Visited the wrong forum and all i got was this lousy infecti


Post by elrandor » October 14th, 2007, 4:20 pm

I've done all but re-install, which I hate doing, so I thought I'd give you guys a try.

I have Ad-Aware SE and Spybot S&D.

I tried BitDefender, but it seemed to me to infect me more,

and none of them seemed to be able to get it all.
I used some of the online scans. Some froze; others only found problems and then asked for money (couldn't do that without some type of testimonial or other guarantee).

A lot of pop-ups. Every time a new Explorer window is opened, it resets the Privacy value to accept all cookies. I usually have it prompt me when a cookie wants onto my system.

I would be very grateful for any help from you.

Anyhow, on with the show:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:29:18 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\fhbddeat.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\b\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sinfulrum.sinnerz.org/cgi-bin/ik ... bd30d873d&
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {11D4DF68-827F-4061-3F8F-8EA6C38EC557} - C:\Program Files\WindowsUpdate\quzakew.dll (file missing)
O2 - BHO: (no name) - {3914CAA4-6BD5-419D-8ACC-8E78E1848071} - C:\Program Files\Common Files\menoq4444.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\fqrvqaib.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {90B6A8D8-F962-4A3C-B577-2C45F6748025} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dhhuwvll.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C9E79ED9-D2CF-4CC9-9C4E-2EEA7C3F2E24} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {E2EF984C-F4ED-4221-856F-A13B9BDEF2D2} - C:\Program Files\Common Files\menoq83122.dll
O2 - BHO: (no name) - {FF8CD237-A972-40B8-873C-12CD7F06AE69} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dhhuwvll.dll
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB003" /M "Stylus CX4600"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] I:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\etfbswtg.dll",sitypnow
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA2006] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFF7A4.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3152] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFF7A4.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4108] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFAAF1.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2089] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFAAF1.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1592] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF9814.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC561] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF9814.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5296] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF77A4.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9533] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF77A4.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8513] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF755B.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1931] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF755B.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9574] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF649C.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7185] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF649C.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2623] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF61A1.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6141] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF61A1.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1609] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF5C80.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC966] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF5C80.tmp"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8210] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFF7A4.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3663] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFF7A4.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3241] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFAAF1.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8237] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DFAAF1.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9278] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF9814.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2993] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF9814.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9613] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF77A4.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD477] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF77A4.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB786] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF755B.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5615] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF755B.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5370] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF649C.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8232] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF649C.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB557] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF61A1.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2158] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF61A1.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1300] command /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF5C80.tmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4550] cmd /c del "C:\Documents and Settings\b\Local Settings\Temp\~DF5C80.tmp"
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?6dbd71fa876342cb84595ba0fcda57d8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?6dbd71fa876342cb84595ba0fcda57d8
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.deviantart.com
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.letsplaychess.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.xfire.com
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O16 - DPF: {0C7F3F20-8BAB-11D2-9432-00C04F8EF48F} (Downloadable Speech API) - http://activex.microsoft.com/activex/co ... pchapi.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Downl ... e-c283.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-18.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 8245011437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8245003734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/fil ... nstall.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/co ... v_enua.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v5.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\b\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter hijack: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - (no file)
O20 - Winlogon Notify: dhhuwvll - C:\WINDOWS\SYSTEM32\dhhuwvll.dll
O20 - Winlogon Notify: hgghhif - C:\WINDOWS\SYSTEM32\hgghhif.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\fhbddeat.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtejexaq.html

--
End of file - 14666 bytes

Post by askey127 » October 15th, 2007, 7:25 am

elrandor,
Your computer is VERY seriously infected with a variety of malicious software. There is some risk we can't get it all, and I don't know yet how much there is. Please do each task I ask, in the order requested, and please do not download or run anything else.
If there is anything you cannot do, please post back and ask.
-------------------------------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the older version 1.4, Click on Exit Spybot S&D Resident
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
-----------------------------------------------------------
YOU HAVE NO ANTI-VIRUS PROGRAM
Download just one of these free anti-virus programs, update it and run a full scan. Have it fix anything it finds.
*Grisoft AVG from here : http://free.grisoft.com/doc/1
*AntiVir Free from here : http://www.free-av.com/
*Avast Home Edition from here : http://www.avast.com/eng/down_home.html
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O15 - Trusted Zone: *.deviantart.com
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.letsplaychess.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.xfire.com
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
(Do not use the Registry block to clean anything with this program. It is for experts only and it is risky.)
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites you regularly visit or do business with), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
We need to rename HijackThis.exe to reveal.exe
Right button-click on the file named HijackThis.exe on your Desktop, and select Rename.
Type in the new filename as reveal.exe
Hit <Enter>
-----------------------------------------------------------
From Start, Settings, Control Panel or Start, Control Panel, double-click Security Center and verify that it shows Firewall ON. If not click the down arrow and turn it ON.
-----------------------------------------------------------
Post a New HiJackThis Log

Reboot your computer. Start HijackThis (reveal.exe).

Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of CCleaner's install.txt on your desktop.
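As an added example that is not part of this thread (nor HijackThis's own code), here is a small Python triage script for logs in the format posted above: it parses each R/O entry, pulls out the file path, and attaches review flags for the patterns askey127 is targeting, such as O15 Trusted Zone additions, entries whose file is missing, unnamed BHOs, Winlogon Notify DLLs and services with no publisher. The sample lines are copied from the first post's log; the flagging heuristics are my own assumptions for triage, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a few lines copied from the HijackThis log posted in
# this thread (one clean entry per section kept for contrast), plus the header
# and footer lines the scanner always emits.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:29:18 PM, on 10/14/2007

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sinfulrum.sinnerz.org/cgi-bin/ik ... bd30d873d&
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\fqrvqaib.dll
O2 - BHO: (no name) - {90B6A8D8-F962-4A3C-B577-2C45F6748025} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: http://www.ebay.com
O20 - Winlogon Notify: dhhuwvll - C:\WINDOWS\SYSTEM32\dhhuwvll.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\fhbddeat.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 14666 bytes
"""

# Every HijackThis finding starts with a section tag (R0-R3, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# O23 body: 'Service: <name> - <company> - <path>'; an empty company shows up
# as ' - - ' once the forum collapses whitespace, so the separators are lenient.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) -\s?(?P<company>.*?)\s?- (?P<path>.+)$")
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str] = None   # file path, when the entry carries one
    missing: bool = False        # HJT appends '(file missing)' / '(no file)'
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for headers, processes, footers."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    missing = False
    for marker in ("(file missing)", "(no file)"):
        if body.endswith(marker):
            body, missing = body[: -len(marker)].rstrip(), True
    # The path, when present, is the last ' - ' separated field.
    last = body.rsplit(" - ", 1)[-1].strip()
    path = last if (re.match(r"^[A-Za-z]:\\", last) or last.startswith("%windir%")) else None
    return Entry(m.group("section"), body, path, missing)


def triage(entry: Entry) -> Entry:
    """Attach review reasons. These are heuristics chosen for this example,
    not HijackThis rules; every flag still needs a human decision."""
    f = entry.flags
    if entry.missing:
        f.append("points at a file that no longer exists (orphaned entry)")
    if entry.section in ("R0", "R1"):
        f.append("IE start/search page setting; confirm the URL is one you chose")
    elif entry.section == "O15":
        zone = entry.body.split(":", 1)[1].strip()
        f.append("site added to the IE Trusted Zone (relaxed security settings)")
        if zone.startswith("*."):
            f.append("wildcard covers every host under the domain")
        if zone.endswith("(HKLM)"):
            f.append("machine-wide entry, applies to all users")
    elif entry.section == "O2" and entry.body.startswith("BHO: (no name)"):
        f.append("Browser Helper Object with no name")
    elif entry.section == "O20":
        f.append("Winlogon Notify DLL, loaded at every logon")
    elif entry.section == "O23":
        m = SERVICE_RE.match(entry.body)
        if m and m.group("company").strip() in ("", "Unknown owner"):
            f.append("service with no publisher listed")
    if entry.path and SYSTEM_DIR.match(entry.path):
        stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        # Weak signal: legitimate names such as ctfmon match too; it only asks for a look.
        if len(stem) >= 5 and stem.isalpha() and stem.islower():
            f.append("lowercase letters-only filename in system32, check the publisher")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_entry, text.splitlines()) if e is not None]


def flagged(text: str) -> List[Entry]:
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for reason in e.flags:
            print(f"    -> {reason}")
```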

Post by elrandor » October 15th, 2007, 12:22 pm

Thanks a mil.

I just noticed this: my date and time keep resetting (1/1/2002).

Revealthis (HijackThis):

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:15:23 PM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\NOTEDAD.EXE
C:\Program Files\ISM2\ISMPack6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Documents and Settings\b\Desktop\reveal.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sinfulrum.sinnerz.org/cgi-bin/ik ... bd30d873d&
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {11D4DF68-827F-4061-3F8F-8EA6C38EC557} - C:\Program Files\WindowsUpdate\quzakew.dll (file missing)
O2 - BHO: (no name) - {2C8E134E-E93B-4C3D-8A91-7E5046A9ED89} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {3914CAA4-6BD5-419D-8ACC-8E78E1848071} - C:\Program Files\Common Files\menoq4444.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\fqrvqaib.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {90B6A8D8-F962-4A3C-B577-2C45F6748025} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {98E0E35C-4A46-42E7-BF15-2B9E000541EB} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C9E79ED9-D2CF-4CC9-9C4E-2EEA7C3F2E24} - (no file)
O2 - BHO: (no name) - {E2EF984C-F4ED-4221-856F-A13B9BDEF2D2} - C:\Program Files\Common Files\menoq83122.dll
O2 - BHO: (no name) - {FF8CD237-A972-40B8-873C-12CD7F06AE69} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB003" /M "Stylus CX4600"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] I:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\imoihecv.dll",sitypnow
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?6dbd71fa876342cb84595ba0fcda57d8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?6dbd71fa876342cb84595ba0fcda57d8
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C7F3F20-8BAB-11D2-9432-00C04F8EF48F} (Downloadable Speech API) - http://activex.microsoft.com/activex/co ... pchapi.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Downl ... e-c283.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-18.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 8245011437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8245003734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/fil ... nstall.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/co ... v_enua.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v5.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\b\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter hijack: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - (no file)
O20 - Winlogon Notify: hgghhif - C:\WINDOWS\SYSTEM32\hgghhif.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtejexaq.html

--
End of file - 10851 bytes

Install file:

Ad-Aware SE Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
AVG Anti-Spyware 7.5
CCleaner (remove only)
Chessmaster 9000
Community Expansion Pack version 1.50
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Creative PC-CAM 300 Driver
Creative PC-CAM 300 Manual (English)
Creative PC-CAM Center
Creative WebCam Monitor
Creative WebCam PhotoEditor
DAO
DivX Player
DivX Pro Codec Adware
DivX Web Player
Evil Genius
Form Fill (Windows Live Toolbar)
GdiplusUpgrade
Guild Wars
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.0
Hotfix for Windows XP (KB926239)
InCD (ahead software)
Ipswitch WS_FTP Home 2006
iTunes
J2SE Runtime Environment 5.0 Update 6
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.14.8
Macromedia Shockwave Player
Map Button (Windows Live Toolbar)
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
MSN Music Assistant
Nero - Burning Rom
Nintendo Wi-Fi USB Connector Registration Tool
Norton Spyware Scan - Yahoo!
Norton Spyware Scan provided by Yahoo!
NVIDIA Drivers
Panda ActiveScan
PixMaker
PixScreenCE_1.5
Popup Blocker (Windows Live Toolbar)
QuickTime
RealPlayer
Rhapsody
Rhapsody Player Engine
Shockwave
Smart Menus (Windows Live Toolbar)
SpeechRedist
Spybot - Search & Destroy
Tabbed Browsing (Windows Live Toolbar)
Tablet
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
The Print Shop 20
The Print Shop Premium Fonts
Ulead Photo Express 4.0 My Custom Edition
Unreal Tournament
Update for Windows XP (KB898461)
WebFldrs XP
WinAce Archiver
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB890175
Windows XP Service Pack 2
WinRAR archiver
WinZip
Xfire (remove only)
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
elrandor
Active Member
Posts: 6
Joined: October 13th, 2007, 1:45 pm

Unread postby askey127 » October 15th, 2007, 12:42 pm

elrandor,
Thanks for the list and log.

YOU STILL HAVE NO ANTI-VIRUS PROGRAM
Don't ignore this instruction just because you have AVG anti-spyware installed. It's good but not sufficient. AVG AntiVirus and the others here are different programs.

Download just one of these free anti-virus programs, update it and run a full scan. Have it fix anything it finds.
*Grisoft AVG from here : http://free.grisoft.com/doc/1
*AntiVir Free from here : http://www.free-av.com/
*Avast Home Edition from here : http://www.avast.com/eng/down_home.html
------------------------------------------------------------
Please download VundoFix.exe and Save to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix will encounter a file it cannot remove.
    In that case, VundoFix will run on reboot. Simply repeat the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis (reveal.exe) log.


askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby elrandor » October 18th, 2007, 7:49 am

Sorry, I thought the AVG (Grisoft) was the same as the AVG I already had. I installed that and it found 17 viruses and got rid of 12.

Here are the logs:

HiJack/reveal this:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:05:44 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\tbqfsmcs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\b\Desktop\reveal.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sinfulrum.sinnerz.org/cgi-bin/ik ... bd30d873d&
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {11D4DF68-827F-4061-3F8F-8EA6C38EC557} - C:\Program Files\WindowsUpdate\quzakew.dll (file missing)
O2 - BHO: (no name) - {3914CAA4-6BD5-419D-8ACC-8E78E1848071} - C:\Program Files\Common Files\menoq4444.dll
O2 - BHO: (no name) - {3FD37AD5-C7BB-40A9-A2AD-854D18B5315D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\fqrvqaib.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {90B6A8D8-F962-4A3C-B577-2C45F6748025} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {98E0E35C-4A46-42E7-BF15-2B9E000541EB} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C9E79ED9-D2CF-4CC9-9C4E-2EEA7C3F2E24} - (no file)
O2 - BHO: (no name) - {E2EF984C-F4ED-4221-856F-A13B9BDEF2D2} - C:\Program Files\Common Files\menoq83122.dll
O2 - BHO: (no name) - {F9221B1B-78C0-49A6-B0CB-83882D64048E} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {FF8CD237-A972-40B8-873C-12CD7F06AE69} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB003" /M "Stylus CX4600"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] I:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\kxwpfdcf.dll",sitypnow
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?6dbd71fa876342cb84595ba0fcda57d8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?6dbd71fa876342cb84595ba0fcda57d8
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C7F3F20-8BAB-11D2-9432-00C04F8EF48F} (Downloadable Speech API) - http://activex.microsoft.com/activex/co ... pchapi.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Downl ... e-c283.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-18.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 8245011437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8245003734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/fil ... nstall.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/co ... v_enua.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v5.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\b\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter hijack: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - (no file)
O20 - Winlogon Notify: hgghhif - hgghhif.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tbqfsmcs.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtejexaq.html

--
End of file - 11427 bytes


Vundo log:


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:04:39 PM 10/17/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:59:47 PM 10/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


I scan using Vundo, then go to remove as instructed, but the computer just sits there. It asks if I want to remove Vundo, but does nothing else.

(I am posting from another computer. I tried for 2 days to post from my own to no avail. It still comes up "No post mode selected".)
elrandor
Active Member
Posts: 6
Joined: October 13th, 2007, 1:45 pm

Unread postby askey127 » October 18th, 2007, 8:55 am

elrandor,
----------------------------------------------------
I am sorry to be the bearer of bad news, but unfortunately you have a very dangerous infection, "W32/Agobot-LF" with "backdoor" capabilities, among others.
This gives remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
It comes from not having Windows updates on the machine.

You are strongly advised to do the following immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Because of the infection's backdoor functionality, the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet. (This infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry).
If you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so, but it can be expected to be long and difficult. This is your choice to make.

To help you make a more informed decision, you can read the following articles:

Should you have any questions, please feel free to ask.
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby elrandor » October 18th, 2007, 11:08 am

So you're saying a clean, fresh reformat will rid me of this bug.

I have partitioned the drive into several smaller drives. I understand that I will have to re-do those as well.

Can you tell me which drive that the infection stems from?

Is it on the D: drive?
elrandor
Active Member
Posts: 6
Joined: October 13th, 2007, 1:45 pm

Unread postby askey127 » October 18th, 2007, 12:03 pm

elrandor,
The Remote access worm is here. It can do anything it pleases.
O4 - HKLM\..\RunServices: [winlog] winlog.exe
It is located in C:\Windows\System32\

Where the other infections are located, I don't know yet. And there are others; I just didn't need to go further.

It's only safe to save data files (file types doc, txt, rtf, xls, ppt), but NO programs, and especially NO files ending in (exe, com, dll).
Data files are usually just ones that you wrote. After you save what you need, reformat all partitions. Do NOT do a repair install. That will leave the infections.

Download a free Antivirus installer to a clean computer, and save it on a CD or clean flash drive.
Unplug the Internet cable to reformat all drives and reinstall Windows. Then install your Antivirus from flash or CD. THEN plug in the Internet cable and go directly to Microsoft and get ALL the updates. Do this before installing any other programs.
(The average time to get an online infection for a PC with no updates and no AntiVirus is five minutes).
Next item is to update your AntiVirus.

If you want to do the work, and it's important to you, run a Kaspersky scan and only look at lines in KAV.TXT that have the word "infected" to see if any are on D:\ or other drives.
(Registry entries HKey... are all on C:\ drive)
The infections you have may or may not allow it.
-----------------------------------------------------
Using Internet Explorer, please do an online scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
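
The indicators askey127 singles out in this post (a RunServices entry naming a bare executable, a service with no vendor pointing at a system binary outside System32, unnamed BHOs) can be written down as triage rules over HijackThis log lines. The script below is an added example, not part of the thread or of HijackThis; its severity levels are the example's own heuristics, and its sample lines are copied from the log posted above.

```python
"""Triage helper for HijackThis-style log lines. Added example, not part of
the thread or of HijackThis. Rules encode the indicators askey127 points at
above: an O4 RunServices entry naming a bare executable (winlog.exe), an O23
service with no vendor, a missing binary or a system binary name outside
System32, and an O2 BHO with no name. Severities are this example's own
heuristics: a hit means "look closer", not "confirmed malware".
"""
import re

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Owner may be empty ("DomainService - - C:\..."), so the separators are loose.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)\s*-\s(?P<owner>.*?)\s*-\s(?P<path>.+)$")

# Binaries that belong in the system directory; the same file name anywhere
# else (C:\WINDOWS\smss.exe in the log above) is a classic masquerade.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("\\system32\\", "\\syswow64\\")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {3914CAA4-6BD5-419D-8ACC-8E78E1848071} - C:\Program Files\Common Files\menoq4444.dll
O2 - BHO: (no name) - {3FD37AD5-C7BB-40A9-A2AD-854D18B5315D} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\kxwpfdcf.dll",sitypnow
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\tbqfsmcs.exe
"""

def _basename(path):
    path = path.replace("(file missing)", "").strip().strip('"')
    return path.rsplit("\\", 1)[-1].lower()

def _first_token(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def triage(log_text):
    """Return findings (dicts: severity, reason, line), most severe first."""
    findings = []
    for line in log_text.splitlines():
        line, hits = line.strip(), []
        if m := O4_RE.match(line):
            exe, in_services = _first_token(m["cmd"]), "RunServices" in m["key"]
            if _basename(exe) == "rundll32.exe":
                hits.append(("low", "rundll32 loads a DLL by path: verify that DLL"))
            elif "\\" not in exe:  # no directory given: resolved via the search path
                hits.append(("high" if in_services else "medium",
                             "bare executable name with no path"))
            if in_services:
                hits.append(("medium", "RunServices key: rarely used by legitimate software"))
        elif m := O23_RE.match(line):
            path = m["path"]
            if m["owner"].strip() in ("", "Unknown owner"):
                hits.append(("medium", "service with no identifiable vendor"))
            if "(file missing)" in path:
                hits.append(("low", "service binary missing: orphaned or already removed"))
            if _basename(path) in SYSTEM32_ONLY and not any(d in path.lower() for d in SYSTEM_DIRS):
                hits.append(("high", "system binary name outside System32 (masquerade)"))
        elif m := O2_RE.match(line):
            if m["path"] == "(no file)" or "(file missing)" in m["path"]:
                hits.append(("low", "orphaned BHO registration: clean-up only"))
            elif m["name"] == "(no name)":
                hits.append(("medium", "unnamed BHO with a live DLL: check its publisher"))
        findings += [{"severity": s, "reason": r, "line": line} for s, r in hits]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['reason']}\n         {f['line']}")
```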

Unread postby elrandor » October 18th, 2007, 4:48 pm

Can one have too many anti-spam / anti-virus programs running on a computer?

What are the pros and cons of this?

You may send this topic to the solved area as I will be doing a system format within the next week.

thanks for your assistance

Elrandor
elrandor
Active Member
Posts: 6
Joined: October 13th, 2007, 1:45 pm

Unread postby askey127 » October 18th, 2007, 6:45 pm

You can have ONLY ONE ANTI-VIRUS.
Running more can make Windows unstable and reduce protection.

You can run more than one Anti-spyware, like Super Anti-Spyware, or Spysweeper, or AVG Anti-Spyware, but one will probably do.

Ad-aware and Spybot are not quite as able to remove things.
If you install Spybot, good, but don't choose to install TeaTimer.

Anti-Spam programs don't cause big trouble, but I would use one at a time, and pick the one I liked best.
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby elrandor » October 18th, 2007, 10:45 pm

Which is the most used anti-virus among you teachers?
elrandor
Active Member
Posts: 6
Joined: October 13th, 2007, 1:45 pm

Unread postby askey127 » October 19th, 2007, 6:53 am

We don't recommend specific products among AntiVirus applications.
There are lots of competent ones - look here:
http://support.microsoft.com/kb/49500
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby askey127 » November 8th, 2007, 3:59 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
If you are the topic starter, you will need a valid, working link to the closed topic, along with the user name used.
The user name must match the one in the linked thread to avoid having the email deleted.

You can help support this site from this link :
Donations For Malware Removal
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA