HELP - Log attached

Post by dshakes » July 20th, 2007, 4:38 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:47 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
\csdlancnas1\public\enercalc\ec58.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\LSUpdateManager.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dns.CSDAVIDSONMS\Desktop\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A2C65F22-4D32-4A85-9C8A-6716A393FEA1} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CA6F866F-971D-4F77-BE35-C927BD2447DE} - \
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O2 - BHO: (no name) - {f9957425-0405-4a41-a12c-9073300f4dae} - C:\WINDOWS\system32\jhgqpiq.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [{F6-6D-DB-B9-ZN}] C:\windows\system32\nodsrego.exe SKY009
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9483 bytes
dshakes
Regular Member
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Post by beynac » July 20th, 2007, 4:49 pm

Welcome to Malware Removal forum.

VundoFix

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please post, as a reply to this thread:
  • The VundoFix report (C:\vundofix.txt)
  • A new HijackThis log
beynac
MRU Honors Grad Emeritus
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

as requested...

Post by dshakes » July 20th, 2007, 5:05 pm

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:50:25 PM 7/20/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!




And the HijackThis.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:04 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Documents and Settings\dns.CSDAVIDSONMS\Desktop\VundoFix.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\dns.CSDAVIDSONMS\Desktop\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A2C65F22-4D32-4A85-9C8A-6716A393FEA1} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CA6F866F-971D-4F77-BE35-C927BD2447DE} - \
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O2 - BHO: (no name) - {f9957425-0405-4a41-a12c-9073300f4dae} - C:\WINDOWS\system32\jhgqpiq.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [{F6-6D-DB-B9-ZN}] C:\windows\system32\nodsrego.exe SKY009
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9289 bytes

Post by beynac » July 20th, 2007, 6:22 pm

There's quite a lot to do in this post. Take it one step at a time. Stop and ask if you have any problems or questions.

------------------------------------------------

I would like you to run VundoFix again.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right-click inside the listbox (white box) and click add more files
  • Copy/paste the following into the top text box: C:\WINDOWS\system32\jhgqpiq.dll
  • Click Add Files and click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

------------------------------------------------

You are running HijackThis from your Desktop. We need to move this into its own folder so that its backup files are kept safe.
  • Click on Start, then My Computer
  • Double click on your Local Disk (usually C:\).
  • Double click to open the Program Files folder.
  • Right click on the right hand panel and select New then Folder.
  • Rename the new folder HijackThis.
  • Locate the HijackThis program file (Scanner.exe) on your Desktop, right-click on it and select Cut.
  • Open the new C:\Program Files\HijackThis folder and paste the program into it.
Always run HijackThis from this new location (create a shortcut on your desktop).

----------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O2 - BHO: (no name) - {A2C65F22-4D32-4A85-9C8A-6716A393FEA1} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {CA6F866F-971D-4F77-BE35-C927BD2447DE} - \
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O2 - BHO: (no name) - {f9957425-0405-4a41-a12c-9073300f4dae} - C:\WINDOWS\system32\jhgqpiq.dll
<< This could have "(file missing)" at the end
O4 - HKLM\..\Run: [{F6-6D-DB-B9-ZN}] C:\windows\system32\nodsrego.exe SKY009
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)


Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

-------------------------------------------

HijackThis may not remove all of the files relating to the fixed items. We therefore need to check this and delete them if necessary. First we need to make sure that you can see all of the files.
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Advanced Settings:
    • Under Hidden files and folders, select Show hidden files and folders
    • Uncheck Hide extensions for known file types
    • Uncheck Hide protected operating system files (Recommended)
  • Click Apply to All Folders
  • Click Yes to confirm
  • Click OK
-----------------------------------------------

ATF Cleaner by Atribune ©

Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
-----------------------------------------------------

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

You will need to update the program:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful.
Please check/change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
You can now close AVG Anti-Spyware. Do not scan yet.

---------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
------------------------------------------------

Delete Files and Folders

Click on Start then My Computer, find the following files and folders (highlighted in red) and delete them, if present. Don't worry if any are missing, but please let me know.
  • C:\Program Files\Web Buying\ <- Delete the folder
  • C:\Program Files\WinPop\ <- Delete the folder
  • C:\WINDOWS\system32\dwdsregt.exe <- File only
  • C:\windows\system32\nodsrego.exe <- File only
----------------------------------------------

Run AVG Anti-Spyware:

Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
-----------------------------------------------------------------

Reboot in Normal Mode

----------------------------------------------------

Please run another HijackThis scan and post the following, as a reply to this thread:
  • The VundoFix report (C:\vundofix.txt)
  • The AVG Anti-Spyware report
  • A new HijackThis log
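As an added example (not a MalwareRemoval.com tool, and not code posted by either participant), the following Python script does offline what beynac did by eye across the two logs in dshakes' reply and in the fix list above: it parses the O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines of a HijackThis log, compares the pre-VundoFix log against the post-VundoFix log to show which entries disappeared and which are now orphaned "(file missing)" registry entries, applies a few heuristics to pick out the entries worth a second look, and checks the reversed-name companion pattern visible in the VundoFix report (awvvt.dll alongside tvvwa.ini and tvvwa.bak1/2). The sample log lines are excerpted from the logs above; the heuristic thresholds, function names and the RANDOM_DLL pattern are my own assumptions, not anything HijackThis or VundoFix defines.

```python
"""Offline triage of HijackThis logs: parse, diff, flag. Added example, not a forum tool."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: O2/O4/O20 lines excerpted from the two HijackThis
# logs posted above (before and after the first VundoFix run).
LOG_BEFORE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {A2C65F22-4D32-4A85-9C8A-6716A393FEA1} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O4 - HKLM\..\Run: [{F6-6D-DB-B9-ZN}] C:\windows\system32\nodsrego.exe SKY009
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {A2C65F22-4D32-4A85-9C8A-6716A393FEA1} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O4 - HKLM\..\Run: [{F6-6D-DB-B9-ZN}] C:\windows\system32\nodsrego.exe SKY009
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
"""
# File names listed by VundoFix in the report above.
VUNDOFIX_LISTING = ["awvvt.dll", "tvvwa.bak1", "tvvwa.bak2", "tvvwa.ini"]

# HijackThis appends " (file missing)" when the referenced file is not on disk.
TAIL = r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - " + TAIL),
    "O4": re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] " + TAIL),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - " + TAIL),
}
# Heuristic (my own threshold): 5-8 lowercase letters, as in awvvt.dll / byxxyyx.dll / jhgqpiq.dll.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass(frozen=True)
class Entry:
    section: str   # O2 (BHO), O4 (Run value) or O20 (Winlogon Notify)
    name: str      # BHO display name, Run value name, or Notify subkey name
    path: str      # path as logged; may be a bare file name
    missing: bool  # True when HijackThis reported "(file missing)"

    def key(self) -> tuple[str, str, str]:
        return (self.section, self.name, self.path)


def parse(log: str) -> list[Entry]:
    """Pick the O2/O4/O20 lines out of a HijackThis log; all other lines are ignored."""
    entries = []
    for line in log.splitlines():
        section = line.split(" ", 1)[0]
        pat = PATTERNS.get(section)
        m = pat.match(line) if pat else None
        if m:
            entries.append(Entry(section, m["name"], m["path"], m["missing"] is not None))
    return entries


def flags(e: Entry) -> list[str]:
    """Reasons an entry deserves a look. Empty list means nothing stood out."""
    out = []
    base = e.path.replace("/", "\\").split("\\")[-1].lower()
    if e.missing:
        out.append("orphaned: file already gone, registry entry remains")
    if e.section == "O20":
        out.append("Winlogon Notify DLL is loaded by winlogon.exe at every logon")
    if e.section == "O2" and e.name == "(no name)" and "system32" in e.path.lower() and RANDOM_DLL.match(base):
        out.append("unnamed BHO with a random-looking DLL name in system32 (Vundo-style)")
    if e.section == "O4" and e.name.startswith("{") and e.name.endswith("}"):
        out.append("Run value named like a GUID")
    return out


def suspicious(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    return [(e, f) for e in entries if (f := flags(e))]


def diff(before: list[Entry], after: list[Entry]):
    """Entries removed between two logs, and entries whose file vanished but whose key stayed."""
    b = {e.key(): e for e in before}
    a = {e.key(): e for e in after}
    removed = sorted(k for k in b if k not in a)
    now_missing = sorted(k for k in b if k in a and not b[k].missing and a[k].missing)
    return removed, now_missing


def vundo_companions(dll: str, listing: list[str]) -> list[str]:
    """Files whose stem is the DLL's stem reversed (awvvt -> tvvwa), as seen in the VundoFix report."""
    rev = dll.lower().rsplit(".", 1)[0][::-1]
    return [f for f in listing if f.lower().rsplit(".", 1)[0] == rev]


if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    for e, why in suspicious(before):
        print(f"{e.section} [{e.name}] {e.path}: {'; '.join(why)}")
    removed, now_missing = diff(before, after)
    print("removed by VundoFix:", removed)
    print("file deleted, key remains:", now_missing)
    print("companions of awvvt.dll:", vundo_companions("awvvt.dll", VUNDOFIX_LISTING))
```

The heuristics reproduce beynac's picks for the random-named system32 DLLs, the GUID-named Run value and both Winlogon Notify entries, but they say nothing about WinPop or Web Buying, which sit in ordinary Program Files paths; those still need a human who recognises the product names, which is the part of the thread no script replaces. The diff output also shows why the second HijackThis fix is needed after VundoFix: the DLL is gone, but the BHO CLSID and its "(file missing)" entry are still registered.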

Post by dshakes » July 23rd, 2007, 10:45 am

OK, here comes what you asked for...and thanks a lot...

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:26:39 AM 7/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\jhgqpiq.dll
C:\WINDOWS\system32\jhgqpiq.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:44 AM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8924 bytes


For some reason, the AVG report didn't save to my desktop and I don't have time right now at work to re-run the scan. I do know that it cleared everything that came up in the scan. I hope this is alright... How do the above scans look???
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 10:55 am

Also, the files you said to delete in safe mode were not there....
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 11:11 am

One other thing, I keep running Spybot S&D and Smitfraud-C.CoreService keeps coming up and I am unable to remove those files...
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 11:12 am

OK, cancel that last post, I just got files removed....
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 11:22 am

Hi.

How do the above scans look???

VundoFix has done its job and the HijackThis log appears to be clean.

Also, the files you said to delete in safe mode were not there....

That's not a problem. The important thing is that they are not there now. Thanks for letting me know.

I would like to see the AVG Anti-Spyware report, if possible. Open the program and click on the Reports tab. The report should be shown. Click to select it then copy the text in the right-hand pane and post it as a reply to this thread. There is no need to run another scan at the moment.

------------------------------------------------

I cannot see any sign that you are using a firewall. Are you using Windows XP Firewall? If not, I suggest that you switch it on immediately. Windows XP Firewall is better than nothing, but it only protects against incoming traffic. It doesn't protect you against outgoing baddies trying to "phone home". I strongly suggest that you use one of the third-party ones. Sunbelt Personal Firewall and Outpost Firewall are both good and have a free version. I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can greatly lower your risk.

------------------------------------------------

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. It is likely that this is how Vundo got into your computer. The most current version of Sun Java is: Java Runtime Environment Version 6u2.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6u2
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer
----------------------------------------

I was just about to post the above, when you posted again:

One other thing, I keep running Spybot S&D and Smitfraud-C.CoreService keeps coming up and I am unable to remove those files...

Hmm... there's no sign of SmitFraud in your HijackThis log. Could you please let me know details of the files you mention and run the following:

SmitFraudFix (by S!Ri)
  • Please download SmitFraudFix from here and save it to your Desktop.
  • Double-click on Smitfraud.exe
  • Select option #1 - Search by typing 1 and press Enter - a text file will appear, which lists infected files (if present).
Do not run any of the other options at this stage.

Please copy/paste the content of the report (c:\rapport.txt) into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user.

-----------------------------------------

Please run HijackThis again and post the following, as a reply to this thread:
  • The AVG Anti-Spyware report (if you are able to retrieve it)
  • The SmitFraudFix report (c:\rapport.txt)
  • A new HijackThis log
Edit: I've just seen your latest post. I still think that it would be a good idea to run SmitFraudFix, even though you managed to delete the files.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
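
The Java advice above is the one security-relevant finding in this thread: the first HijackThis log references j2re1.4.2_03 in the process list, an O4 Run entry and an O9 button, and the log posted after the upgrade references jre1.6.0_02 instead. The script below is an added example, not code from the thread, from HijackThis or from MalwareRemoval.com. It pulls every Java install directory out of a HijackThis log, turns the Sun directory name into a comparable version key and reports any install older than the reference version. The sample lines are taken from the two logs posted in this thread; the reference (1, 6, 0, 2) is the JRE 6u2 named in the post and is an assumption you would update for whatever release is current; the accepted directory prefixes (j2re, jre, j2sdk, jdk) and the handling of short names such as jre6 are assumptions about Sun's installer naming.

```python
import re

# Reference version. The post names JRE 6u2, which Sun installs as jre1.6.0_02,
# so its comparison key is (1, 6, 0, 2). Assumption: update this when a newer
# JRE is current.
CURRENT_JRE = (1, 6, 0, 2)

# Matches the Java install directory inside a path such as
#   C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
#   C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
# The prefixes j2re/jre/j2sdk/jdk are an assumption about Sun's folder names.
JAVA_DIR_RE = re.compile(
    r"\\Java\\(?P<dir>(?:j2re|jre|j2sdk|jdk)(?P<ver>\d+(?:\.\d+)*)(?:_(?P<upd>\d+))?)\\",
    re.IGNORECASE,
)

# Sample input: lines excerpted from the two HijackThis logs posted in this
# thread, before and after the Java upgrade.
HJT_BEFORE = r"""
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
"""

HJT_AFTER = r"""
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
"""


def java_dir_key(dirname):
    """Turn 'j2re1.4.2_03' into (1, 4, 2, 3) so installs compare numerically.

    Short names such as 'jre6' are read as 1.6.0 (assumption about Sun naming).
    Returns None when the name is not a recognised Sun JRE/JDK directory.
    """
    m = JAVA_DIR_RE.search("\\Java\\" + dirname + "\\")
    if not m:
        return None
    parts = [int(p) for p in m.group("ver").split(".")]
    if len(parts) == 1:            # 'jre6' -> 1.6.0
        parts = [1, parts[0], 0]
    while len(parts) < 3:          # '1.6' -> 1.6.0
        parts.append(0)
    return tuple(parts[:3]) + (int(m.group("upd") or 0),)


def fmt_key(key):
    """Render (1, 6, 0, 2) the way Sun names the folder: 1.6.0_02."""
    return "%d.%d.%d_%02d" % key


def find_java_installs(log_text):
    """Scan a HijackThis log and return {install_dir: version_key} for every
    Java directory referenced on any line (process list, O2, O4, O9, ...)."""
    found = {}
    for line in log_text.splitlines():
        for m in JAVA_DIR_RE.finditer(line):
            d = m.group("dir")
            if d not in found:
                found[d] = java_dir_key(d)
    return found


def outdated_installs(log_text, current=CURRENT_JRE):
    """Names of Java installs older than `current`, oldest first."""
    installs = find_java_installs(log_text)
    stale = [d for d, key in installs.items() if key is not None and key < current]
    return sorted(stale, key=lambda d: installs[d])


def java_status(log_text, current=CURRENT_JRE):
    """One-line verdict of the kind a helper would paste back into the thread."""
    stale = outdated_installs(log_text, current)
    if not stale:
        return "Java OK: no install older than %s referenced" % fmt_key(current)
    return "Outdated Java present, uninstall and delete: " + ", ".join(stale)


if __name__ == "__main__":
    print("before upgrade:", java_status(HJT_BEFORE))
    print("after upgrade: ", java_status(HJT_AFTER))
```

Run against the combined logs, the check still reports j2re1.4.2_03: a leftover old directory next to the new one is exactly the "remove the older more vulnerable versions" case the post warns about, because the older plugin can still be loaded by the browser.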

Unread postby dshakes » July 23rd, 2007, 12:03 pm

SmitFraudFix v2.206

Scan done at 11:57:45.10, Mon 07/23/2007
Run from C:\Documents and Settings\dns.CSDAVIDSONMS\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dns.CSDAVIDSONMS


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DNS~1.CSD\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 10.20.4.5
DNS Server Search Order: 4.2.2.1

Description: Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.20.4.5
DNS Server Search Order: 24.104.0.34

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer=10.20.4.5,4.2.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E05BA90-A0C1-43B4-A80F-ACF0E77FDDE6}: DhcpNameServer=10.20.4.5 24.104.0.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer=10.20.4.5,4.2.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E05BA90-A0C1-43B4-A80F-ACF0E77FDDE6}: DhcpNameServer=10.20.4.5 24.104.0.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer=10.20.4.5,4.2.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.20.4.5 24.104.0.34
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.20.4.5 24.104.0.34


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:40 AM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8939 bytes



There was no report saved in AVG...In order to rescan, do I need to be in Safe Mode again????
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 12:35 pm

There was no report saved in AVG...In order to rescan, do I need to be in Safe Mode again????

No, you can run it in normal mode as it has already been run once. Please could you double-check the settings (which I will repeat for clarity). I suggest that you print these off and follow them step-by-step when running the program. Hopefully, we'll get a report this time. :lol:

AVG Anti-Spyware:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful.
Please check the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Please post the report as a reply to this thread. The SmitFraudFix report is clean. Please could you let me know what files Spybot found.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby dshakes » July 23rd, 2007, 12:54 pm

I'll do the AVG here in a second. I re-ran Spybot and the following came up, although when I ran it a few minutes prior these things were not there....

Advertising.com
CasaleMedia
CoreMetrics
DoubleClick
Statcounter
Web Trends Live
Zedo

I have since fixed all of these files found.

Are these just random spyware files that will keep coming in that I will need to scan every so often to get rid of??
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 1:16 pm

Those look like tracking cookies. They are not dangerous but it's best to keep them clear. AVG will clear these. I will give you some more advice regarding these later. Run the AVG scan, post the report and we'll have a look at what's there.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby dshakes » July 23rd, 2007, 2:02 pm

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:56:49 PM 7/23/2007

+ Scan result:



C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP202\A0019958.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP202\A0019957.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP202\A0019953.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP202\A0019955.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP202\A0019956.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP202\A0019954.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\dns.CSDAVIDSONMS\Cookies\dns@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.72:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.12:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.13:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.14:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.15:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.16:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.17:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.18:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.19:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.20:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.33:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.34:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.35:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.36:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.22:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.37:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.38:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.39:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.40:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.41:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.10:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.11:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.42:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.6:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.7:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.8:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.9:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.43:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.44:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.46:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.47:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.48:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.52:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.53:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.54:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.55:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.56:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.57:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.58:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.59:C:\Documents and Settings\dns.CSDAVIDSONMS\Application Data\Mozilla\Firefox\Profiles\l8y8s2mw.d\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 2:58 pm

The AVG Anti-Spyware report is clean. The only items are some tracking cookies and some bad files in System Restore, which we will sort out later when we are sure that the computer is clean.

Are these just random spyware files that will keep coming in that I will need to scan every so often to get rid of??

Basically, yes. You can prevent a lot of tracking cookies from getting on your computer by installing SpywareBlaster. This program will:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block a large number of spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
This program blocks these items but does not run in the background. It therefore does not use any resources. Make sure that you regularly check for updates.

Clear the cookies regularly by using either Spybot, ATF Cleaner or AVG Anti-Spyware. You can also set Firefox to only allow cookies for the session. When you close the browser, the cookies are deleted.

-------------------------------------------------

ComboFix by sUBs

I'm still a bit concerned about the Smitfraud-C.CoreService that Spybot found. Although you have removed the files and the SmitFraudFix scan came up clean, I would like to run another tool to check that everything is OK.
  • Download this file - ComboFix.exe
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply.
Important: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

-------------------------------------------------

Please run another HijackThis scan and post the following:
  • The ComboFix log
  • A new HijackThis log
You haven't answered my question about firewalls. Have you got the Windows Firewall switched on?
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
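Added example (not part of the thread, and not a tool from MalwareRemoval.com or AVG): a small triage helper over AVG Anti-Spyware report lines in the format posted above, separating tracking-cookie hits and System Restore leftovers from anything that would argue against the "clean" verdict. The sample report is constructed; the restore-point path and the two non-cookie detection names are invented placeholders.

```python
import re
from collections import Counter

# A report line as posted in the thread looks like:
#   :mozilla.21:C:\...\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
# The ":mozilla.N:" prefix is the record index inside cookies.txt; ordinary
# file detections carry no such prefix, so it is optional here.
LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>[^.]+)\.$"
)

def parse_line(line):
    """Return (path, detection, action), or None for non-detection lines such as '::Report end'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("action")

def triage(report_text):
    """Bucket detections the way a helper reads the report: cookie counts per
    ad network, hits inside System Restore points (only removable by purging
    restore points later), and everything else, which needs a closer look."""
    cookies, restore, other = Counter(), [], []
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, detection, _action = rec
        if detection.startswith("TrackingCookie."):
            cookies[detection.split(".", 1)[1]] += 1
        elif "\\System Volume Information\\" in path:
            restore.append(rec)
        else:
            other.append(rec)
    return {"cookies": dict(cookies), "restore": restore, "other": other}

def is_clean(summary):
    """True when nothing beyond cookies and restore-point leftovers was reported."""
    return not summary["other"]

# Constructed sample: the first two lines follow the posted format (username and
# profile name changed); the last two detection records are invented placeholders.
SAMPLE = """
:mozilla.21:C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd.d\\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.72:C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd.d\\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\\System Volume Information\\_restore{PLACEHOLDER}\\RP1\\A0000001.exe -> Downloader.Placeholder : Cleaned.
C:\\WINDOWS\\system32\\placeholder.dll -> Trojan.Placeholder : Cleaned.
::Report end
"""

if __name__ == "__main__":
    s = triage(SAMPLE)
    print(s["cookies"], len(s["restore"]), len(s["other"]), is_clean(s))
```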