Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Win32:VB StatC Trojan. Need help with removal

Unread postby WarrenChernoff » June 9th, 2007, 7:25 pm

Need help with Trojan removal



Logfile of HijackThis v1.99.1
Scan saved at 4:24:23 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Downloads\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gxiiquae.dll
O2 - BHO: (no name) - {E5225210-F293-40FE-BB2F-D5A3C7F13C47} - C:\WINDOWS\system32\wvuvstt.dll (file missing)
O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\dxiniiui.dll",realset
O4 - HKLM\..\Run: [j8241932] rundll32 C:\WINDOWS\system32\j8241932.dll sook
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC56EDF3-E542-4036-9160-0511D7211541}: NameServer = 64.59.168.13,64.59.168.15
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware2005\cwproto.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm
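The helper reads the HijackThis log above by looking for a few specific patterns: unnamed O2 BHOs registered from system32 (some still on disk, some already "(file missing)"), O4 Run entries that use rundll32 to load an oddly named system32 DLL, and O20 Winlogon Notify DLLs that are not a known package. The script below is an added example, not part of this thread or of HijackThis, that applies those same checks to sample lines copied from the first log; the two known-good lists are assumptions for the example, not HijackThis data.

```python
"""Triage of HijackThis v1.99.1 log lines (added example).

Flags the same things a helper looks for in the log above: unnamed BHOs in
system32, rundll32 loaders for unrecognised system32 DLLs, and Winlogon
Notify packages outside a known-good list.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gxiiquae.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\dxiniiui.dll",realset
O4 - HKLM\..\Run: [j8241932] rundll32 C:\WINDOWS\system32\j8241932.dll sook
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
"""

# Assumed known-good lists for this example only (not HijackThis data); a real
# analyst would consult a vetted startup/BHO database instead.
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll"}
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}

# Finding reasons, kept as constants so callers can test against them.
UNNAMED_BHO_MISSING = "unnamed BHO whose DLL is gone: stale registration, remove the CLSID"
UNNAMED_BHO_PRESENT = "unnamed BHO loaded from system32 and still on disk: treat as suspect"
RUNDLL32_LOADER = "rundll32 loading an unrecognised system32 DLL at logon"
WINLOGON_NOTIFY = "Winlogon Notify package not on the known-good list"

# One regex per HijackThis section this example understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
DLL_IN_CMD_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.dll', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section: O2, O4 or O20
    key: str       # CLSID, Run value name or Notify key
    path: str      # DLL the entry points at
    reason: str    # one of the reason constants above


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious O2/O4/O20 entries found in a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # Legitimate BHOs normally carry a class name; unnamed ones in
            # system32 are the Vundo-style pattern seen in this log.
            if m["name"] == "(no name)" and in_system32(m["path"]):
                reason = UNNAMED_BHO_MISSING if m["missing"] else UNNAMED_BHO_PRESENT
                findings.append(Finding("O2", m["clsid"], m["path"], reason))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            if cmd.lower().startswith("rundll32"):
                dll = DLL_IN_CMD_RE.search(cmd)
                if dll and in_system32(dll.group()) and basename(dll.group()) not in KNOWN_RUNDLL32_DLLS:
                    findings.append(Finding("O4", m["key"], dll.group(), RUNDLL32_LOADER))
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe; anything unknown gets reviewed.
            if basename(m["path"]) not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("O20", m["key"], m["path"], WINLOGON_NOTIFY))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.key:<40} {f.path}\n     -> {f.reason}")
```

Run against the second log in the thread (after ComboFix), the two O4 loaders and the winetn32 Notify entry no longer appear, while the "(file missing)" BHO registrations are still reported as stale CLSIDs to clean.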

Unread postby tim s » June 9th, 2007, 11:38 pm

Hello WarrenChernoff,

Welcome to the MalWare Removal forums! I'll be glad to help you with your computer problems.
HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:
  1. If you don't know, stop and ask! Don't continue, we don't want to start all over again!
  2. Understand that cleaning your computer can sometimes take multiple passes/posts,
    and it's important to follow the steps as listed, including re-running scans as listed.
  3. Please reply to this thread, do not start another.


If you can do those three things, everything should go smoothly.


---------------------------------------------------------------------------

Your HJT log indicates you have 2 Anti-Virus programs

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two or more anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. They can conflict with each other which leaves you open to infection.

avast! Antivirus and Norton

If you have more than one antivirus program installed, you must narrow it down to only one. Please choose one that is currently capable of receiving updates of virus definitions. If you have an antivirus program that no longer has an active subscription to antivirus updates, it cannot protect your system from malware.

You must decide which one you want to use and uninstall all others.

If you decide to keep Avast! then you will need to install a firewall to go with it because it does not come with one.
Here are some you can choose from.
Only run one firewall program, the same as with antivirus software.

Firewall protection programs (free for personal home use only):

  • Jetico Personal Firewall
  • Comodo Firewall
  • ZoneAlarm

-----------------------------------------------------------------------------------

Do this next:

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-------------------------------------------------------------------

Next do the following:
1. Download this file - combofix.exe
2. Close all open windows.
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. It is located >> C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings.

-----------------------------------------------------------------------

Please post these in your next reply to this thread, using the Post Reply button:
C:\vundofix.txt
C:\ComboFix.txt
New HJT log
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby WarrenChernoff » June 10th, 2007, 1:57 am

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:28:00 PM 06/09/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

ComboFix 07-06-09.5 - C:\Documents and Settings\User\My Documents\Downloads\ComboFix.exe
"User" - 2007-06-09 22:45:16 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gxiiquae.dll
C:\WINDOWS\system32\winetn32.dll
C:\WINDOWS\system32\stutv.bak1


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\User\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\User\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-09 22:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 22:24 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Jetico Personal Firewall
2007-06-09 22:20 <DIR> d-------- C:\Program Files\Jetico
2007-06-06 20:00 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 19:58 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-05 19:34 10,752 --a------ C:\WINDOWS\system32\j8241932.dll
2007-06-04 19:05 <DIR> d-------- C:\VundoFix Backups
2007-06-03 14:46 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Lavasoft
2007-06-03 14:40 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-03 14:40 <DIR> d-------- C:\Program Files\Your Uninstaller 2006
2007-06-03 14:40 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\URSoft
2007-06-03 12:18 <DIR> d-------- C:\Program Files\IMSIDesign
2007-06-03 12:18 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\IMSIDesign
2007-06-03 12:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\IMSIDesign
2007-06-03 11:44 1,536 --a------ C:\cwainda.exe
2007-06-03 11:18 18,944 --a------ C:\WINDOWS\system32\winepi32(2).dll
2007-06-02 23:14 7,864,320 --a------ C:\DOCUME~1\User\ntuser.dat
2007-06-01 19:19 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-06-01 19:19 237,568 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-01 19:19 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-06-01 19:19 1,216,512 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-01 19:19 <DIR> d-------- C:\TempDVD
2007-06-01 19:19 <DIR> d-------- C:\Program Files\dvdSanta
2007-06-01 19:19 <DIR> d-------- C:\dvdsanta
2007-06-01 08:02 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-06-01 08:02 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-06-01 08:02 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-06-01 08:02 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-06-01 08:02 <DIR> d-------- C:\Program Files\Cucusoft
2007-06-01 08:02 <DIR> d-------- C:\ConverterOutput
2007-05-31 18:57 <DIR> d-------- C:\Program Files\WebEx
2007-05-31 18:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sage Software
2007-05-31 18:51 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2007-05-31 18:50 40,448 --------- C:\WINDOWS\system32\dsofile.dll
2007-05-31 18:49 <DIR> d-------- C:\Program Files\Simply Accounting Pro 2007


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 05:16:23 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-10 05:16:22 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-10 05:15:52 -------- d-----w C:\Program Files\Symantec
2007-06-08 03:40:35 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-08 00:55:41 -------- d-----w C:\DOCUME~1\User\APPLIC~1\uTorrent
2007-06-06 01:58:26 -------- d-----w C:\Program Files\Payroll
2007-06-05 02:59:15 -------- d-----w C:\Program Files\NoAdware3
2007-06-03 21:46:39 -------- d-----w C:\Program Files\Lavasoft
2007-06-03 21:45:07 -------- d-----w C:\Program Files\XoftSpy
2007-06-03 20:33:18 -------- d-----w C:\Program Files\TopDownloads_WhenUSave_Installer
2007-06-03 18:19:00 -------- d-----w C:\Program Files\uTorrent
2007-06-03 18:18:59 -------- d-----w C:\Program Files\Mouse
2007-06-03 18:07:50 -------- d-----w C:\Program Files\caseware2005
2007-06-01 01:50:31 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-28 18:47:08 -------- d-----w C:\Program Files\winsim85
2007-04-23 05:09:54 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-04-23 05:09:26 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
{1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6}=C:\WINDOWS\system32\vtstu.dll []
{47057EFC-2DD2-475A-A41B-BF74B05A5319}=C:\WINDOWS\system32\jkklj.dll []
{B2DEC5DB-BB0B-44DA-9961-B8C0600761C8}=C:\WINDOWS\system32\vtsqo.dll []
{F5E924A5-3D05-4652-BB2F-EF3478A393F6}=C:\WINDOWS\system32\ssttr.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="C:\Program Files\Mouse\Amoumain.exe" [2003-01-07 18:55]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 18:36]
"CARPService"="carpserv.exe" [2003-01-09 13:42 C:\WINDOWS\system32\carpserv.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"nwiz"="nwiz.exe" [2002-11-18 15:15 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-10 11:29]
"JeticoPFStartup"="C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-18 23:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cacheman"="C:\PROGRA~1\Cacheman\Cacheman.exe" [2002-02-10 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\system32\mljhihf.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]
C:\WINDOWS\wrqewmob.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-09 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-10 05:48:34 C:\WINDOWS\tasks\Symantec NetDetect.job
2005-06-13 17:02:32 C:\WINDOWS\tasks\XoftSpy.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 22:49:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 22:51:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 22:51


Logfile of HijackThis v1.99.1
Scan saved at 10:57:08 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Downloads\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC56EDF3-E542-4036-9160-0511D7211541}: NameServer = 64.59.168.13,64.59.168.15
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware2005\cwproto.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm

Unread postby tim s » June 10th, 2007, 9:11 am

Hello WarrenChernoff,

Thanks for posting logs. I will need to see an uninstall list.

Make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis


2. Click on the Open the Misc tool section button
3. Click on the Misc Tools button


4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:


5. Click on the Save list... button and specify where you would like to save this file. When you press the Save list button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply. Note: please uncheck Word Wrap under Format in Notepad.

Post the HJT uninstall list in your next reply.
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby WarrenChernoff » June 10th, 2007, 3:47 pm

µTorrent
Ace DivX Player
Ad-Aware SE Professional
Adobe Acrobat 5.0
Adobe Flash Player 9
Audacity 1.0.0
avast! Antivirus
Cacheman 5.11
CaseWare Working Papers 2005
CCleaner (remove only)
CleanUp!
DivX
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDInfoPro
dvdSanta 4.50
ERUNT 1.1j
FinePrint
FLAC Installer 1.1.2a (remove only)
Generic SoftK56 Data Fax Voice CARP
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Internet Explorer Q903235
iWheelWorks V7.40
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Jetico Personal Firewall 1.0
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Expedia Trip Planner 98
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Windows Journal Viewer
Microsophic products - Common Components
Movie Joiner
Mozilla (1.7.13)
MSXML 4.0 SP2 (KB927978)
Nero 6 Enterprise Edition
NoAdware v3.0
NR4
NR4 - 2005
NVIDIA Windows 2000/XP Display Drivers
Outerinfo
Palo Alto Software's Application Manager 8.1
PCI SoftV92 Modem
pdfFactory Pro
Pixia
Practitioners Income Tax Act
ProFile - Uninstall Only
PropertiesPlus (Remove Only)
Public Practice Manual 2005
QBFC2.0CA
QBFC3.0b
QuickTime
RealPlayer
Roxio DVDMAX Player
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Simply Accounting 2003 Pro
Simply Accounting 2005 Pro
Simply Accounting by Sage 2006
Simply Accounting by Sage 2007
Simply Accounting v8.5
SoftK56 Data Fax Voice CARP
SoftV92 Voice Modem with SmartCP
SoundMAX
SpywareBlaster v3.4
SpywareGuard v2.2
Startup Control Panel
SurvTool
T2-2005
T4
T4 - 2005
T4 - 2006
T4 - T5 Common File
T4 - T5 Common File - 2006
T4-T4A-T5 Printer Common Files
T5
T5 - 2005
T5 - 2006
T5013
T5013
T5018
The Rosetta Stone
Total Recorder 6.0
TurboCAD Deluxe 14
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.5
Virtual Professional Library - Folio Views
Virtual Professional Library - Infobase (Download)
WebEx Record and Playback
Winamp (remove only)
WinAVIVideoConverter
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
Your Uninstaller! 2006 Version 5
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm

Unread postby tim s » June 10th, 2007, 7:54 pm

Hello WarrenChernoff,

These Add or Remove Programs entries correspond to programs that are either malware, install malware, or are bundled with malware:
NoAdware v3.0
Outerinfo


------------------------------------------------

Add/Remove Programs
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following:

    NoAdware v3.0
    Outerinfo
    LiveReg (Symantec Corporation)
    <<<< part of Norton, can be removed
    LiveUpdate 2.5 (Symantec Corporation)
You will need to reboot the computer to complete the uninstall.

------------------------------------------------

Here we are going to clean out cookies and temp files from your computer.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here. It will start to download automatically. If asked whether you want to download, let it. Save to your Desktop.
Note: If you get an Error page from this link, try again. You will see the message "Your download of CCleaner will automatically start in 5 seconds. Click here if it does not"; do not wait, go ahead and click on it.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Follow the prompts to install, then click Finish to complete the installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
    • On the Windows tab, under Internet Explorer,
      • All Boxes should have a check mark. (You will need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit).
    • On the Windows tab, under Windows Explorer,
      • All Boxes should have a check mark.
    • On the Windows tab, under System,
      • All Boxes should have a check mark.
    • On the Windows tab, under Advanced,
      • NO check marks
  • If you use either the Firefox or Mozilla browsers, the box to put a check in for "Cookies" is on the Applications tab, under Firefox/Mozilla. If it is already checked, move to the next step.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    Deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
  • You will need to reboot here if not asked to do so.
_______________________________

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports. <<< This step is very important
    • Under What to scan? - Select Scan every file.
Close AVG Anti-Spyware without running a scan yet.
Now disable (turn off) AVG Anti-Spyware:
  • Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.

______________________________

Now you will need to download and install the Safe Mode patch for the new AVG program to run in Safe Mode. It will not run in Safe Mode without this patch.

Go here and download the patch to your desktop: >>> http://fileserver.ewido.net/public.cgi?id=20990

Then double-click on the AVG_Anti-Spyware_7.5.1.36_Safe_Mode_Registry_Patch.reg file that is on your desktop (the icon should look like this: [image]), and when it prompts to merge, say Yes.

After it is installed, move to the next step.
------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________


Open AVG Anti-Spyware program.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Restart computer back into normal mode.

-----------------------------------------------------------

Post these in next reply:
AVG Anti-Spyware report
New HJT log
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby WarrenChernoff » June 10th, 2007, 11:30 pm

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:18:17 PM 6/10/2007

+ Scan result:



C:\VundoFix Backups\wvutqrp.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvuvstt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\User\3.tmp -> Downloader.Agent.brr : Cleaned with backup (quarantined).
C:\cwainda.exe -> Downloader.Tiny.he : Cleaned with backup (quarantined).
C:\WINDOWS\system32\j8241932.dll -> Hijacker.Small.mw : Cleaned with backup (quarantined).
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@2o7[3].txt -> TrackingCookie.2o7 : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@ad-flow[1].txt -> TrackingCookie.Ad-flow : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/Advertisingcom.zip/administrator@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/Advertisingcom1.zip/administrator@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/Advertisingcom2.zip/administrator@advertising[3].txt -> TrackingCookie.Advertising : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/Advertisingcom3.zip/administrator@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/AvenueAInc.zip/administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/AvenueAInc1.zip/administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/BFast.zip/administrator@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@www.commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/CoreMetrics.zip/administrator@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@bilbo.counted[2].txt -> TrackingCookie.Counted : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@tuerck.de.counted[2].txt -> TrackingCookie.Counted : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/DoubleClick.zip/administrator@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/FastClick.zip/administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/FastClick1.zip/administrator@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/FastClick2.zip/administrator@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@fortunecity[1].txt -> TrackingCookie.Fortunecity : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@gator[2].txt -> TrackingCookie.Gator : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox.zip/administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox1.zip/administrator@ehg-ontrackdateinternational.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox10.zip/administrator@ehg-sonyny.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox11.zip/administrator@ehg-sonicblue.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox12.zip/administrator@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox13.zip/administrator@w101.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox14.zip/administrator@ehg-micron.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox15.zip/administrator@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox16.zip/administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox17.zip/administrator@ehg-quantumcorp.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox2.zip/administrator@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox3.zip/administrator@ehg-sonicblue.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox4.zip/administrator@ehg-qualcomm.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox5.zip/administrator@ehg.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox6.zip/administrator@hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox7.zip/administrator@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox8.zip/administrator@ehg-intel.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/HitBox9.zip/administrator@ehg-sonyelec.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@www.infinite-ads[2].txt -> TrackingCookie.Infinite-ads : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@adserv.internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/MediaPlex.zip/administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@www.paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@www1.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@www.qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@tribalfusion[3].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@ads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@servedfor.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/ValueClick.zip/administrator@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/ValueClick1.zip/administrator@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@x10[1].txt -> TrackingCookie.X10 : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@x10[2].txt -> TrackingCookie.X10 : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
C:\Other\Spybot - Search & Destroy 1.1.exe/Spybot - Search & Destroy 1.1/Recovery/InternetExplorer1.zip/administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\S-1-5-21-782189750-2106517767-3757435101-500\Dc1.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-782189750-2106517767-3757435101-500\Dc2.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-782189750-2106517767-3757435101-500\Dc3.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\winetn32.dll.vir -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP421\A0071817.dll -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winepi32(2).dll -> Trojan.Dialer.qn : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 8:30:35 PM, on 06/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Downloads\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC56EDF3-E542-4036-9160-0511D7211541}: NameServer = 64.59.168.13,64.59.168.15
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware2005\cwproto.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
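The four `(no name)` O2 entries with `(file missing)` in the HijackThis log above are the ones the helper's ComboFix script later targets. As an added example (not a tool from this thread, from HijackThis or from ComboFix), the Python script below parses the O2 lines of a HijackThis log, flags BHO registrations that carry no name or whose DLL no longer exists, and renders them in the `File::` / `Registry::` script layout used in this thread. The sample lines are excerpted from the log above; the flagging heuristic is my own assumption, not HijackThis's classification.

```python
import re

# Constructed sample input: six lines excerpted from the HijackThis log
# posted above (one legitimate BHO, four orphaned ones, one O4 line that
# the O2 parser must ignore).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)",
    r"O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)",
    r"O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)",
    r"O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
]
SAMPLE_HJT_LOG = "\n".join(SAMPLE_HJT_LINES) + "\n"

# Registry key HijackThis reads O2 entries from (the same key the ComboFix
# script later in this thread edits).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_bho_entries(log_text):
    """Return one dict per O2 (BHO) line found in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_RE.match(raw.strip())
        if not m:
            continue  # not an O2 line (O4, O23, headers, process list ...)
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return entries


def flag_orphaned_bhos(entries):
    """Heuristic (my assumption, not HijackThis's own rating): a BHO that
    registers no name, or whose DLL no longer exists on disk, is a leftover
    registration that deserves review before removal. A missing file alone
    can also be the remains of a cleanly uninstalled program."""
    return [e for e in entries if e["name"] == "(no name)" or e["file_missing"]]


def build_cfscript(flagged):
    """Render flagged entries in the File:: / Registry:: layout used by the
    ComboFix script in this thread; "{CLSID}=-" deletes that value."""
    paths = list(dict.fromkeys(e["path"] for e in flagged))    # dedupe, keep order
    clsids = list(dict.fromkeys(e["clsid"] for e in flagged))
    lines = ["File::", *paths, "", "Registry::", "[" + BHO_KEY + "]",
             *(c + "=-" for c in clsids)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_orphaned_bhos(parse_bho_entries(SAMPLE_HJT_LOG))
    for e in found:
        print(f"{e['clsid']}  {e['path']}  (file missing={e['file_missing']})")
    print()
    print(build_cfscript(found))
```

The output is a review list, not something to run blindly: a BHO line with `(file missing)` can also be the trace of a normally uninstalled toolbar, so each flagged CLSID should be checked against the rest of the logs before it goes into a script. Note also that the HijackThis log alone would not have shown the `mljhihf.dll` ShellExecuteHook that the helper adds to the script; that came from the "Reg Loading Points" section of the ComboFix log, which is why both logs are requested.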

Unread postby tim s » June 11th, 2007, 12:26 am

Hello WarrenChernoff,

Thanks for posting the logs. Good work.

I will need to see a new ComboFix log; there is more that needs to be done.

Re-run combofix:
  • Close all open windows.
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. It is located >> C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Unread postby WarrenChernoff » June 11th, 2007, 1:07 am

ComboFix 07-06-09.5 - C:\Documents and Settings\User\My Documents\Downloads\ComboFix.exe
"User" - 2007-06-10 21:48:39 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-10 18:17 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-09 22:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 22:24 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Jetico Personal Firewall
2007-06-09 22:20 <DIR> d-------- C:\Program Files\Jetico
2007-06-06 20:00 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 19:58 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-04 19:05 <DIR> d-------- C:\VundoFix Backups
2007-06-03 14:46 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Lavasoft
2007-06-03 14:40 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-03 14:40 <DIR> d-------- C:\Program Files\Your Uninstaller 2006
2007-06-03 14:40 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\URSoft
2007-06-03 12:18 <DIR> d-------- C:\Program Files\IMSIDesign
2007-06-03 12:18 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\IMSIDesign
2007-06-03 12:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\IMSIDesign
2007-06-02 23:14 7,864,320 --a------ C:\DOCUME~1\User\ntuser.dat
2007-06-01 19:19 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-06-01 19:19 237,568 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-01 19:19 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-06-01 19:19 1,216,512 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-01 19:19 <DIR> d-------- C:\TempDVD
2007-06-01 19:19 <DIR> d-------- C:\Program Files\dvdSanta
2007-06-01 19:19 <DIR> d-------- C:\dvdsanta
2007-06-01 08:02 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-06-01 08:02 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-06-01 08:02 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-06-01 08:02 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-06-01 08:02 <DIR> d-------- C:\Program Files\Cucusoft
2007-06-01 08:02 <DIR> d-------- C:\ConverterOutput
2007-05-31 18:57 <DIR> d-------- C:\Program Files\WebEx
2007-05-31 18:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sage Software
2007-05-31 18:51 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2007-05-31 18:50 40,448 --------- C:\WINDOWS\system32\dsofile.dll
2007-05-31 18:49 <DIR> d-------- C:\Program Files\Simply Accounting Pro 2007


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-11 01:08:54 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-11 01:06:29 -------- d-----w C:\Program Files\NoAdware3
2007-06-10 05:16:23 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-08 03:40:35 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-08 00:55:41 -------- d-----w C:\DOCUME~1\User\APPLIC~1\uTorrent
2007-06-06 01:58:26 -------- d-----w C:\Program Files\Payroll
2007-06-03 21:46:39 -------- d-----w C:\Program Files\Lavasoft
2007-06-03 21:45:07 -------- d-----w C:\Program Files\XoftSpy
2007-06-03 20:33:18 -------- d-----w C:\Program Files\TopDownloads_WhenUSave_Installer
2007-06-03 18:19:00 -------- d-----w C:\Program Files\uTorrent
2007-06-03 18:18:59 -------- d-----w C:\Program Files\Mouse
2007-06-03 18:07:50 -------- d-----w C:\Program Files\caseware2005
2007-06-01 01:50:31 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-28 18:47:08 -------- d-----w C:\Program Files\winsim85
2007-04-23 05:09:54 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-04-23 05:09:26 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
{1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6}=C:\WINDOWS\system32\vtstu.dll []
{47057EFC-2DD2-475A-A41B-BF74B05A5319}=C:\WINDOWS\system32\jkklj.dll []
{B2DEC5DB-BB0B-44DA-9961-B8C0600761C8}=C:\WINDOWS\system32\vtsqo.dll []
{F5E924A5-3D05-4652-BB2F-EF3478A393F6}=C:\WINDOWS\system32\ssttr.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="C:\Program Files\Mouse\Amoumain.exe" [2003-01-07 18:55]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 18:36]
"CARPService"="carpserv.exe" [2003-01-09 13:42 C:\WINDOWS\system32\carpserv.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"nwiz"="nwiz.exe" [2002-11-18 15:15 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-10 11:29]
"JeticoPFStartup"="C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-18 23:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cacheman"="C:\PROGRA~1\Cacheman\Cacheman.exe" [2002-02-10 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\system32\mljhihf.dll" []
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]
C:\WINDOWS\wrqewmob.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-09 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2005-06-13 17:02:32 C:\WINDOWS\tasks\XoftSpy.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 21:51:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [3996]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 21:52:22
C:\ComboFix-quarantined-files.txt ... 2007-06-10 21:51

--- E O F ---
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm

Unread postby tim s » June 11th, 2007, 6:57 am

Hello WarrenChernoff,

Please do the following:

Open notepad and copy/paste the text in the quotebox below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.

File::
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\mljhihf.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6}=-
{47057EFC-2DD2-475A-A41B-BF74B05A5319}=-
{B2DEC5DB-BB0B-44DA-9961-B8C0600761C8}=-
{F5E924A5-3D05-4652-BB2F-EF3478A393F6}=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"=-



Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

----------------------------------------------------------------

Run Panda's ActiveScan from here and perform a full system scan.
NOTE* You must use Internet Explorer for this scan to work.

1. Once you are on the Panda site, scroll to the bottom of the page and click the "Scan your PC" button. NOTE: If you have a popup blocker enabled, you will have to allow the popup here.
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple of minutes. You may have to reboot here and start back with step 1. I did.)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply with others requested.

----------------------------------------------------------------

Please post in next reply these:
Combofix.txt
Panda's report
New HJT log
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby WarrenChernoff » June 11th, 2007, 10:42 pm

ComboFix 07-06-09.5 - C:\Documents and Settings\User\My Documents\Downloads\ComboFix.exe
"User" - 2007-06-11 17:44:25 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\User\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))


2007-06-10 18:17 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-09 22:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 22:24 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Jetico Personal Firewall
2007-06-09 22:20 <DIR> d-------- C:\Program Files\Jetico
2007-06-06 20:00 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 19:58 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-04 19:05 <DIR> d-------- C:\VundoFix Backups
2007-06-03 14:46 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Lavasoft
2007-06-03 14:40 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-03 14:40 <DIR> d-------- C:\Program Files\Your Uninstaller 2006
2007-06-03 14:40 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\URSoft
2007-06-03 12:18 <DIR> d-------- C:\Program Files\IMSIDesign
2007-06-03 12:18 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\IMSIDesign
2007-06-03 12:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\IMSIDesign
2007-06-02 23:14 7,864,320 --a------ C:\DOCUME~1\User\ntuser.dat
2007-06-01 19:19 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-06-01 19:19 237,568 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-01 19:19 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-06-01 19:19 1,216,512 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-01 19:19 <DIR> d-------- C:\TempDVD
2007-06-01 19:19 <DIR> d-------- C:\Program Files\dvdSanta
2007-06-01 19:19 <DIR> d-------- C:\dvdsanta
2007-06-01 08:02 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-06-01 08:02 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-06-01 08:02 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-06-01 08:02 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-06-01 08:02 <DIR> d-------- C:\Program Files\Cucusoft
2007-06-01 08:02 <DIR> d-------- C:\ConverterOutput
2007-05-31 18:57 <DIR> d-------- C:\Program Files\WebEx
2007-05-31 18:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sage Software
2007-05-31 18:51 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2007-05-31 18:50 40,448 --------- C:\WINDOWS\system32\dsofile.dll
2007-05-31 18:49 <DIR> d-------- C:\Program Files\Simply Accounting Pro 2007


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-11 01:08:54 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-11 01:06:29 -------- d-----w C:\Program Files\NoAdware3
2007-06-10 05:16:23 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-08 03:40:35 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-08 00:55:41 -------- d-----w C:\DOCUME~1\User\APPLIC~1\uTorrent
2007-06-06 01:58:26 -------- d-----w C:\Program Files\Payroll
2007-06-03 21:46:39 -------- d-----w C:\Program Files\Lavasoft
2007-06-03 21:45:07 -------- d-----w C:\Program Files\XoftSpy
2007-06-03 20:33:18 -------- d-----w C:\Program Files\TopDownloads_WhenUSave_Installer
2007-06-03 18:19:00 -------- d-----w C:\Program Files\uTorrent
2007-06-03 18:18:59 -------- d-----w C:\Program Files\Mouse
2007-06-03 18:07:50 -------- d-----w C:\Program Files\caseware2005
2007-06-01 01:50:31 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-28 18:47:08 -------- d-----w C:\Program Files\winsim85
2007-04-23 05:09:54 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-04-23 05:09:26 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
{1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6}=C:\WINDOWS\system32\vtstu.dll []
{47057EFC-2DD2-475A-A41B-BF74B05A5319}=C:\WINDOWS\system32\jkklj.dll []
{B2DEC5DB-BB0B-44DA-9961-B8C0600761C8}=C:\WINDOWS\system32\vtsqo.dll []
{F5E924A5-3D05-4652-BB2F-EF3478A393F6}=C:\WINDOWS\system32\ssttr.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="C:\Program Files\Mouse\Amoumain.exe" [2003-01-07 18:55]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 18:36]
"CARPService"="carpserv.exe" [2003-01-09 13:42 C:\WINDOWS\system32\carpserv.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"nwiz"="nwiz.exe" [2002-11-18 15:15 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-10 11:29]
"JeticoPFStartup"="C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-18 23:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cacheman"="C:\PROGRA~1\Cacheman\Cacheman.exe" [2002-02-10 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸K0¨4W]
C:\WINDOWS\wrqewmob.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-09 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2005-06-13 17:02:32 C:\WINDOWS\tasks\XoftSpy.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 17:47:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [2012]


scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-11 17:48:12
C:\ComboFix-quarantined-files.txt ... 2007-06-11 17:47

--- E O F ---







Incident Status Location

Virus:Trj/Mitglieder.DC!CME-766 Disinfected C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\msd3o7pi.slt\Mail\pop.uniserve.com\Inbox[6.zip][01_05_2005.exe]
Virus:Trj/Mitglieder.DC!CME-766 Disinfected C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\msd3o7pi.slt\Mail\pop.uniserve.com\Trash[6.zip][01_05_2005.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\My Documents\Downloads\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\Nailfix.zip[Nailfix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\New Folder\Nailfix\Process.exe
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\gxiiquae.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\NPROTECT\00123936.dll
Virus:Trj/Clicker.ACO Disinfected C:\RECYCLER\S-1-5-21-782189750-2106517767-3757435101-500\Dc4.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cdhinqvd.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\dxiniiui.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jkklj.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\mljhihf.dll.bad
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\oxrtmxhf.dll.bad
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\qwqqhavo.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vtsqo.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vtstu.dll.bad
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\yfplehbt.dll.bad
Virus:Trj/Keyhost.A Disinfected C:\WINDOWS\inf\host.inf
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe





Logfile of HijackThis v1.99.1
Scan saved at 7:39:39 PM, on 06/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC56EDF3-E542-4036-9160-0511D7211541}: NameServer = 64.59.168.13,64.59.168.15
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware2005\cwproto.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm

Unread postby tim s » June 12th, 2007, 9:52 am

Hello WarrenChernoff,

Thanks for posting logs.

This is next:

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)
    O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)
    O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

Restart computer

------------------------------------------------------

Please do an online scan with Kaspersky Online Scanner

Notice!
A new version of Kaspersky Virus Scanner has been released on August 8, 2006. If you have installed a previous version, you must uninstall that program first before installing the new version. To uninstall, please go to the computer control panel and select "Add/Remove Programs." Close all Internet Explorer windows before uninstalling the Kaspersky Online Scanner.
Note* You must use Internet Explorer for the scan, not Firefox, if you have it.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As button:
    • Save the file to your desktop.
    • File Type: Text file (*.txt).
    • Name: Kav.txt for example
  • Copy and paste that information in your next post.
==========================

Post in your next reply:
Kaspersky scan report
New HJT log
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am
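An added example, not from this thread or from tim s: a small Python audit of HijackThis "O2 - BHO" lines that flags the orphaned Browser Helper Object registrations asked to be fixed above (entries with "(no name)" or "(file missing)", i.e. registry values left behind after the Vundo DLLs were deleted) and writes them out as a ComboFix "Registry::" stanza in the same layout as the script posted earlier in the thread. The sample lines are copied from the 06/11/2007 log above; the regular expression for the O2 format is my own reading of HijackThis 1.99.1 output, not a published grammar.

```python
"""Audit HijackThis 'O2 - BHO' entries for orphaned Browser Helper Objects.

Added example, not part of the MalwareRemoval.com thread. Parses O2 lines in
the shape HijackThis 1.99.1 prints, flags entries with no display name or a
DLL that no longer exists on disk, and emits a ComboFix 'Registry::' stanza
of the same layout as the one posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O2 lines from the 06/11/2007 HijackThis log above,
# plus one O4 line to show that non-O2 sections are ignored.
SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {1B041C3A-2697-47D1-A0A5-2DDFEBCC96B6} - C:\WINDOWS\system32\vtstu.dll (file missing)",
    r"O2 - BHO: (no name) - {47057EFC-2DD2-475A-A41B-BF74B05A5319} - C:\WINDOWS\system32\jkklj.dll (file missing)",
    r"O2 - BHO: (no name) - {B2DEC5DB-BB0B-44DA-9961-B8C0600761C8} - C:\WINDOWS\system32\vtsqo.dll (file missing)",
    r"O2 - BHO: (no name) - {F5E924A5-3D05-4652-BB2F-EF3478A393F6} - C:\WINDOWS\system32\ssttr.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
]

# Registry key where Internet Explorer BHOs are registered (as in the ComboFix
# script posted in the thread).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
# Assumed format, derived from the log lines on this page.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r" - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool

    def reasons(self) -> List[str]:
        """Why this BHO deserves a look; an empty list means nothing odd."""
        out = []
        if self.name == "(no name)":
            out.append("no name")
        if self.file_missing:
            out.append("file missing")
        return out


def parse_o2(line: str) -> Optional[BhoEntry]:
    """Parse one HijackThis line; return None for anything that is not O2."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return BhoEntry(
        name=m.group("name"),
        clsid=m.group("clsid").upper(),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
    )


def audit(lines: List[str]) -> List[BhoEntry]:
    """Return the O2 entries that have at least one reason to be flagged."""
    flagged = []
    for line in lines:
        entry = parse_o2(line)
        if entry is not None and entry.reasons():
            flagged.append(entry)
    return flagged


def combofix_registry_script(flagged: List[BhoEntry]) -> str:
    """Build a ComboFix 'Registry::' stanza deleting the flagged CLSID values.

    Same layout as the script in the thread: the key in brackets, then one
    '{CLSID}=-' line per value to remove.
    """
    lines = ["Registry::", f"[{BHO_KEY}]"]
    lines += [f"{e.clsid}=-" for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = audit(SAMPLE_LINES)
    for e in hits:
        print(f"{e.clsid}  {e.path}  <- {', '.join(e.reasons())}")
    print(combofix_registry_script(hits))
```

Run it against a full HijackThis log by reading the file into a list of lines; only O2 entries are considered, so other sections pass through untouched.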

Unread postby WarrenChernoff » June 12th, 2007, 11:17 pm

KASPERSKY ONLINE SCANNER REPORT
June 12, 2007 8:14:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/06/2007
Kaspersky Anti-Virus database records: 342808
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 119254
Number of viruses found: 9
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:45:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Jetico\Jetico Personal Firewall\firewall.1.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gxiiquae.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\RECYCLER\NPROTECT\00123936.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP421\A0071816.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP422\A0071979.exe Infected: Trojan-Downloader.Win32.Tiny.he skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP422\A0071980.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP422\A0071981.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP422\A0071982.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP422\A0071983.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP422\A0071984.dll Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{248E5920-17CF-46B2-BD8F-FA6DF98A7CEE}\RP423\A0072037.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\VundoFix Backups\cdhinqvd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\dxiniiui.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\jkklj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\mljhihf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\oxrtmxhf.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\qwqqhavo.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\ssttr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\vtsqo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\vtstu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\yfplehbt.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6557.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4b0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 8:16:53 PM, on 06/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC56EDF3-E542-4036-9160-0511D7211541}: NameServer = 64.59.168.13,64.59.168.15
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware2005\cwproto.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm

Unread postby tim s » June 12th, 2007, 11:42 pm

Hello WarrenChernoff,

Great job. The files picked up in the scan are in the removal tools, which we will delete now.

These tools I had you download are no longer of any use, as they update so frequently that fresh copies have to be downloaded when needed.

Delete tools:
VundoFix.exe and C:\vundofix.txt
combofix.exe and C:\QooBox


Make sure to empty the recycle bin, too.

Let me know how your computer is running now.


-------------------------------------------------------------------

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore - Since you are using Windows XP, you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide
    Re-enable System Restore using the instructions from the tutorial above.
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.
Please take the time to go and complain - that forum has a topic for your infection, which is purityscan; please post as a reply (you will need to register to do so). It will also have a list of other places you can go to register your complaint, depending on the country you are resident in. Please read the topics and complain; it is only with such complaints to government or government agencies that something will get done.



Tim s
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am
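
The Internet Explorer hardening steps in tim s's post (step 2, the Custom Level settings for the Internet zone) can be checked after the fact from the registry. The script below is an added example, not part of the original post or of any tool the thread mentions. It assumes the Internet zone is stored under the per-user key `HKCU:\...\Internet Settings\Zones\3`, that the numeric value names (1001, 1004, 1201, 1800, 1804, 1607) are the ones Microsoft documents for these six settings, and that the data values mean 0 = Enable, 1 = Prompt, 3 = Disable. It only reports; the settings themselves are changed through the Tools dialog as the post describes.

```powershell
# Added example: audit the Internet zone (Zones\3) of Internet Explorer against the
# settings recommended in the post above. Not part of the original post.
# Assumptions: value names follow Microsoft's documented IE zone registry entries;
# data values are 0 = Enable, 1 = Prompt, 3 = Disable.
# Run in the user's own session; zone settings are per-user unless Group Policy
# moves them to HKLM (the "Security_HKLM_only" policy), in which case check that hive.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by the registry value name of each setting.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

if (-not (Test-Path $zonePath)) {
    Write-Warning "Zone key not found: $zonePath"
    return
}

$zone = Get-ItemProperty -Path $zonePath

foreach ($id in ($recommended.Keys | Sort-Object)) {
    $setting = $recommended[$id]
    $current = $zone.$id            # dynamic property access by value name

    if ($null -eq $current) {
        # Value absent: IE falls back to its built-in default for this zone.
        $status = 'MISSING (IE default applies)'
    } elseif ([int]$current -eq $setting.Value) {
        $status = 'OK'
    } else {
        $status = 'WEAK'
    }

    $currentLabel = if ($null -ne $current -and $labels.ContainsKey([int]$current)) {
        $labels[[int]$current]
    } else {
        "$current"
    }

    '{0,-5} {1,-60} current={2,-8} recommended={3,-8} {4}' -f `
        $id, $setting.Name, $currentLabel, $labels[$setting.Value], $status
}
```

Any line reported as WEAK means the dialog step was skipped or later reverted; a MISSING line is not necessarily a problem, since the Internet zone's built-in default for several of these settings is already Prompt or Disable, but it is worth setting explicitly so the choice survives future IE upgrades.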

Unread postby WarrenChernoff » June 13th, 2007, 12:46 am

Thank you !!
WarrenChernoff
Active Member
 
Posts: 8
Joined: June 9th, 2007, 7:22 pm