thecoolpics.net - pllss.. help me...


Post by sundara » July 14th, 2007, 11:42 am

I'm badly infected with this virus - thecoolpics.net. I've used Trend Micro Sysclean with the latest pattern file also, but Sysclean is not healing or deleting WORM_SOHANAD.CA.
Please find my log and please help me....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:36 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\lsass.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\system32\mqtgsvc.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.183.*;afcons.in;afcons.com;192.168.157.*;10.0.0.*;<local>
F2 - REG:system.ini: Shell=explorer.exe E:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,E:\WINDOWS\system\lsass.exe
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [Agent] E:\WINDOWS\system32\alsys.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Agent] E:\WINDOWS\system32\alsys.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Gtk+
O4 - Global Startup: MSconfig.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\Software\..\Telephony: DomainName = chenab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS1\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS2\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6258 bytes
sundara
Active Member
 
Posts: 10
Joined: July 14th, 2007, 11:19 am
Location: Jammu
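The log above carries the classic signs a helper reads first: a second lsass.exe running from E:\WINDOWS instead of system32, the Winlogon Shell and UserInit values chaining an extra program, a rundll32 autorun, an MSconfig.exe in the Startup folder, Registry Editor disabled by policy, and orphaned "(file missing)" entries. The script below is an added example written for this page; it is not code from the forum, from the helper, or from the HijackThis project. It encodes those checks as rules over the HJT text format and runs them on a constructed sample built from a subset of the posted log lines.

```python
"""Triage a HijackThis (HJT) log for the indicators seen in this thread.
Added example, not part of the thread or of HijackThis; SAMPLE_LOG is
constructed from entries in the log posted above."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Core Windows binaries that only run from the system directory; a copy
# running from anywhere else (E:\WINDOWS\lsass.exe above) is a lookalike.
SYSTEM_ONLY_BINARIES = {"lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")
# Names of system tools that never belong in the Startup folder.
LOOKALIKE_STARTUP = {"msconfig.exe", "lsass.exe", "svchost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def check_process(path: str) -> List[Finding]:
    """Flag a 'Running processes' entry that mimics a system binary."""
    name = basename(path)
    if name in SYSTEM_ONLY_BINARIES and not any(d in path.lower() for d in SYSTEM_DIRS):
        return [("high", f"{name} running outside the system directory: {path}")]
    return []


def check_entry(line: str) -> List[Finding]:
    """Apply per-section rules to one HJT entry line (R0, F2, O4, ...)."""
    out: List[Finding] = []
    kind = line.split(" - ", 1)[0]
    low = line.lower()
    if kind == "F2":
        # Anything chained after the default Shell/UserInit value runs at
        # every logon, which is how the worm in this thread persisted.
        m = re.match(r"F2 - REG:system\.ini: (\w+)=(.*)", line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "shell" and value.lower() != "explorer.exe":
                out.append(("high", f"Shell= chains an extra program: {value}"))
            if key == "userinit":
                parts = [p.strip() for p in value.split(",") if p.strip()]
                if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                    out.append(("high", f"UserInit= chains an extra program: {value}"))
    elif kind == "O7" and "disableregedit=1" in low:
        out.append(("medium", "Registry Editor disabled by policy (O7)"))
    elif kind == "O4":
        if "rundll32" in low:
            out.append(("medium", f"rundll32 autorun, verify the DLL it loads: {line}"))
        if "\\temp\\" in low:
            out.append(("high", f"autorun from a temp directory: {line}"))
        m = re.search(r"Global Startup: (.+)$", line)
        if m and basename(m.group(1)) in LOOKALIKE_STARTUP:
            out.append(("high", f"system-tool lookalike in Startup folder: {m.group(1)}"))
    elif kind in ("O2", "O20") and "(file missing)" in low:
        out.append(("low", f"orphaned entry, file missing: {line}"))
    elif kind == "R0" and "start page" in low and "http" in low:
        out.append(("medium", f"start page set to a URL, confirm it is wanted: {line}"))
    return out


def triage(log: str) -> List[Finding]:
    """Walk a whole HJT log: the process list first, then the lettered entries."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            findings.extend(check_process(line))
        elif re.match(r"^[A-Z]\d+ - ", line):
            findings.extend(check_entry(line))
    return findings


# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\lsass.exe
E:\WINDOWS\SOUNDMAN.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.net/
F2 - REG:system.ini: Shell=explorer.exe E:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,E:\WINDOWS\system\lsass.exe
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: MSconfig.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

The rules are deliberately conservative: a process is only flagged when its name collides with a core system binary and its directory is not system32, and Shell/UserInit are compared against their exact defaults rather than pattern-matched, so a clean XP log produces no findings. Run against the sample, the script reports nine findings, four of them high, which is the same set the helper asked SDFix and the BFU script to remove.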

Post by ndmmxiaomayi » July 15th, 2007, 5:20 am

Hi sundara. :)

Welcome to Malware Removal Forum. My name is mayi and I will be helping you. As I am still an undergraduate, I will need my fixes checked before posting back to you. Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Post by ndmmxiaomayi » July 15th, 2007, 7:31 am

Hi sundara,

Step 1

I don't see an antivirus program running in your log. It could be that you disabled it, or you don't have an antivirus at all.

If you have disabled it, please re-enable it back.

If you have no antivirus, please download ONE antivirus from one of the links below:

AVG Antivirus Free
AntiVir for Windows 2000 and Windows XP
avast! 4 Home Edition
Clamwin

Please print out or save this set of instructions, as you will be working in Safe Mode without an internet connection.

Step 2

  1. Download SDFix by AndyManchesta and save it to your desktop.
  2. Double click on SDFix.exe. By default, it will install to C:\.
  3. Click on Install.

Step 3

Boot into Safe Mode.

  1. When you see BIOS screen, start pressing F8.
  2. A boot menu will appear shortly.
  3. Using the up and down arrow keys, select Safe Mode and press the Enter key.
  4. Windows will now load.
  5. Log in to your usual account.

Step 4

  1. Navigate to E:\SDfix (if you installed it to the default location, otherwise, locate where you installed it)
  2. Double click on RunThis.bat
  3. Type Y to begin the cleanup process.
  4. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  5. Press any key to reboot.
  6. When the PC restarts, the tool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.
  7. Once the desktop icons load, the SDFix report will open on screen. You can also find the report in SDFix folder, named Report.txt.

Step 5

  1. Open My Computer.
  2. Double click on your E drive.
  3. Right click on an empty space and select New > Folder. Type in BFU as the name of the folder and press Enter.

Step 6

Please download Brute Full Uninstaller by Merijn from one of these links:

From Castlecops
From DKnoppix
From Merijn
From Major Geeks

  1. Locate the bfu.zip that you've downloaded earlier.
  2. Right click on bfu.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. In the Files will be extracted to this directory: box, copy and paste in E:\BFU. Then click OK.
  5. Check (tick) the Show extracted files box.
  6. Right click here and select Save Link As... (In Internet Explorer it is Save Target As...). Save it to E:\BFU folder.
  7. Navigate to E:\BFU and double click on BFU.exe.
  8. In the Scriptfile to execute field, copy and paste this in: E:\BFU\coolpics.bfu
  9. Click on Execute.
  10. Once done, click OK and click on Exit.

In your next reply, please post:

  1. SDFix report
  2. A new HijackThis log

Thank you

Post by sundara » July 16th, 2007, 6:15 am

hi ndmmxiaomayi,

Thanks for your guidance. Please find the SDFix report below.


SDFix: Version 1.91

Run by Administrator on Mon 07/16/2007 at 02:39 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: E:\SDFix

Safe Mode:
Checking Services:

Killing PID 288 'lsass.exe'
Killing PID 816 'lsass.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe - Deleted
E:\New Folder.exe - Deleted
E:\WINDOWS\lsass.exe - Deleted
E:\WINDOWS\system\lsass.exe - Deleted



Removing Temp Files...

ADS Check:

E:\WINDOWS
No streams found.

E:\WINDOWS\system32
No streams found.

E:\WINDOWS\system32\svchost.exe
No streams found.

E:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\Trillian\\trillian.exe"="E:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"E:\\Program Files\\Google\\Google Talk\\googletalk.exe"="E:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"E:\\Program Files\\UltraVNC\\winvnc.exe"="E:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"E:\\WINDOWS\\TEMP\\win216.tmp.exe"="E:\\WINDOWS\\TEMP\\win216.tmp.exe:*:Enabled:win216.tmp"
"E:\\Program Files\\D-Link\\D-View\\5.1\\Bin\\dview51.exe"="E:\\Program Files\\D-Link\\D-View\\5.1\\Bin\\dview51.exe:*:Enabled:dview51"
"E:\\Program Files\\Skype\\Phone\\Skype.exe"="E:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\WINDOWS\\system32\\mqsvc.exe"="E:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"E:\\Program Files\\Messenger\\msmsgs.exe"="E:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"E:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winvaoufx.exe"="E:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winvaoufx.exe:*:Enabled:ipsec"
"E:\\Program Files\\Gaim\\gaim.exe"="E:\\Program Files\\Gaim\\gaim.exe:*:Enabled:ipsec"
"E:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winxdeff.exe"="E:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winxdeff.exe:*:Enabled:ipsec"
"E:\\Program Files\\FlashGet\\flashget.exe"="E:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\WINDOWS\\system32\\mqsvc.exe"="E:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"

Remaining Files:
---------------

Backups Folder: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes:

E:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
E:\Program Files\Picasa2\setup.exe
E:\Documents and Settings\Administrator\Desktop\system related\~WRL0071.tmp
E:\Documents and Settings\Administrator\Desktop\system related\~WRL2629.tmp
E:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
E:\vrr e\All folders\Copy of Stereonet final files\~WRL0569.tmp
E:\vrr e\All folders\Copy of Stereonet final files\~WRL4055.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0001.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0003.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0005.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0024.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0099.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0175.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL0394.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL1196.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL2430.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL3071.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL3102.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL3187.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL3211.tmp
E:\vrr e\All folders\Gelogy Photo-29.12.06\Kinam\~WRL3549.tmp
E:\vrr e\All folders\Kinam\~WRL0001.tmp
E:\vrr e\All folders\Kinam\~WRL0002.tmp
E:\vrr e\All folders\Kinam\~WRL0003.tmp
E:\vrr e\All folders\Kinam\~WRL0005.tmp
E:\vrr e\All folders\Kinam\~WRL0024.tmp
E:\vrr e\All folders\Kinam\~WRL0099.tmp
E:\vrr e\All folders\Kinam\~WRL0175.tmp
E:\vrr e\All folders\Kinam\~WRL0394.tmp
E:\vrr e\All folders\Kinam\~WRL1196.tmp
E:\vrr e\All folders\Kinam\~WRL2430.tmp
E:\vrr e\All folders\Kinam\~WRL3071.tmp
E:\vrr e\All folders\Kinam\~WRL3102.tmp
E:\vrr e\All folders\Kinam\~WRL3187.tmp
E:\vrr e\All folders\Kinam\~WRL3211.tmp
E:\vrr e\All folders\Kinam\~WRL3549.tmp
E:\vrr e\All folders\Stereonet final files\~WRL0569.tmp
E:\vrr e\All folders\Stereonet final files\~WRL4055.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\Chenab(Glance)\~WRL0216.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\Chenab(Glance)\~WRL1211.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0001.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0002.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0003.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0004.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0005.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0006.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0060.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL0970.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL1860.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL1901.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL2243.tmp
E:\vrr e\ETC File\krcl\BACKUP 14-11-06\UPKEEPING\~WRL3056.tmp
E:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for BiharSpecial.zip\Thumbs.db
E:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for voting_sys_in_us.zip\Thumbs.db

Finished


And below is the latest HJT report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:18 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\system32\mqtgsvc.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.183.*;afcons.in;afcons.com;192.168.157.*;10.0.0.*;<local>
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Gtk+
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\Software\..\Telephony: DomainName = chenab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS1\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS2\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6372 bytes



Now thecoolpics.net is not there in IE, and the Run command is enabled.

Post by sundara » July 16th, 2007, 9:10 am

Oops!! Once again the same. Please see the HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:15 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\WINDOWS\lsass.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\mqtgsvc.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Real\RealOne Player\RealPlay.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.183.*;afcons.in;afcons.com;192.168.157.*;10.0.0.*;<local>
F2 - REG:system.ini: Shell=explorer.exe E:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,E:\WINDOWS\system\lsass.exe
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Gtk+
O4 - Global Startup: MSconfig.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\Software\..\Telephony: DomainName = chenab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS1\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS2\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6871 bytes

Post by ndmmxiaomayi » July 16th, 2007, 10:36 am

Hi sundara,

Please re-run Steps 2, 3, 4 and 6 in my previous post to you.

In addition, please do the following:

Please rename HijackThis.exe to dumb.exe by following the instructions below:

  1. Navigate to E:\Program Files\Trend Micro\HijackThis
  2. Right click on HijackThis.exe and select Rename.
  3. Type in dumb and press Enter.
  4. Double click on dumb to run it. Select Do a system scan and save a logfile. Please post back this log in your next reply.
Do not close HijackThis yet.

  1. Click on the Config... button at the bottom right hand corner.
  2. At the top, click on the Misc Tools button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post back this list in your next reply.

In your next reply, please post:

  1. SDFix report
  2. A new HijackThis log
  3. The uninstall list

Post by sundara » July 17th, 2007, 10:10 am

Hi,

There is an auto-created "New Folder" (Microsoft Corp.) found on my PC. Whenever I hit that, Coolpics.net comes again. I've tried Avast & AVG to remove this one, but both are helpless. Please find the reports below.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:49 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\system32\mqtgsvc.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Trend Micro\HijackThis\dumb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.183.*;afcons.in;afcons.com;192.168.157.*;10.0.0.*;<local>
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Gtk+
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\Software\..\Telephony: DomainName = chenab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS1\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS2\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6625 bytes

Uninstall list

7-Zip 4.47 beta
Ad-Aware 2007
Adobe Acrobat 6.0 - Tryout
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
avast! Antivirus
Citrix Presentation Server Client
Core FTP LE 1.3c
FlashGet 1.8.8.1009
Gaim (remove only)
Gtk+ Runtime Environment 2.10.11-1
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
InstallShield for Microsoft Visual C++ 6
Intel Application Accelerator
Intel(R) Extreme Graphics Driver Software
Intel(R) PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 11
Java(TM) SE Runtime Environment 6 Update 1
Kundli for Windows (Professional Edition)
L&H TTS3000 British English
Lernout & Hauspie TruVoice American English TTS Engine
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Mozilla Firefox (2.0)
Mozilla Firefox (2.0.0.4)
Mozilla Thunderbird (2.0.0.4)
MSXML 4.0 SP2 (KB927978)
My digital Diary 3.2c
Nero OEM
Pdf995
Picasa 2
RealPlayer
Realtek AC'97 Audio
SeaMonkey (1.1.2)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB939373)
SHARP AR-M160/M205/5220 Series PCL/PS Printer Driver
Sharpdesk LT
Skype 3.1
Spybot - Search & Destroy 1.4
TheSage
UltraVNC v1.0.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinSCP 3.8.2
XMLinst
sundara
Active Member
 
Posts: 10
Joined: July 14th, 2007, 11:19 am
Location: Jammu

Post by ndmmxiaomayi » July 17th, 2007, 1:33 pm

Hi sundara,

Please set your system to show hidden files and extensions.

Step 1

Show hidden files and folders
  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.
You wrote: "There is an auto-created 'New Folder (Microsoft Corp.)' found on my PC. Whenever I hit that, Coolpics.net comes again."

Select this folder icon (do not open it): New Folder. Does it have any extension after the name, such as .exe or .dll?

Step 2

  1. Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
  2. Double click VundoFix.exe to run it.
  3. Click the Scan for Vundo button.
  4. Once it's done scanning, click the Remove Vundo button.
  5. You will receive a prompt asking if you want to remove the files, click YES
  6. Once you click yes, your desktop will go blank as it starts removing Vundo.
  7. When completed, it will prompt that it will reboot your computer, click OK.
  8. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

In your next reply, please post:

  1. VundoFix report (C:\VundoFix.txt)
  2. A new HijackThis log
  3. Whether there is a file extension for the new folder found on your PC
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Post by sundara » July 18th, 2007, 3:21 am

hi,

Even after running VundoFix I'm still finding New Folder.exe on my D: drive and boot.exe on my external disk, but VundoFix is not fixing any of these files.

Following is my latest HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:10 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\mqtgsvc.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
E:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
E:\Program Files\Trend Micro\HijackThis\dumb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.183.*;afcons.in;afcons.com;192.168.157.*;10.0.0.*;<local>
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Gtk+
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\Software\..\Telephony: DomainName = chenab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS1\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS2\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6680 bytes
sundara
Active Member
 
Posts: 10
Joined: July 14th, 2007, 11:19 am
Location: Jammu

Post by ndmmxiaomayi » July 18th, 2007, 5:29 am

Hi sundara, please post the VundoFix log (E:\VundoFix.txt).

Please also download Flash Disinfector by sUBs and save it to your desktop.

Plug in your external disk and hold down the Shift key so it doesn't auto run.

Double click on Flash_Disinfector.exe to run it. Your desktop will disappear for a while. Once the cleaning is done, click OK and your desktop will return.

If it doesn't appear, press Ctrl + Shift + Esc to bring up Task Manager.

Click on File > New Task (Run...). Copy and paste in explorer.exe and click OK.

Please uninstall Flashget as it's infected with spyware.

For a list of clean download managers, please see this article or here.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
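
Added example, not part of the thread and not code from Flash_Disinfector or any other tool named above: a small Python script showing what the "New Folder.exe on D:" and "boot.exe on the external disk" symptoms look like when a drive root is checked programmatically instead of by eye. It builds a constructed, clearly labelled sample drive root (a real Photos folder next to a Photos.exe, a New Folder.exe, and an autorun.inf that launches boot.exe), parses the [autorun] section for the keys that make Explorer launch a program, and flags executables named like folders or carrying a double extension. The launch-key list, the folder-name list and the executable-extension list are assumptions made for the example. A folder named autorun.inf (what Flash_Disinfector leaves behind to block the file from being created) is deliberately not reported.

```python
"""Check a removable drive's root for autorun worm tells (constructed sample, runs offline)."""
from __future__ import annotations

import tempfile
from pathlib import Path

# autorun.inf keys that make Explorer/AutoPlay launch a program (assumed list for this example).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
# Folder names worms borrow so an .exe passes as a folder when extensions are hidden (assumed list).
FOLDER_MIMIC_STEMS = {"new folder", "my documents", "my pictures", "documents",
                      "pictures", "photos", "music", "videos", "games"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Return the launch-related key=value pairs from the [autorun] section, keys lower-cased."""
    launch: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS:
                launch[key.lower()] = value
    return launch


def scan_drive_root(root: Path) -> list[tuple[str, str]]:
    """Return (file name, reason) pairs for suspicious items in the root of a drive."""
    findings: list[tuple[str, str]] = []
    entries = sorted(root.iterdir())
    dir_stems = {p.name.lower() for p in entries if p.is_dir()}
    inf = root / "autorun.inf"
    if inf.is_file():                                 # a *folder* named autorun.inf is a deliberate block, skip it
        launch = parse_autorun_inf(inf.read_text(errors="replace"))
        if not launch:
            findings.append(("autorun.inf", "present but no launch key found; review by hand"))
        for key, value in launch.items():
            target = Path(value.split()[0]).name if value.split() else value
            findings.append((target, f"launched by autorun.inf key '{key}'"))
    for p in entries:
        if p.is_dir() or p.suffix.lower() not in EXEC_EXTS:
            continue
        stem = p.stem.lower()
        if stem in FOLDER_MIMIC_STEMS or stem in dir_stems:
            findings.append((p.name, "executable named like a folder (relies on hidden extensions)"))
        elif Path(stem).suffix:                       # e.g. report.doc.exe
            findings.append((p.name, "double extension hides the real type"))
    return findings


def build_sample_drive(root: Path) -> None:
    """Constructed tree imitating the drive described in the thread; not a real capture."""
    stub = b"MZ" + b"\0" * 62                         # placeholder bytes, not a real PE
    (root / "Photos").mkdir()
    (root / "readme.txt").write_text("holiday pictures\n")
    (root / "New Folder.exe").write_bytes(stub)
    (root / "Photos.exe").write_bytes(stub)
    (root / "boot.exe").write_bytes(stub)
    (root / "autorun.inf").write_text(
        "[autorun]\n;dropped by the worm\nopen=boot.exe\nshell\\open\\Command=boot.exe /s\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")


def scan_sample() -> list[tuple[str, str]]:
    """Build the constructed drive in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_drive(root)
        return scan_drive_root(root)


if __name__ == "__main__":
    for name, reason in scan_sample():
        print(f"{name:<16}{reason}")
```

To use it on a real disk, plug the disk in with Shift held (as in the post above) and call scan_drive_root(Path("F:\\")) for the drive letter it received; Path.iterdir sees hidden and system files, so the hidden-file setting from Step 1 does not matter here.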

Post by sundara » July 18th, 2007, 7:51 am

Hi Mayi,

Below is my VundoFix log


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:34:51 PM 7/18/2007

Listing files found while scanning....

No infected files were found.
--------------------------
I used Flash_Disinfector also; I think I'm safe now.
Thanks for your timely help.
sundara
Active Member
 
Posts: 10
Joined: July 14th, 2007, 11:19 am
Location: Jammu

Post by ndmmxiaomayi » July 18th, 2007, 7:41 pm

Hi sundara,

  1. Please open VundoFix.
  2. In the blank white space above the Scan For Vundo and Remove Vundo buttons, right click and select Add more files?.
  3. Add in the following files:
    • E:\WINDOWS\system32\ipnydgh.dll
    • E:\WINDOWS\system32\sruusxm.dll
  4. Click Add Files, then Close Window.
  5. Click on Remove Vundo.
  6. You will receive a prompt asking if you want to remove the files, click YES.
  7. Once you click yes, your desktop will go blank as it starts removing Vundo.
  8. When completed, it will prompt that it will reboot your computer, click OK.
  9. Please post the contents of E:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

In your next reply, please post:

  1. VundoFix log (E:\VundoFix.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
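
Added example, not part of the thread and not a HijackThis feature: a Python script that does by hand what the helper did when picking ipnydgh.dll and sruusxm.dll out of the log above. It reads HijackThis lines and flags the entry shapes worth a second look: O2 BHOs marked (file missing), or unnamed and loading from system32; O4 Run values that use rundll32 to load a system32 DLL; O20 Winlogon Notify packages whose DLL is missing or not fully qualified; and O16 ActiveX downloads from a host that is not a known vendor. The sample lines are copied from the log posted in this thread (plus three clean entries from the same log for contrast); the vendor allow-list and the heuristics themselves are this example's assumptions.

```python
"""Triage a HijackThis (HJT) log: flag the entry patterns a helper looks at first."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis v2.0.2 log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - E:\WINDOWS\system32\ipnydgh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag: O2, O4, O16, O20
    item: str      # lower-cased file name, or the URL, the finding concerns
    reason: str


BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+\.dll),(?P<export>\S+)", re.IGNORECASE)
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Assumed allow-list: hosts from which an ActiveX (O16) download is routine.
KNOWN_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "java.sun.com", "macromedia.com", "adobe.com")


def basename(path: str) -> str:
    """Last path component, lower-cased, so findings compare by file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m.group("missing"):
                findings.append(Finding("O2", basename(m.group("path")),
                                        "BHO still registered but its DLL is gone (orphaned entry)"))
            elif m.group("name") == "(no name)" and in_system32(m.group("path")):
                findings.append(Finding("O2", basename(m.group("path")),
                                        "unnamed BHO loading from system32; verify the DLL"))
        elif m := RUN_RE.match(line):
            d = RUNDLL_RE.search(m.group("cmd"))
            if d and in_system32(d.group("dll")):
                same = basename(m.group("key")) == basename(d.group("dll"))
                note = " (Run value named after the DLL)" if same else ""
                findings.append(Finding("O4", basename(d.group("dll")),
                                        f"rundll32 loads a system32 DLL at logon, export {d.group('export')}{note}"))
        elif m := DPF_RE.match(line):
            host = (urlsplit(m.group("url")).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS):
                findings.append(Finding("O16", m.group("url"),
                                        f"ActiveX control '{m.group('name')}' fetched from non-vendor host {host}; review"))
        elif m := NOTIFY_RE.match(line):
            if m.group("missing") or "\\" not in m.group("path"):
                findings.append(Finding("O20", basename(m.group("path")),
                                        "Winlogon Notify package whose DLL is missing or not fully qualified"))
    return findings


def flagged_items(log_text: str) -> set[str]:
    return {f.item for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.item:<48}{f.reason}")
```

Run against the full log it reproduces the helper's list (ipnydgh.dll, sruusxm.dll, winrkp32.dll) and additionally asks for a look at the tdserver.cab download; the clean Spybot, Java and avast! entries are left alone. The heuristics are a starting point for triage, not a verdict: a flagged file still has to be checked before it is removed.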

Post by sundara » July 21st, 2007, 9:53 am

Hi Mayi,

Please find my latest HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:55 PM, on 21/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\system32\mqtgsvc.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Trend Micro\HijackThis\dumb.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.183.*;afcons.in;afcons.com;192.168.157.*;10.0.0.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sruusxm.dll] E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Gtk+
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\Software\..\Telephony: DomainName = chenab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS1\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chenab
O17 - HKLM\System\CS2\Services\Tcpip\..\{62790E7F-B559-45A2-AB0F-F90506FD1355}: NameServer = 10.0.0.1,202.134.192.11
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5991 bytes


and the VundoFix log:


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:27:42 PM 7/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:34:51 PM 7/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:40:11 PM 7/18/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:42:31 PM 7/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:57:19 PM 7/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!
sundara
Active Member
 
Posts: 10
Joined: July 14th, 2007, 11:19 am
Location: Jammu

Post by ndmmxiaomayi » July 21st, 2007, 1:03 pm

Please download Combofix from Tech Support Forum or Bleeping Computer. Save it to your desktop.

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Note: Do not mouse click on Combofix while it is running. That may cause it to crash.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Post by ndmmxiaomayi » August 1st, 2007, 6:36 am

Hello sundara,

Are you still there?

If you have problems following the instructions, please let me know.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am