Help please


Post by harnage1 » April 27th, 2008, 1:49 pm

This is my logfile; if anyone could help me, it would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:20 PM, on 4/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
O2 - BHO: (no name) - {6216444d-3331-48be-9aae-1a8334cb1e48} - C:\WINDOWS\System32\geBuTnNF.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Ron Johnson\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Ron Johnson\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: opnkkjka - opnkkjKA.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 6025 bytes
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Post by km2357 » April 27th, 2008, 3:36 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Help please

Post by km2357 » April 27th, 2008, 3:55 pm

I see that you have not yet updated to Windows XP SP2. Do not update to SP2 until I have determined that your computer is clean.

Print out these instructions or save them in a Notepad file on your desktop, because you will not have internet access while in Safe Mode.

Step # 1: Download and Install SDFix
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)


Step # 2 Download CCleaner

Download CCleaner from here to clean temp files from your computer.
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
  • Click Install then finish to complete installation.


Step # 3 Retrieve the Installed Programs List from CCleaner

Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.


Step # 4: Boot into Safe Mode

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


Step # 5: Run SDFix

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


In your next post/reply, I need to see the following:

1. SDFix Report
2. CCleaner Uninstall List
3. A fresh HiJackThis Log taken after SDFix has run.

Use multiple posts if you can't fit everything into one post.

Re: Help please

Post by harnage1 » April 27th, 2008, 5:01 pm

SDFix: Version 1.176
Run by Ron Johnson on Sun 04/27/2008 at 03:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
widuxngq

Path :
\??\C:\WINDOWS\widuxngq.sys

widuxngq - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\8.TMP - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\Ron Johnson\cftmon.exe - Deleted
C:\Documents and Settings\Ron Johnson\Application Data\Install.dat - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe - Deleted
C:\DOCUME~1\RONJOH~1\LOCALS~1\Temp\calc.exe - Deleted
C:\DOCUME~1\RONJOH~1\LOCALS~1\Temp\msprint.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\Temp\$_2341233.TMP - Deleted
C:\WINDOWS\Temp\$_2341234.TMP - Deleted
C:\WINDOWS\Temp\$_2341235.TMP - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted
C:\WINDOWS\Web\def.htm - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\widuxngq.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 15:49:50
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 7 Aug 2007 6,421 ..SH. --- "C:\WINDOWS\system32\vvvyb.bak1"
Tue 14 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064939.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064940.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064941.exe"
Sat 19 Apr 2008 23,338 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064942.dll"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064943.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069112.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069113.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069114.exe"
Sat 19 Apr 2008 23,338 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069115.dll"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069116.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071244.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071245.exe"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071246.exe"
Sat 19 Apr 2008 23,338 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071247.dll"
Sat 19 Apr 2008 16,464 A.SH. --- "C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071248.exe"
Sun 27 Apr 2008 54,807,786 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ff1abc45bb4b51f55d5dd49be852a17a\BITB.tmp"
Sun 27 Apr 2008 4,188,496 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f44a8760e63412f193188dc31bdd5121\BITA.tmp"
Sun 27 Apr 2008 2,367,240 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5ad35005cb1cf6ab0e5d8906b81ef3e1\BIT9.tmp"
Sun 27 Apr 2008 1,131,560 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8d19e7b16e1dafba6906abfdd61b4f9\BIT5.tmp"
Sun 27 Apr 2008 2,295,632 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bf56b0f3cf2ed2445c92d62b2f0fc041\BIT28.tmp"
Sun 27 Apr 2008 8,548,984 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3f1ad5a723e2729f385d5d1d348dae42\BITE.tmp"
Sun 27 Apr 2008 448,693 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\299962a31e45d27ead63e99f90e24465\download\BIT2D.tmp"
Sun 27 Apr 2008 108,399 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2dde58e204c4be402ccbbcd0b600650e\download\BIT2E.tmp"
Sat 26 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fec3752563e444ecc6182e8b7e8bd110\download\BIT11.tmp"
Sun 27 Apr 2008 56,566 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0030edf27ee9d030b5e38566d2514790\download\BIT2.tmp"
Sat 26 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\92554586f3df257ccc6f5cd3e1efab22\download\BIT23.tmp"
Sat 26 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d45f88747992924d2f8a55141b129dbd\download\BIT25.tmp"
Sat 26 Apr 2008 4,005,331 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26850ce336513bfee15ef865c4e6576c\download\BIT19.tmp"
Sat 26 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\17b5dc397be04188db1a7e941038c6f2\download\BIT27.tmp"
Sun 27 Apr 2008 1,919,453 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac3f490121f580bfb62d9d495aa2b215\download\BIT2F.tmp"
Sun 27 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a1394c19ce964344512c4b8ba52cbec5\download\BITC.tmp"
Sun 27 Apr 2008 398,015 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94ee68f37097c1148365727afa16d894\download\BIT2F.tmp"
Sun 27 Apr 2008 1,613,689 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\409eeb5b15ac5b9aeee323d7da0f978c\download\BIT4.tmp"
Sun 27 Apr 2008 2,259,852 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d603631fa5c5558c772d54d44369b54f\download\BITD.tmp"
Sun 27 Apr 2008 750,541 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a99eb7d5ff79aed3ff0979cb81b4434b\download\BITB.tmp"
Sun 27 Apr 2008 605,945 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4730fbe8056ad6eb56eb6cc23d82cd01\download\BIT36.tmp"
Sun 27 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\354472c20c6e7a38bfd2b1b859e56276\download\BITF.tmp"
Sun 27 Apr 2008 355,352 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5217f632c60d0e2abd68621d2a7b05b9\download\BITA.tmp"
Sun 27 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6aa2d4bcedcee9617227cafceab09f02\download\BITD.tmp"
Sat 26 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f800fb87a28ec4ca869706531385e23a\download\BIT3B.tmp"
Sun 27 Apr 2008 906,113 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d5cb53f40c94c45549672fbf4eb14b2\download\BIT7.tmp"
Sun 27 Apr 2008 1,974,817 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ec3e2e6b3f1b25baadb3a70dfe94cd10\download\BIT8.tmp"
Sun 27 Apr 2008 262,997 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c4989c7d9cfedbbe50931f1ce8778e69\download\BITE.tmp"
Sun 27 Apr 2008 465,029 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1410961c7f4f5684c30d6b41322b3e42\download\BIT4.tmp"
Sun 27 Apr 2008 1,220,563 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\785bc23a82784977fa64552e9bb4a6ab\download\BIT2.tmp"
Wed 17 Oct 2007 20 A..H. --- "C:\Documents and Settings\Ron Johnson\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 14 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Ron Johnson\My Documents\My Music\License Backup\drmv1key.bak"
Wed 17 Oct 2007 1,536 A..H. --- "C:\Documents and Settings\Ron Johnson\My Documents\My Music\License Backup\drmv2lic.bak"
Tue 13 Sep 2005 312 ...H. --- "C:\Documents and Settings\Ron Johnson\My Documents\My Music\License Backup\drmv2key.bak"
Sun 2 Dec 2007 4,677,120 ...H. --- "C:\Documents and Settings\Ron Johnson\Application Data\Microsoft\Word\~WRL3474.tmp"

Finished!

Re: Help please

Post by harnage1 » April 27th, 2008, 5:02 pm

CCleaner list

Adobe Flash Player ActiveX
Adobe Reader 7.0
Agere Systems PCI Soft Modem
ArcSoft Panorama Maker 3
CCleaner (remove only)
Championship Mah Jongg
Diablo II
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Fable - The Lost Chapters
HijackThis 2.0.2
Internet Explorer Q903235
iTunes
Java 2 Runtime Environment, SE v1.4.2
Java(TM) SE Runtime Environment 6 Update 1
Manga Studio Debut 3.0
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Office PowerPoint Viewer 2003
Microsoft Picture It! Photo 2002
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser
Morrowind
Nero - Burning Rom
Nikon Message Center
PictureProject
PictureProject In Touch Downloader 1.0
Police Chase
QuickTime
RealPlayer
Roxio UDF Reader
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Shockwave
Spyware Terminator
True Love
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix (SP2) Q329441
WinRAR archiver
Works Suite OS Pack
Works Synchronization

Re: Help please

Post by harnage1 » April 27th, 2008, 5:03 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:29 PM, on 4/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
O2 - BHO: (no name) - {6216444d-3331-48be-9aae-1a8334cb1e48} - C:\WINDOWS\System32\geBuTnNF.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: opnkkjka - opnkkjKA.dll (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5364 bytes

Re: Help please

Post by km2357 » April 28th, 2008, 1:59 am

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these vendors NOW:

1)Antivir PersonalEdition Classic
2)avast! 4 Home Edition


Download and install only one!


Step # 1 Remove Viewpoint Media Player

You have Viewpoint Media Player installed on your system. This program is not malware, but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try safe and free alternatives such as VLC Media Player.
To remove, open Start->Control Panel->Add/Remove Programs find Viewpoint Media Player and select Remove.


Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO


Step # 3: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)

    O2 - BHO: (no name) - {6216444d-3331-48be-9aae-1a8334cb1e48} - C:\WINDOWS\System32\geBuTnNF.dll (file missing)

    O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM

    O18 - Filter hijack: text/html - (no CLSID) - (no file)

    O20 - Winlogon Notify: opnkkjka - opnkkjKA.dll (file missing)



    If an Administrator has not set a policy restricting access to Internet Explorer settings and you have not configured any software such as Spybot S & D or a similar program to prevent changing Internet Explorer settings, then you can also fix these O6 entries with HijackThis:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.



Step # 4: Deleting Files/Folders

I need you to use Windows Explorer to delete the files I have marked in red (if found):

C:\WINDOWS\system32\vvvyb.bak1
C:\WINDOWS\System32\geBuTnNF.dll
C:\WINDOWS\System32\opnkkjKA.dll



Step # 5 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log

Re: Help please

Post by harnage1 » April 28th, 2008, 10:18 am

Malwarebytes' Anti-Malware 1.11
Database version: 692

Scan type: Full Scan (C:\|)
Objects scanned: 64523
Time elapsed: 54 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 78

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b9c0c274-b262-4635-bfaf-e72b6e4ac2ff} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c8cc4aa8-1a6f-4e01-a31b-f22ad0b695a5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\byvvv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vvvyb.bak1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aqswymnf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fnmywsqa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnonml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdnsipgq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rpmrdear.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dcdevnsh.dll.ren (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ephjnknd.dll.ren (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\LastGood\System32\Macromed\Download\Install.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP540\A0064854.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064935.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064936.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064939.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064940.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064941.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064942.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064943.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064944.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064945.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064973.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0064974.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0065975.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0067007.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0067008.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP541\A0067009.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069110.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069111.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069112.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069113.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069114.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069115.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069116.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069117.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069118.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069119.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP542\A0069120.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071164.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071165.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071241.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071242.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071244.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071245.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071246.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071247.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071248.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071249.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071250.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071268.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071269.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071281.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071282.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071283.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071319.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071320.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071328.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071330.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP543\A0071336.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP557\A0071696.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP557\A0071700.vxd (Adware.Winad) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP557\A0071707.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP559\A0071718.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP559\A0071719.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP559\A0071723.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP559\A0071726.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP561\A0071753.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP563\A0071795.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP563\A0071796.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP563\A0071797.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071817.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071818.EXE (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071825.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071826.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071827.exe (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32hxiwlgpm.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32taack.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron Johnson\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
harnage1
Regular Member
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby harnage1 » April 28th, 2008, 10:20 am

This item you told me to fix will not go away.
O18 - Filter hijack: text/html - (no CLSID) - (no file)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:50 AM, on 4/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 4926 bytes
harnage1
Regular Member
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby km2357 » April 28th, 2008, 2:56 pm

Looking over your log, it still appears that you have not installed an AntiVirus yet. Please install one of the AntiVirus programs below, otherwise you can easily get infected/reinfected again.

1) Antivir PersonalEdition Classic
2) avast! 4 Home Edition


Download and install only one!


Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.


Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php



Step # 2 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
    • Java 2 Runtime Environment, SE v1.4.2
    • Java(TM) SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 3: Boot into Safe Mode

You can go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


Step # 4: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    O18 - Filter hijack: text/html - (no CLSID) - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Reboot your computer back into Normal Mode.


Step # 5: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

You must be using Internet Explorer; Kaspersky does not work with Firefox.

Click Accept

You will be prompted to install an ActiveX component from Kaspersky.
Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Once finished, save the log to your Desktop as filename KAV.txt


In your next post/reply, I need to see the following:

1. Kaspersky Results (KAV.txt)
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
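As an added example (not code from this thread, from MalwareRemoval.com or from HijackThis itself), the script below parses the entry lines of a HijackThis v2 log, flags the kinds of entries the helper asks to "Fix Checked" (the orphaned O18 filter hijack and the O6 policy entry) plus a few entries that deserve a reviewer's second look, and diffs an older log against a fresh one to show which entries actually went away after a fix. The two log excerpts are constructed from entries seen in this thread; the triage rules are assumptions of mine, not HijackThis's own heuristics.

```python
"""Triage and diff helper for HijackThis v2 logs (added example, not part of the thread)."""
import re

# Constructed excerpts modelled on the logs posted in this thread (not complete logs).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""

# A HijackThis entry line starts with its section tag (R0, F1, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return (verdict, line) pairs for entries worth attention.

    'fix'    -> the kind of entry the helper in this thread asked to Fix Checked
    'review' -> not malicious by itself, but a human reviewer should look at it
    The rules are this example's own assumptions, not HijackThis's heuristics.
    """
    findings = []
    for section, body in parse_hjt(text):
        line = f"{section} - {body}"
        if section == "O18" and "(no CLSID)" in body and "(no file)" in body:
            findings.append(("fix", line))      # orphaned MIME filter registration
        elif section == "O6":
            findings.append(("fix", line))      # IE options locked by a policy key
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("review", line))   # service whose binary is gone
        elif section == "O4" and not re.search(r"[A-Za-z]:\\", body):
            findings.append(("review", line))   # Run entry without a full path
        elif section == "O17":
            findings.append(("review", line))   # confirm the DNS servers are the ISP's
    return findings


def diff_logs(before, after):
    """Return (removed, added): entry lines that disappeared from / appeared in the fresh log."""
    old = {f"{s} - {b}" for s, b in parse_hjt(before)}
    new = {f"{s} - {b}" for s, b in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


def unresolved_fixes(before, after):
    """Entries flagged 'fix' in the old log that are still present in the fresh one."""
    new = {f"{s} - {b}" for s, b in parse_hjt(after)}
    return [line for verdict, line in triage(before) if verdict == "fix" and line in new]


if __name__ == "__main__":
    for verdict, line in triage(LOG_BEFORE):
        print(f"[{verdict:6}] {line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone since last log:", *removed, sep="\n  ")
    print("new since last log:", *added, sep="\n  ")
    print("still to fix:", *unresolved_fixes(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

On these excerpts the diff shows the Java update (jre1.6.0_01 entries replaced by jre1.6.0_06 ones, plus the new SSVHelper BHO) and the missing-file UMWdf service gone, while the O18 filter hijack survives the fix, which is exactly the situation the poster reported.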

Re: Help please

Unread postby harnage1 » April 29th, 2008, 12:33 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 11:31:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 729772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\

Scan Statistics:
Total number of scanned objects: 35894
Number of viruses found: 13
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:09:09

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\gpnqtgvd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\Download\ff1abc45bb4b51f55d5dd49be852a17a\BITB.tmp Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\AOL Downloads\my stuff\My Pictures\Cdvd.exe/data0014 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Documents\AOL Downloads\my stuff\My Pictures\Cdvd.exe/data0015 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Documents and Settings\All Users\Documents\AOL Downloads\my stuff\My Pictures\Cdvd.exe/data0016 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\All Users\Documents\AOL Downloads\my stuff\My Pictures\Cdvd.exe NSIS: infected - 3 skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ron Johnson\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
C:\Documents and Settings\Ron Johnson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron Johnson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ron Johnson\Desktop\wpepro09x\WPE PRO.exe Infected: Sniffer.Win32.WpePro.a skipped
C:\Documents and Settings\Ron Johnson\Desktop\wpepro09x\WpeSpy.dll Infected: Sniffer.Win32.WpePro.a skipped
C:\Documents and Settings\Ron Johnson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ron Johnson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron Johnson\ntuser.dat Object is locked skipped
C:\SDFix\backups\backups.zip/backups/cftmon.exe Infected: Trojan-Downloader.Win32.Agent.njn skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\SDFix\backups\backups.zip/backups/b104.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\SDFix\backups\backups.zip/backups/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\SDFix\backups\backups.zip/backups/UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups\backups.zip/backups/def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\SDFix\backups\backups.zip ZIP: infected - 9 skipped
C:\SDFix\backups\catchme.zip/spools.exe Infected: Trojan-Downloader.Win32.Agent.njn skipped
C:\SDFix\backups\catchme.zip/widuxngq.sys Infected: Rootkit.Win32.KernelBot.e skipped
C:\SDFix\backups\catchme.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP566\change.log Object is locked skipped
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071815.exe Infected: Trojan-Downloader.Win32.Agent.njn skipped
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071816.exe Infected: Trojan-Downloader.Win32.Agent.njn skipped
C:\System Volume Information\_restore{7BF94E2C-849D-4671-AC7D-DFB25E71C68A}\RP564\A0071824.exe Infected: Trojan-Downloader.Win32.Agent.njn skipped

Scan process completed.
harnage1
Regular Member
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby harnage1 » April 29th, 2008, 12:34 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:28 PM, on 4/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5030 bytes
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby harnage1 » April 29th, 2008, 12:38 am

My computer is running almost as well as it was before the spyware infestation, but I have been plagued by a slower download speed than usual.
I have dial-up, so my usual download speed is 4.5 kbs, but now it runs between 2.5 and 3.7 kbs.

Also, I have an anti-virus program; it is integrated into my anti-spyware program, Spyware Terminator.

I cannot delete the old versions of Java.
For Java 2 Runtime Environment, SE v1.4.2, my computer brings up a warning saying
"The installation source for this product is not available. Verify that the source exists and that you can access it."

For Java(TM) SE Runtime Environment 6 Update 1, it brings up a window saying "Fatal error during installation".
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby km2357 » April 29th, 2008, 2:52 am

The Kaspersky results showed some infected Restore Points. Those are harmless where they are, I'll show you how to remove them and set a new one in the next post or so. It also listed the files in SDFix's backup folder, those are fine where they are for now.

Did you knowingly download Winsock Packet Editor Pro?

Step # 1 Download and Run OTMoveIt2


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    C:\WINDOWS\system32\gpnqtgvd.dll
    C:\Documents and Settings\All Users\Documents\AOL Downloads\my stuff\My Pictures\Cdvd.exe


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

I also see that the O18 line is still there; try disabling Spyware Terminator's RealTime Shield and then fixing that line in HijackThis.

I'll ask my peers about the Java uninstallation errors to see if they have anything to say about them.

In your next post, I need to see the following:

1. The OTMoveIt2 log
2. A fresh HijackThis log
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
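The post above works through the usual HijackThis triage by hand: an O18 filter line with no CLSID and no file, an O23 service whose binary is missing, the O4 autostarts, and the O17 resolvers. The script below is an added example, not code from the thread or from HijackThis, that applies those same reading rules to log lines of the format posted here. The sample log is constructed to mirror the posted one; the `[example]` Run entry and its Temp path are hypothetical, added only to exercise the "autostart outside the usual roots" rule.

```python
"""Added example (not from the forum thread): a small triage pass over
HijackThis 2.0.2 log lines of the kind posted above.  It parses each
section line and flags the entries a helper reads first: an O18 MIME
filter with no CLSID/file, an O23 service whose binary is missing, an
O4 autostart that is unqualified or lives outside the usual roots, and
the O17 resolvers the owner should confirm with their ISP."""
import re
from dataclasses import dataclass

# Constructed sample mirroring the log format above.  The [example] O4
# entry and its Temp path are hypothetical, added to exercise the rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<lnk>.*?) = (?P<target>.*)$")
O18_RE = re.compile(r"^Filter hijack: (?P<mime>\S+) - (?P<clsid>.*?) - (?P<file>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<name>[^)]*)\) - (?P<vendor>.*?) - (?P<path>.*)$")
# A Run-key command is either "quoted path" [args] or an unquoted path
# (which may contain spaces) ending in an executable extension, then args.
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.(?:exe|dll|sys|com|scr))(?:\s|$)', re.I)

# Autostart targets under these roots are normal on XP; anything else
# (user profile, Temp, shared Documents, ...) is worth a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    section: str
    severity: str  # "fix" (orphaned entry), "review" (unusual), "confirm" (ask the owner)
    line: str
    reason: str


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("quoted") or m.group("bare")


def check_o4(body: str, line: str):
    m = RUN_RE.match(body)
    if m:
        path = exe_path(m.group("cmd"))
        if "\\" not in path:
            # A bare filename is located through the search path at logon,
            # so the helper checks which copy actually runs.
            return Finding("O4", "review", line,
                           f"unqualified filename {path!r}: resolved through the search path, "
                           "verify it is the copy in C:\\WINDOWS")
        if not path.lower().startswith(TRUSTED_ROOTS):
            return Finding("O4", "review", line, f"autostart outside Windows/Program Files: {path}")
        return None
    m = STARTUP_RE.match(body)
    if m and m.group("target").strip() == "?":
        return Finding("O4", "review", line,
                       f"startup shortcut {m.group('lnk')!r} has no resolvable target")
    return None


def check_o17(body: str, line: str):
    m = re.search(r"NameServer = (?P<servers>.+)$", body)
    if not m:
        return None
    return Finding("O17", "confirm", line,
                   f"DNS resolvers {m.group('servers').split()}: confirm they belong to the owner's ISP")


def check_o18(body: str, line: str):
    m = O18_RE.match(body)
    if not m:
        return None
    if "(no CLSID)" in body or "(no file)" in body:
        # HijackThis reads O18 from HKCR\PROTOCOLS\Filter\<mime>; an entry
        # with no CLSID and no file is an orphan and should simply be removed.
        return Finding("O18", "fix", line,
                       f"orphaned MIME filter for {m.group('mime')} under HKCR\\PROTOCOLS\\Filter; "
                       "if HijackThis cannot remove it, a realtime registry shield is probably holding the key")
    return Finding("O18", "review", line,
                   f"MIME filter for {m.group('mime')} registered by {m.group('file')}")


def check_o23(body: str, line: str):
    m = O23_RE.match(body)
    if not m:
        return None
    if "(file missing)" in m.group("path"):
        return Finding("O23", "fix", line, f"service {m.group('name')} is registered but its binary is missing")
    if m.group("vendor") == "Unknown owner":
        return Finding("O23", "review", line, f"service {m.group('name')} has no publisher information")
    return None


CHECKS = {"O4": check_o4, "O17": check_o17, "O18": check_o18, "O23": check_o23}


def triage(log_text: str) -> list:
    """Return the findings for every recognised section line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        if check:
            finding = check(m.group("body"), line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.section}: {f.reason}")
```

Run on the constructed sample this yields six findings: the two unusual O4 Run entries and the unresolved startup shortcut for review, the O17 resolvers to confirm, and the O18 filter and missing-binary O23 service to fix. Well-known vendor entries under Program Files produce nothing, which is the point: the rules are meant to shorten the list a human reads, not replace the read.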

Re: Help please

Unread postby harnage1 » April 29th, 2008, 2:13 pm

DllUnregisterServer procedure not found in C:\WINDOWS\system32\gpnqtgvd.dll
C:\WINDOWS\system32\gpnqtgvd.dll NOT unregistered.
C:\WINDOWS\system32\gpnqtgvd.dll moved successfully.
C:\Documents and Settings\All Users\Documents\AOL Downloads\my stuff\My Pictures\Cdvd.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04292008_121210


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:40 PM, on 4/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5029 bytes

No matter what I try, the O18 file won't be removed.
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm