files\TK8\TK8 Backup\gridsettings.ini" del /q "C:\Program Files\TK8\TK8 Backup\gridsettings.ini"
copy /y "C:\Program Files\TK8\TK8 Backup\bak\gridsettings.ini" "C:\Program Files\TK8\TK8 Backup\gridsettings.ini"

if exist "C:\Program Files\TK8\TK8 Backup\gridsettings2.ini" del /q "C:\Program Files\TK8\TK8 Backup\gridsettings2.ini"
copy /y "C:\Program Files\TK8\TK8 Backup\bak\gridsettings2.ini" "C:\Program Files\TK8\TK8 Backup\gridsettings2.ini"

if exist "C:\Program Files\TK8\TK8 Backup\tk8backup.elf" del /q "C:\Program Files\TK8\TK8 Backup\tk8backup.elf"
copy /y "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.elf" "C:\Program Files\TK8\TK8 Backup\tk8backup.elf"

if exist "C:\Program Files\TK8\TK8 Backup\Toolbar.ini" del /q "C:\Program Files\TK8\TK8 Backup\Toolbar.ini"
copy /y "C:\Program Files\TK8\TK8 Backup\bak\Toolbar.ini" "C:\Program Files\TK8\TK8 Backup\Toolbar.ini"

if exist "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" del /q "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
copy /y "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe" "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

if exist "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe" del /q "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe"
copy /y "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\bak\HPWITBX.exe" "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe"

if exist "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
copy /y "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

if exist "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" del /q "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
copy /y "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe" "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

if exist "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" del /q "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
copy /y "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe" "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

if exist "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" del /q "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
copy /y "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

if exist "C:\Program Files\Citrix\GoToMyPC\g2ldr.log" del /q "C:\Program Files\Citrix\GoToMyPC\g2ldr.log"
copy /y "C:\Program Files\Citrix\GoToMyPC\bak\g2ldr.log" "C:\Program Files\Citrix\GoToMyPC\g2ldr.log"

if exist "C:\Program Files\TK8\TK8 Backup\tk8backup.exe" del /q "C:\Program Files\TK8\TK8 Backup\tk8backup.exe"
copy /y "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.exe" "C:\Program Files\TK8\TK8 Backup\tk8backup.exe"

if exist "C:\Program Files\TK8\TK8 Backup\tk8backup.ini" del /q "C:\Program Files\TK8\TK8 Backup\tk8backup.ini"
copy /y "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.ini" "C:\Program Files\TK8\TK8 Backup\tk8backup.ini"
del /q "C:\WINDOWS\system32\lsasss.exe"

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "awf.bat" (you MUST include the quotes)

Now, reboot your computer in Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8
A menu should appear, use the arrow keys to select Safe Mode and press enter

Locate awf.bat on your Desktop and double-click it.

Now reboot your computer normally and run FindAWF once more to create a new log.

When complete, please post the Vundofix log, the new FindAWF log along with a new HijackThis log and let me know if you had any trouble with the instructions.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby kimc » May 19th, 2007, 1:34 pm

No I didn't disable the startup program called WindowsService.

I tried rebooting 3 times with restart and F8. I finally had to go into msconfig and select safe boot from the BOOT.INI tab.

The new logs are...

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 8:19:34 AM 5/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 12:55:20 PM 5/19/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\imesmod.dll
C:\WINDOWS\system32\imesmod.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp49.tmp.dll
C:\WINDOWS\system32\tmp49.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp5C.tmp.dll
C:\WINDOWS\system32\tmp5C.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MI558C~1\BAK

06/03/2004 04:51 AM 172,032 type32.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

06/03/2004 04:50 AM 204,800 point32.exe
1 File(s) 204,800 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 08:00 AM 15,360 ctfmon.exe
06/10/2004 11:15 PM 83,968 nvraidservice.exe
2 File(s) 99,328 bytes

Directory of C:\PROGRA~1\CITRIX\GOTOMYPC\BAK

05/12/2007 11:37 AM 955 g2ldr.log
01/12/2007 06:45 PM 249,904 g2svc.exe
2 File(s) 250,859 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

07/30/2002 11:35 AM 77,824 vptray.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\TK8\TK8BAC~1\BAK

05/15/2007 09:14 AM 9,007 gridsettings.ini
05/15/2007 09:14 AM 1,322 gridsettings2.ini
05/15/2007 09:14 AM 66,272 tk8backup.elf
05/03/2005 12:45 AM 5,558,272 tk8backup.exe
05/15/2007 09:14 AM 292 tk8backup.ini
05/15/2007 09:14 AM 10,233 Toolbar.ini
6 File(s) 5,645,398 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

01/13/2003 02:05 PM 69,632 EngUtil.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPDESK~1\TOOLBOX\BAK

09/11/2003 12:32 AM 290,816 HPWITBX.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

12/15/2006 04:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\AUDIOC~1\BAK

01/09/2003 09:21 AM 253,952 RxMon.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

01/13/2003 10:19 AM 757,760 DrgToDsc.exe
1 File(s) 757,760 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
204800 Jun 3 2004 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
204800 Jun 3 2004 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
244224 Jun 10 2004 "C:\WINDOWS\system32\NvRaidMan.exe"
83968 Jun 10 2004 "C:\WINDOWS\system32\bak\nvraidservice.exe"
496 May 19 2007 "C:\Program Files\Citrix\GoToMyPC\g2ldr.log"
955 May 12 2007 "C:\Program Files\Citrix\GoToMyPC\bak\g2ldr.log"
888 May 14 2007 "C:\Documents and Settings\Linda Nicholas\Local Settings\Temp\{58f4d4fd-1814-4068-b316-c28fc776c6dd}\g2ldr.log"
249904 Jan 12 2007 "C:\Program Files\Citrix\GoToMyPC\g2svc.exe"
249904 Jan 12 2007 "C:\Program Files\Citrix\GoToMyPC\bak\g2svc.exe"
77824 Jul 30 2002 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
77824 Jul 30 2002 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
9007 May 15 2007 "C:\Program Files\TK8\TK8 Backup\gridsettings.ini"
9007 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\gridsettings.ini"
1322 May 15 2007 "C:\Program Files\TK8\TK8 Backup\gridsettings2.ini"
1322 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\gridsettings2.ini"
66272 May 15 2007 "C:\Program Files\TK8\TK8 Backup\tk8backup.elf"
66272 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.elf"
5558272 May 3 2005 "C:\Program Files\TK8\TK8 Backup\tk8backup.exe"
5558272 May 3 2005 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.exe"
2287 May 19 2007 "C:\Program Files\TK8\TK8 Backup\tk8backup.ini"
292 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\tk8backup.ini"
2760 May 19 2007 "C:\Documents and Settings\Linda Nicholas\Application Data\TK8 Software\TK8 Backup\TK8 Backup Program Options.ini"
2760 May 18 2007 "C:\Documents and Settings\LocalService\Application Data\TK8 Software\TK8 Backup\TK8 Backup Program Options.ini"
2760 May 18 2007 "C:\Documents and Settings\NetworkService\Application Data\TK8 Software\TK8 Backup\TK8 Backup Program Options.ini"
10233 May 15 2007 "C:\Program Files\TK8\TK8 Backup\Toolbar.ini"
10233 May 15 2007 "C:\Program Files\TK8\TK8 Backup\bak\Toolbar.ini"
69632 Jan 13 2003 "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
69632 Jan 13 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
290816 Sep 11 2003 "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe"
290816 Sep 11 2003 "C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\bak\HPWITBX.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
32881 May 10 2006 "C:\Program Files\Sage Software\Peachtree\PeachJava\JRE\bin\jusched.exe"
253952 Jan 9 2003 "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
253952 Jan 9 2003 "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe"
757760 Jan 13 2003 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
757760 Jan 13 2003 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report



Logfile of HijackThis v1.99.1
Scan saved at 1:33:23 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RMClient\PMCTray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp17.tmp.dll
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\kheefg.dll",realset
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: TK8 Backup Service (TK8BackupS) - Unknown owner - C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
kimc
Active Member
 
Posts: 7
Joined: May 15th, 2007, 2:45 pm
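The awf.bat that silver posted is built by hand from the FindAWF listing: every file under a bak folder is the original that was moved aside, and whatever now sits under the original name is what the batch file deletes before copying the bak copy back. The script below is an added example, not FindAWF's or the forum's own code. It parses a few lines constructed in the format of the "Duplicate files of bak directory contents" section, pairs each bak copy with its sibling in the parent directory, classifies the sibling by size, and emits the same del/copy pairs as the batch file. The function names and the classification rule (same size means intact, different size means review by hand, not listed means the original was not recognised as a copy) are my own assumptions for triage, not rules FindAWF applies.

```python
"""Triage a FindAWF 'Duplicate files of bak directory contents' listing.

Added example (not FindAWF's or the forum's code).  Assumed line format, taken
from the report above: '<size> <Mon> <day> <year> "<path>"', one file per line.
"""
import ntpath
import re

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3} \d{1,2} \d{4})\s+"(.+)"\s*$')

# Constructed sample in the report's format (a subset of the posted listing).
SAMPLE_REPORT = """\
172032 Jun 3 2004 "C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe"
172032 Jun 3 2004 "C:\\Program Files\\Microsoft IntelliType Pro\\bak\\type32.exe"
244224 Jun 10 2004 "C:\\WINDOWS\\system32\\NvRaidMan.exe"
83968 Jun 10 2004 "C:\\WINDOWS\\system32\\bak\\nvraidservice.exe"
2287 May 19 2007 "C:\\Program Files\\TK8\\TK8 Backup\\tk8backup.ini"
292 May 15 2007 "C:\\Program Files\\TK8\\TK8 Backup\\bak\\tk8backup.ini"
"""


def parse_listing(text):
    """Map each quoted path to (size, date); lines in another format are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3)] = (int(m.group(1)), m.group(2))
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named 'bak'."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def original_of(bak_path):
    """'<dir>\\bak\\name' -> '<dir>\\name', the location the file was moved from."""
    bak_dir = ntpath.dirname(bak_path)
    return ntpath.join(ntpath.dirname(bak_dir), ntpath.basename(bak_path))


def triage(text):
    """Classify what now sits under each original name (assumed rule, not FindAWF's).

    intact        same size as the bak copy
    size_differs  listed but a different size: malware, or a data/log file that
                  was legitimately rewritten, so review by hand
    not_listed    nothing under the original name made the duplicate list, so
                  the file now in place was not recognised as a copy
    """
    entries = parse_listing(text)
    verdicts = {}
    for path, (size, _) in entries.items():
        if not is_bak_copy(path):
            continue
        original = original_of(path)
        if original not in entries:
            verdicts[original] = "not_listed"
        elif entries[original][0] == size:
            verdicts[original] = "intact"
        else:
            verdicts[original] = "size_differs"
    return verdicts


def restore_commands(text):
    """The del/copy pair used in awf.bat above, generated for every bak copy."""
    commands = []
    for original in triage(text):
        bak = ntpath.join(ntpath.dirname(original), "bak", ntpath.basename(original))
        commands.append(f'if exist "{original}" del /q "{original}"')
        commands.append(f'copy /y "{bak}" "{original}"')
    return commands


if __name__ == "__main__":
    for original, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:13} {original}")
    print("\n".join(restore_commands(SAMPLE_REPORT)))
```

On the listing posted above this flags tk8backup.ini as size_differs (2287 bytes in place, 292 in bak), which is why a human still has to decide whether a changed .ini or .log is a replaced file or just a file the program rewrote; nvraidservice.exe comes out as not_listed because nothing under that name appears among the duplicates. ntpath is used deliberately so the backslash paths parse the same way whether the script runs on Windows or elsewhere.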

Unread postby silver » May 20th, 2007, 6:12 am

Hi kimc,

Just to let you know, using the Safe Boot option in MSConfig on an infected machine can, under certain circumstances, render it unbootable. Because of this danger, please don't use MSConfig until we have finished cleaning.

Please print/save a copy of these instructions because we will be using Safe Mode, during which time you won't have access to the internet.

The Vundo infection is still there but hopefully this time we'll get it:
  • Double-click VundoFix.exe to run it once more
  • Right-click the white box in the middle and select Add more files?
  • Copy the following paths into the boxes:
    C:\WINDOWS\system32\tmp17.tmp.dll
    C:\WINDOWS\kheefg.dll
  • Then press Add Files, Close Window and then Remove Vundo
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Then click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked; you can choose to check other boxes if you wish, but they are not required.
Press OK and Yes to confirm

Next, download, install, and update AVG Anti-Spyware 7.5
Download the installer from this page:
http://www.ewido.net/en/download/
  • Save the installer to desktop
  • Double click the installer, select your language, and then select OK
  • Click NEXT->Do or don't read the "User License Agreement"
    Select I Agree->NEXT->INSTALL
  • AVG will now install and afterwards click FINISH
  • Click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes the status bar at the bottom will display Update successful
  • Close AVG Anti-Spyware. Do not run a scan yet.
Reboot your computer into Safe Mode
To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads.
Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account
Note: If you try booting into Safe Mode several times and can't do it then please stop, post the Vundofix log and a new HijackThis log, and let me know what happened.

Once in safe mode:
  • Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the Settings tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and Un-check Only if Threats are found
  • Click back to the Scan tab and then click on Complete System Scan.
  • This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side.
  • Then, next to Set all elements to: click on Recommended action and select Quarantine from the list
  • Click the Apply all actions button. AVG Anti-Spyware 7.5 will display All actions have been applied on the right hand side.
  • Click on Save Report, then Save Report As. This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Now reboot your computer normally

Once complete, please post the Vundofix log, the AVG Antispyware log and a new HijackThis log.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
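The entries silver singles out across this thread (the tmpNN.tmp.dll BHOs, rundll32 loading a six-letter DLL straight out of C:\WINDOWS with the "realset" entry point, and lsasss.exe parked under a Lexmark run key and deleted by awf.bat) can be pre-flagged with a few heuristics before a human reads the whole log. The script below is an added example, not HijackThis code; the sample lines are constructed copies in HJT format, and the heuristics and thresholds (edit distance 1 to a core Windows process name, a six-letter DLL directly in the Windows directory) are assumptions chosen to match this thread's log and will need tuning elsewhere.

```python
"""Heuristic pre-screen of HijackThis O2/O4 lines for the patterns seen in this thread.

Added example (not HijackThis code).  Thresholds and name lists are assumptions
tuned to this log; they are a first pass for a human reader, not a verdict.
"""
import ntpath
import re

# Core Windows process names that malware commonly imitates (assumed list).
CORE_PROCESSES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe")

RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)
TMP_DLL_RE = re.compile(r'^tmp[0-9a-f]+\.tmp\.dll$', re.I)
# A six-letter DLL sitting directly in C:\WINDOWS (assumed pattern, matching
# awtrqo.dll, pmklli.dll and kheefg.dll from this thread).
WINDIR_ROOT_DLL_RE = re.compile(r'^c:\\windows\\[a-z]{6}\.dll$', re.I)

# Constructed sample: lines in HJT format, clean entries mixed with the flagged ones.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\\WINDOWS\\system32\\tmp17.tmp.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"
O4 - HKLM\\..\\Run: [Lexmark_X79-55] C:\\WINDOWS\\system32\\lsasss.exe
O4 - HKLM\\..\\Run: [setup] rundll32.exe "C:\\WINDOWS\\kheefg.dll",realset
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(command):
    """First token of an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def triage_line(line):
    """Reasons this line deserves a look; an empty list means nothing was noticed."""
    reasons = []
    if line.startswith("O2 - BHO:"):
        path = line.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        if TMP_DLL_RE.match(ntpath.basename(path)):
            reasons.append("BHO loads a tmpNN.tmp.dll")
    elif line.startswith("O4 - "):
        parts = line.split("] ", 1)
        if len(parts) < 2:          # Global Startup .lnk lines have no [name]
            return reasons
        command = parts[1]
        m = RUNDLL_RE.search(command)
        if m and WINDIR_ROOT_DLL_RE.match(m.group(1)):
            reasons.append(f"rundll32 loads {m.group(1)} via entry point {m.group(2)}")
        name = ntpath.basename(image_path(command)).lower()
        for core in CORE_PROCESSES:
            if name != core and edit_distance(name, core) == 1:
                reasons.append(f"{name} is a one-letter lookalike of {core}")
    return reasons


def triage(text):
    """Map every flagged line to its reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it flags exactly the three lines silver acted on and passes the Java, NVIDIA and SSVHelper entries untouched. The lookalike check is the one most worth keeping: a name one edit away from lsass.exe or svchost.exe sitting in a Run key is rarely legitimate, whereas the six-letter-DLL rule is specific to this family and should be dropped or widened on other logs.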

Unread postby kimc » May 20th, 2007, 3:08 pm

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 8:19:34 AM 5/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 12:55:20 PM 5/19/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\imesmod.dll
C:\WINDOWS\system32\imesmod.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp49.tmp.dll
C:\WINDOWS\system32\tmp49.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp5C.tmp.dll
C:\WINDOWS\system32\tmp5C.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 2:26:01 PM 5/20/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\kheefg.dll
C:\WINDOWS\kheefg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp17.tmp.dll
C:\WINDOWS\system32\tmp17.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:51:04 PM 5/20/2007

+ Scan result:



C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@pan.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@prizeamerica.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@try.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Linda Nicholas\Cookies\linda_nicholas@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 3:05:11 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\RMClient\PMCTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp17.tmp.dll (file missing)
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\kheefg.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: TK8 Backup Service (TK8BackupS) - Unknown owner - C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
kimc
Active Member
 
Posts: 7
Joined: May 15th, 2007, 2:45 pm

Unread postby silver » May 21st, 2007, 5:32 am

Hi kimc,

OK, things are looking better, but we have a few more things to do:

Temporarily disable Windows Defender:
Right-click on the Windows Defender icon in the system tray (the grey castle), select Exit and OK the prompt. Windows Defender will automatically start next time you reboot.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines (if present):
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp17.tmp.dll (file missing)
O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll (file missing)
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\kheefg.dll",realset


Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Backup Your Registry with ERUNT:
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For the version with the installer: use the setup program to install ERUNT on your computer
  • For the zipped version: Unzip all the files into a folder of your choice, such as C:\ERUNT

Run ERUNT from the start menu, or double-click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the backup folder and start ERDNT.exe

Then, open Notepad, and copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Change the Save As Type to All Files and save it as fix.reg to your Desktop.

Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindowsService]



Locate fix.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click Yes.

Download OTMoveIt to your desktop and double-click the program to start it.
Select the contents of the below file list, then press Ctrl+C to copy it to the clipboard
In OTMoveIt, click in the left-hand pane and press Ctrl+V to paste the file-list into the program
Then, press MoveIt!
Copy the Results output and paste it into a new notepad file so you can post it in your next response. Do this by clicking in the right-hand pane, press Ctrl-A then Ctrl-C to select all and copy. Then open Notepad, press Ctrl-V to paste in the text, and save this text file to your desktop.

OTMoveIt file list:
Code:
C:\Program Files\Microsoft IntelliType Pro\bak
C:\Program Files\Microsoft IntelliPoint\bak
C:\WINDOWS\system32\bak
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak
C:\Program Files\TK8\TK8 Backup\bak
C:\Program Files\Common Files\Roxio Shared\System\bak
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\bak
C:\Program Files\Java\jre1.5.0_11\bin\bak
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\Program Files\Citrix\GoToMyPC\bak
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\awtrqo.dll
C:\WINDOWS\pmklli.dll


Now, reboot your computer normally.

Once complete, please post the OTMoveIt log and a new HijackThis log, and let me know how your computer is running.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
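As an added example (not code from this thread, from MalwareRemoval.com or from HijackThis), here is a small Python triage script that applies the same judgements silver made on the 5/20 log as plain text checks: an O2 BHO with no name that points at a missing file, an O4 Run entry whose executable name imitates a core Windows process (lsasss.exe sitting next to the real lsass.exe), rundll32 loading a DLL out of the Windows folder root, and any O20 AppInit_DLLs entry. The list of core process names and the similarity threshold are assumptions chosen for illustration; the sample lines are copied from the logs above. The script only reads text and changes nothing on the machine.

```python
"""Triage of HijackThis log lines.

Added example for this thread; it is not code from MalwareRemoval.com or from
HijackThis. It applies, as plain string checks, the judgements silver made on
the 5/20 log: O2 BHO entries with no name that point at a missing file,
O4 Run entries whose executable imitates a core Windows process name
(lsasss.exe next to the real lsass.exe), rundll32 loading a DLL from the
Windows folder root, and any O20 AppInit_DLLs entry. It only reads text.
"""
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Core Windows process names that malware likes to imitate. Assumption: a short
# illustrative list, not an exhaustive one.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}
LOOKALIKE_RATIO = 0.85  # difflib similarity above which a name counts as a look-alike

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:(?P<value>.*)$")
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)


def exe_name(cmd):
    """Lower-case file name of the program a Run command starts (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        first = cmd[1:cmd.find('"', 1)]
    else:
        first = cmd.split(" ", 1)[0]
    return PureWindowsPath(first).name.lower()


def rundll32_target(cmd):
    """DLL path a rundll32 command loads, or None if cmd is not rundll32."""
    m = RUNDLL_RE.match(cmd)
    return m.group("dll") if m else None


def lookalike_of(name):
    """Core process name that `name` closely resembles without matching, else None."""
    if name in CORE_PROCESSES:
        return None
    for core in sorted(CORE_PROCESSES):
        if SequenceMatcher(None, name, core).ratio() >= LOOKALIKE_RATIO:
            return core
    return None


def triage(lines):
    """Return [(line, reason), ...] for entries that deserve a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            if m.group("path").endswith("(file missing)"):
                reason = "BHO points at a missing file"
                if m.group("name") == "(no name)":
                    reason += " and has no name"
                findings.append((line, reason))
        elif m := O4_RE.match(line):
            cmd = m.group("cmd")
            dll = rundll32_target(cmd)
            if dll is not None:
                # A DLL sitting directly in C:\WINDOWS rather than system32 is unusual.
                if PureWindowsPath(dll).parent.name.lower() == "windows":
                    findings.append((line, "rundll32 loads a DLL from the Windows folder root"))
            elif core := lookalike_of(exe_name(cmd)):
                findings.append((line, f"executable name imitates {core}"))
        elif O20_RE.match(line):
            findings.append((line, "AppInit_DLLs entry present"))
    return findings


# Sample input: lines copied from the 5/20 log in this thread (the ones silver
# fixed plus a few benign neighbours) and the O20 line from the 5/21 log.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp17.tmp.dll (file missing)",
    r"O2 - BHO: (no name) - {b589a1b3-9cae-44e7-88f2-30566dd2b7f2} - C:\WINDOWS\system32\imesmod.dll (file missing)",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit",
    r"O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe",
    r'O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\kheefg.dll",realset',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O20 - AppInit_DLLs:",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LINES):
        print(f"{why}:\n    {entry}")
```

Run it against a saved HijackThis log by passing the file's lines to triage(). The look-alike check deliberately uses a similarity ratio rather than an exact blacklist, so a single inserted or swapped letter in a system process name is caught, while the genuine names in CORE_PROCESSES are never reported; the ratio only guides a human reviewer, it does not decide on its own.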

Unread postby kimc » May 21st, 2007, 10:37 am

So far so good. Here are the logs of today's clean.

C:\Program Files\Microsoft IntelliType Pro\bak moved successfully.
C:\Program Files\Microsoft IntelliPoint\bak moved successfully.
C:\WINDOWS\system32\bak moved successfully.
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak moved successfully.
C:\Program Files\TK8\TK8 Backup\bak moved successfully.
C:\Program Files\Common Files\Roxio Shared\System\bak moved successfully.
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\bak moved successfully.
C:\Program Files\Java\jre1.5.0_11\bin\bak moved successfully.
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak moved successfully.
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak moved successfully.
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak moved successfully.
C:\Program Files\Citrix\GoToMyPC\bak moved successfully.
File/Folder C:\WINDOWS\system32\lsasss.exe not found.
File/Folder C:\WINDOWS\awtrqo.dll not found.
File/Folder C:\WINDOWS\pmklli.dll not found.

Created on 05/21/2007 10:30:36



Logfile of HijackThis v1.99.1
Scan saved at 10:34:32 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\RMClient\PMCTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: TK8 Backup Service (TK8BackupS) - Unknown owner - C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
kimc
Active Member
 
Posts: 7
Joined: May 15th, 2007, 2:45 pm

Unread postby silver » May 21st, 2007, 8:46 pm

Hi kimc,

OK, that looks great; we're almost done.

Temporarily disable Windows Defender:
Right-click on the Windows Defender icon in the system tray (the grey castle), select Exit and OK the prompt. Windows Defender will automatically start next time you reboot.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following line:
O20 - AppInit_DLLs:

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Clean up with OTMoveIt:
  • Open OTMoveIt once more
  • Close all other programs as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

You can now delete mslook.bat, DelDomains.inf, ResetProtocolDefaults.reg, awf.bat, FindAWF.exe and fix.reg from your Desktop.

Your Java is outdated and is now a security risk
Go to Start » Control Panel » Add/Remove Programs
Search for all previously installed versions of Java. (J2SE Runtime Environment.... )
(It should have this icon next to it: Image)
Click that entry and then click on the Change/Remove button and follow the instructions to remove Java.
Repeat to remove all versions of Java.
Download and install the newest version of Java Runtime Environment (JRE), from here:
http://java.sun.com/javase/downloads/index.jsp

Once complete, please post a new HijackThis log.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby kimc » May 22nd, 2007, 8:32 am

Thanks so much. If I need to do anything else let me know.

Logfile of HijackThis v1.99.1
Scan saved at 8:31:30 AM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RMClient\PMCTray.exe
C:\Program Files\TK8\TK8 Backup\tk8backup.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [TK8 Backup] C:\Program Files\TK8\TK8 Backup\tk8backup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9097983078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8819124953
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic.view22.com/app/view22RTE.cab
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: TK8 Backup Service (TK8BackupS) - Unknown owner - C:\Program Files\TK8\TK8 Backup\TK8BackupService.exe
kimc
Active Member
 
Posts: 7
Joined: May 15th, 2007, 2:45 pm

Unread postby silver » May 22nd, 2007, 8:03 pm

Hi kimc,

I'm glad to say that your log looks good and I think your machine is now clean :D

Here are some tips to help prevent reinfection:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule
Also, check that your antivirus and antispyware programs automatically update as often as practical.

Consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you install firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, I recommend Sunbelt Software's Kerio available from here:
http://www.sunbelt-software.com/Kerio

IESPYADS helps protect you from malicious websites by placing a list of known bad websites in Internet Explorer's Restricted Zone. This Zone limits the capabilities of these websites including preventing them from installing software. This will complement your security software and I recommend you install it:
http://www.spywarewarrior.com/uiuc/resource.htm

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out more about preventing infection:
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know you have read this, and if there are any further issues.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
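The two registry-backed mechanisms behind silver's first and third tips (the Automatic Updates setting, and the Restricted Sites zone that IE-SPYAD populates) can be inspected and driven from PowerShell. The script below is an added example written for this page; it is not part of the thread, not IE-SPYAD's own list, and the two domains it blocks are constructed placeholders. It assumes the per-user zone map layout used by Windows XP with IE 6/7 (HKCU), i.e. that the "Security Zones: Use only machine settings" policy is not in force, which would move these keys to HKLM.

```powershell
# Added example (not from the forum thread): report the Automatic Updates
# setting, then put a short constructed list of domains into Internet
# Explorer's Restricted Sites zone (zone 4), the same registry mechanism
# that IE-SPYAD's .reg file uses. Run as the user whose IE profile should
# change; writing under HKCU needs no administrator rights.
# Assumption: per-user zone settings (HKCU), not "Use only machine settings".

$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auMeaning = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install on a schedule'
}

function Get-AutoUpdateState {
    # AUOptions is the value behind Control Panel -> Automatic Updates.
    $props = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.AUOptions -eq $null) {
        return 'AUOptions not set (check Control Panel -> Automatic Updates)'
    }
    $code = [int]$props.AUOptions
    if ($auMeaning.ContainsKey($code)) { return $auMeaning[$code] }
    return "Unknown AUOptions value $code"
}

# Constructed placeholder hosts for this example only; IE-SPYAD ships its
# own, much longer list.
$blockedDomains = @('bad-example.test', 'pushy-popups.example')

$zoneMap        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$restrictedZone = 4   # 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted

function Add-RestrictedSite([string]$domain) {
    # One key per domain; a value named '*' covers every scheme. Naming the
    # value 'http' or 'https' instead would scope the mapping to that scheme.
    $key = Join-Path $zoneMap $domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value $restrictedZone -Type DWord
}

function Test-RestrictedSite([string]$domain) {
    # Verification step: read the mapping back rather than trusting the write.
    $key = Join-Path $zoneMap $domain
    if (-not (Test-Path $key)) { return $false }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'*'
    return ($value -eq $restrictedZone)
}

Write-Host ('Automatic Updates: ' + (Get-AutoUpdateState))
foreach ($d in $blockedDomains) {
    Add-RestrictedSite $d
    Write-Host ('{0} in Restricted zone: {1}' -f $d, (Test-RestrictedSite $d))
}
```

Changes to the zone map take effect for new IE windows; the Restricted Sites list in Internet Options -> Security shows the added domains, which is a quick way to confirm the write landed in the hive IE is actually reading.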