Malware Removal Instructions

re ask, seek, knock


Unread post by arworthington » September 20th, 2005, 6:08 pm

Winfixer, winantispyware, vipfares and morwillsearch - what a mess I'm in! Tried spybot, ad-aware and MS antispyware; but now need a more effective solution to these pests. Thanks.

Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 23:05:50, on 20/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Capture Express\capexp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\All Users\Documents\Downloaded files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {139FAF5F-7400-4DA9-8193-878A0BA82EED} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {13A38792-3CB4-406F-888A-636D33100DD5} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {18F073F2-4E64-4A54-9A3C-D4E97D545596} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {365C62AE-2803-4429-A5D0-BA99A8A54B57} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {4B54C1A8-11DB-4181-BFC3-E4C5B6E81CD7} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {5414AB0D-5330-4E6B-83D5-977D6EEF10C9} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {7D188E4E-C1C7-44A3-9BF8-7AA727B4D880} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {806B3C0A-A803-4322-807F-C4753BC4B9D1} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {811FBBAB-D02F-4955-946B-53C5312A0982} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {A53F9753-CEFB-4EB3-BE0A-F25462AE09D8} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B6851CE7-326F-428F-9862-6C931C19EA9B} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {BB70E9B9-8BAE-4982-A44E-A9ABA29744B2} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {C3043CEC-B93A-4D22-BBE8-E3FA1C2DF5B1} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {CB0D4E9A-23CF-4DC5-8C82-C93E95FF3A2F} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {CFF1CAAD-CFF0-44CF-8B97-BFEA77934426} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {D4BC90BE-E69F-4C49-B712-6FB9F2D4673F} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {E4E7AFBD-0439-4EF8-A2F6-F9E0DC70356C} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {F78C8770-B052-434C-AE4E-C7B1C6EB22B2} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {FB14B437-35CD-4624-974E-BF1CBC2D463C} - C:\WINDOWS\system32\siqwadeq.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: Capture Express.lnk = C:\Program Files\Capture Express\capexp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6973647335
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinkt ... adCtrl.cab
O20 - Winlogon Notify: avw2 - c:\windows\system32\avw2.dll
O20 - Winlogon Notify: unjava - C:\WINDOWS\system\COLOR\unjava.dll
O23 - Service: CWShredder Service - Unknown owner - C:\unzipped\CWShredder\CWShredder.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
arworthington
Active Member
 
Posts: 5
Joined: September 20th, 2005, 5:55 pm

Unread post by NikkJ » September 21st, 2005, 6:44 am

Hi arworthington

There are some items in your HJT log that need attention
    Please read these instructions carefully. You may wish to print them out for reference.
    If you do not understand ANYTHING please ask for clarification before starting.
    Do not run any other programs while you carry out this fix.

    Let each process run to completion before starting the next
    Please download the following programs:
    Note: don't run them yet! There is an order we need to follow
      • Download CCleaner and install, but do not run it yet.

      • Please download, install and update Ewido trojan scanner:
        • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
        • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
        • From the main Ewido screen, click on update in the left menu, then click the Start update button.
        • After the update finishes (the status bar at the bottom will display "Update successful") close Ewido. You will run it later during the cleanup process.

      • Please set your system to show all files
        • Click Start.
        • Open My Computer
        • Select Tools menu
        • Click Folder Options.
        • Select the View Tab.
        • Select Show hidden files and folders in the Hidden files and folders section.
        • Uncheck Hide protected operating system files (recommended) option.
        • Uncheck the Hide file extensions for known file types option.
        • Click Yes.
        • Click OK.
      • Run HiJackThis and do a Scan Only. Put a check in box on each of these lines:

        F3 - REG:win.ini: run=
        O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {139FAF5F-7400-4DA9-8193-878A0BA82EED} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {13A38792-3CB4-406F-888A-636D33100DD5} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {18F073F2-4E64-4A54-9A3C-D4E97D545596} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {365C62AE-2803-4429-A5D0-BA99A8A54B57} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {4B54C1A8-11DB-4181-BFC3-E4C5B6E81CD7} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {5414AB0D-5330-4E6B-83D5-977D6EEF10C9} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {7D188E4E-C1C7-44A3-9BF8-7AA727B4D880} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {806B3C0A-A803-4322-807F-C4753BC4B9D1} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {811FBBAB-D02F-4955-946B-53C5312A0982} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {A53F9753-CEFB-4EB3-BE0A-F25462AE09D8} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B6851CE7-326F-428F-9862-6C931C19EA9B} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {BB70E9B9-8BAE-4982-A44E-A9ABA29744B2} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {C3043CEC-B93A-4D22-BBE8-E3FA1C2DF5B1} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {CB0D4E9A-23CF-4DC5-8C82-C93E95FF3A2F} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {CFF1CAAD-CFF0-44CF-8B97-BFEA77934426} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {D4BC90BE-E69F-4C49-B712-6FB9F2D4673F} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {E4E7AFBD-0439-4EF8-A2F6-F9E0DC70356C} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {F78C8770-B052-434C-AE4E-C7B1C6EB22B2} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {FB14B437-35CD-4624-974E-BF1CBC2D463C} - C:\WINDOWS\system32\siqwadeq.dll
        O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
        O15 - Trusted Zone: *.coolwebsearch.com
        O15 - Trusted Zone: *.searchmeup.com


        Close all other open windows and Click on Fix Checked and then exit HijackThis.
      • Reboot into Safe Mode

        • To start Windows XP in Safe mode
        • Restart the computer.
        • Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
        • As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
        • If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
        • Using the arrow keys on the keyboard, select Safe mode and hit enter.

        Using Windows Explorer, locate the following files/folders, and delete them:

        C:\WINDOWS\system32\siqwadeq.dll
        C:\WINDOWS\system32\qedawqis.dll
        C:\WINDOWS\system\COLOR\unjava.dll

        Exit Explorer
      • Please run Ewido, and run a full scan. Save the logfile from the scan
      • Post the results back here

    Now, run CCleaner.
    • Uncheck "Cookies" under "Internet Explorer".
    • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.


    Post back a fresh HijackThis log and the ewido log so that we can take look at them.

    Nick
    NikkJ
    MRU Honors Grad Emeritus
     
    Posts: 413
    Joined: June 16th, 2005, 12:26 pm
    Location: London
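The selection NikkJ made from the log above can be reproduced mechanically. The script below is an added example written for this page; it is not a tool from MalwareRemoval.com and not part of HijackThis. It parses a constructed subset of the posted log (HijackThis v1.99.1 line format) and flags entries on the heuristics the thread itself relies on: a BHO whose only "name" is its file path, one DLL registered under many CLSIDs, DLLs loading from unusual directories, Trusted Zone additions, and Winlogon Notify DLLs that are not part of Windows. The allowlist of default Winlogon Notify DLLs is an assumption and deliberately short, so a hit there means "look closer", not "malicious".

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 format: a subset of the lines from
# the first log posted in this thread, not the complete log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {139FAF5F-7400-4DA9-8193-878A0BA82EED} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {13A38792-3CB4-406F-888A-636D33100DD5} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {18F073F2-4E64-4A54-9A3C-D4E97D545596} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O15 - Trusted Zone: *.coolwebsearch.com
O20 - Winlogon Notify: avw2 - c:\windows\system32\avw2.dll
O20 - Winlogon Notify: unjava - C:\WINDOWS\system\COLOR\unjava.dll
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
MISSING = " (file missing)"

# Winlogon Notify DLLs that ship with Windows XP. ASSUMPTION: this allowlist is
# incomplete; an entry not on it deserves a second look, nothing more.
DEFAULT_NOTIFY_DLLS = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll"}


def _strip_missing(path):
    """Split 'C:\\x.dll (file missing)' into ('C:\\x.dll', True)."""
    if path.endswith(MISSING):
        return path[:-len(MISSING)], True
    return path, False


def _dll_dir_is_usual(path):
    """BHOs and notify DLLs normally live in system32 or under Program Files."""
    d = path.lower()
    return any(s in d for s in ("\\system32\\", "\\program files\\", "\\progra~1\\"))


def triage(log_text):
    """Return [(line, [reasons])] for every log line that trips a heuristic."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: count how many CLSIDs point at each BHO DLL (Vundo registers dozens).
    clsids_per_dll = defaultdict(set)
    for line in lines:
        m = BHO_RE.match(line)
        if m:
            path, _ = _strip_missing(m["path"])
            if path != "(no file)":
                clsids_per_dll[path.lower()].add(m["clsid"])
    # Pass 2: per-line checks.
    findings = []
    for line in lines:
        reasons = []
        m = BHO_RE.match(line)
        if m:
            name = m["name"]
            path, missing = _strip_missing(m["path"])
            if path == "(no file)":
                reasons.append("orphaned BHO CLSID with no file behind it")
            else:
                if DRIVE_PATH_RE.match(name):
                    reasons.append("BHO registered without a friendly name, only its path")
                n = len(clsids_per_dll[path.lower()])
                if n >= 3:
                    reasons.append(f"same DLL registered under {n} CLSIDs")
                if not _dll_dir_is_usual(path):
                    reasons.append("BHO DLL outside system32 / Program Files")
                if missing:
                    reasons.append("CLSID still registered but the DLL is gone")
        m = NOTIFY_RE.match(line)
        if m:
            dll = m["path"].lower().rsplit("\\", 1)[-1]
            if dll not in DEFAULT_NOTIFY_DLLS:
                reasons.append("non-default Winlogon Notify DLL (loads at every logon)")
            if not _dll_dir_is_usual(m["path"]):
                reasons.append("Winlogon Notify DLL outside system32")
        if line.startswith("O15 - Trusted Zone:"):
            reasons.append("site added to IE Trusted Zone (relaxed security for that site)")
        if reasons:
            findings.append((line, reasons))
    return findings


def flagged_lines(log_text):
    """Just the lines triage() flagged, in log order."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, the script flags the all-zero orphan CLSID, the three siqwadeq.dll BHOs (no friendly name, one DLL under three CLSIDs), the unjava.dll BHO (loaded from C:\WINDOWS\system\COLOR), the Trusted Zone entry and both Winlogon Notify lines, while leaving Spybot's SDHelper.dll and the NeroCheck Run entry alone. Fed the second log from later in the thread, the "(file missing)" branch reports that the CLSIDs were re-registered even though the DLL itself was deleted.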

    Unread post by arworthington » September 26th, 2005, 6:11 pm

    Thanks for your help.

    Completed tasks you identified and posted logs below. Files
    C:\WINDOWS\system32\qedawqis.dll
    C:\WINDOWS\system\COLOR\unjava.dll
    did not exist.

    'Winantispyware' web page appeared when logging onto this site.

    Roger

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 20:19:38, 26/09/2005
    + Report-Checksum: 34942B1C

    + Scan result:

    C:\_RESTORE\ARCHIVE\FS2633.CAB/A0317053.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS2634.CAB/W0460529.CPY -> TrojanDownloader.FunWeb.a : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS2890.CAB/A0340761.CPY -> Spyware.WildTangent : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3078.CAB/W0524929.CPY -> TrojanDownloader.FunWeb.a : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3077.CAB/A0391239.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3077.CAB/A0391244.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3077.CAB/A0391245.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3077.CAB/A0391249.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3786.CAB/A0466951.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3786.CAB/A0466959.CPY -> Spyware.MyWebSearch : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3913.CAB/A0476520.CPY -> Spyware.180Solutions : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3913.CAB/A0476526.CPY -> Spyware.180Solutions : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3913.CAB/A0476529.CPY -> Spyware.180Solutions : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3913.CAB/A0476530.CPY -> Spyware.180Solutions : Cleaned with backup
    C:\_RESTORE\ARCHIVE\FS3913.CAB/A0476534.CPY -> Spyware.180Solutions : Cleaned with backup
    C:\FOUND.004\FILE0090.CHK -> Spyware.Wesbar : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
    C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP97\A0020006.dll -> TrojanDownloader.ConHook.c : Cleaned with backup
    C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP99\A0021536.exe -> Spyware.Trymedia : Cleaned with backup
    C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP99\A0021538.exe -> Spyware.Trymedia : Cleaned with backup
    C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP99\A0021539.exe -> Spyware.Trymedia : Cleaned with backup
    C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP99\A0021540.exe -> Spyware.Trymedia : Cleaned with backup
    C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP99\A0021541.exe -> Spyware.Trymedia : Cleaned with backup


    ::Report End


    Logfile of HijackThis v1.99.1
    Scan saved at 20:24:14, on 26/09/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    C:\Program Files\Capture Express\capexp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\All Users\Documents\Downloaded files\Hijack this\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {3C8BFD71-E671-4832-96E9-E2FC4DEF1B40} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {67390338-B147-43BC-B529-8BE551015FC3} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {6DD8E0F1-7C5F-4E00-8160-878C0FE0808A} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {6E084711-A63B-405B-A271-0F4D5CE3F438} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {A9DA22D4-9359-43AC-BB61-7CCC162B8BE5} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B868E8A3-9A95-4B86-B0CF-BE785017C206} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B905C195-CD1A-4AE9-9842-52270EF0703C} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B9E7B923-702E-4F63-AE41-DEAC1FA543DC} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {BFF136AB-3278-438E-AC62-112981216887} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {C008C2A8-A869-4851-9C1F-36F251DB25A9} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {C965DB4B-3722-491D-8C5F-1E9AA456C338} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {DC12ECC3-B8EE-4359-96F5-A49C6C770E20} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {ECBF8C17-09CA-46AC-912E-2B567D5C9D2D} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {EEA366CB-497D-41DF-8567-D2E8BC4F0AD9} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll
    O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {F258DEFC-07A5-4149-AC97-C2493682DDC4} - C:\WINDOWS\system32\siqwadeq.dll (file missing)
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
    O4 - Global Startup: Capture Express.lnk = C:\Program Files\Capture Express\capexp.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6973647335
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
    O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinkt ... adCtrl.cab
    O20 - Winlogon Notify: avw2 - c:\windows\system32\avw2.dll
    O20 - Winlogon Notify: unjava - C:\WINDOWS\system\COLOR\unjava.dll
    O23 - Service: CWShredder Service - Unknown owner - C:\unzipped\CWShredder\CWShredder.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    arworthington
    Active Member
     
    Posts: 5
    Joined: September 20th, 2005, 5:55 pm
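Where an ewido detection was found matters as much as what it was: paths under C:\_RESTORE and System Volume Information\_restore are System Restore snapshots, Cookies entries are tracking cookies, and FOUND.nnn\*.CHK files are fragments chkdsk recovered, none of which is code that runs at boot. The report above is made entirely of those three kinds, which is why the helper goes back to the HijackThis log rather than treating the scan as a clean bill. The script below is an added example for this page, not ewido's own code or a MalwareRemoval.com tool; it parses a constructed subset of the posted report, with one made-up "live" detection (example-live.dll / Trojan.Constructed.Sample) added so the fourth bucket is exercised.

```python
import re
from collections import Counter

# Constructed sample in the ewido "Scan report" format posted in this thread:
# a subset of the real report's lines plus one invented "live" detection
# (example-live.dll / Trojan.Constructed.Sample) to exercise that branch.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:19:38, 26/09/2005
+ Report-Checksum: 34942B1C

+ Scan result:

C:\_RESTORE\ARCHIVE\FS2633.CAB/A0317053.CPY -> Spyware.MyWebSearch : Cleaned with backup
C:\_RESTORE\ARCHIVE\FS2634.CAB/W0460529.CPY -> TrojanDownloader.FunWeb.a : Cleaned with backup
C:\FOUND.004\FILE0090.CHK -> Spyware.Wesbar : Cleaned with backup
C:\Documents and Settings\Roger\Cookies\roger@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Roger\Cookies\roger@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP97\A0020006.dll -> TrojanDownloader.ConHook.c : Cleaned with backup
C:\WINDOWS\system32\example-live.dll -> Trojan.Constructed.Sample : Cleaned with backup

::Report End
"""

# One detection per line: <path> -> <detection name> : <action taken>
DETECTION_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
CREATED_RE = re.compile(r"^\+ Created on: (?P<when>.+)$")


def classify(path):
    """Bucket a detection by where the file lived; the location decides what it means."""
    p = path.lower()
    if p.startswith("c:\\_restore\\") or "\\system volume information\\_restore" in p:
        return "restore-point copy"     # cached by System Restore, not running
    if "\\cookies\\" in p:
        return "tracking cookie"        # privacy nuisance, not executable code
    if re.match(r"^[a-z]:\\found\.\d+\\", p):
        return "chkdsk fragment"        # orphaned clusters recovered by chkdsk
    return "live file"                  # the only bucket that points at an active infection


def parse_report(text):
    """Return (created_on, [detection dicts]) from an ewido scan report."""
    created_on, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            created_on = m["when"]
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"path": m["path"], "name": m["name"],
                               "action": m["action"], "category": classify(m["path"])})
    return created_on, detections


def summarize(text):
    """Counts per category plus the paths that still need hands-on follow-up."""
    _, detections = parse_report(text)
    counts = Counter(d["category"] for d in detections)
    live = [d["path"] for d in detections if d["category"] == "live file"]
    return counts, live


if __name__ == "__main__":
    created, dets = parse_report(SAMPLE_REPORT)
    counts, live = summarize(SAMPLE_REPORT)
    print(f"report created {created}: {len(dets)} detections")
    for cat, n in counts.most_common():
        print(f"  {n:3d}  {cat}")
    print("live files needing follow-up:", live or "none")
```

On the sample this yields three restore-point copies, two tracking cookies, one chkdsk fragment and the single constructed live file; drop the constructed line and the live list is empty, matching the real report in this post, where every hit was a cached copy or a cookie.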

    Unread post by NikkJ » September 27th, 2005, 7:09 am

    So far so good. :thumbright:

    We need to disable Microsoft AntiSpyware Real-time Protection during this process


    1. Open Microsoft AntiSpyware.
    2. Click Tools
    3. Click Settings.
    4. Click Real-time Protection.
    5. Uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
    6. Uncheck Enable real-time spyware threat protection (recommended).
    7. Click Save
    8. Close Microsoft AntiSpyware.
    9. Right click the Microsoft AntiSpyware icon on the taskbar
    10. Shutdown Microsoft AntiSpyware.

    Don't forget to re-start Microsoft AntiSpyware when your machine is clean and undo the changes above.

    Please print these instructions out for use in Safe Mode.
    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
      VundoFix V2.1 by Atri
      By using VundoFix you agree that you are doing so at your own risk
      This list of forums is provided as an example of where to go to obtain help!!
      http://www.atribune.org/forums
      http://www.247fixes.com/forums
      http://www.geekstogo.com/forum
      http://forums.net-integration.net
      http://castlecops.com/forums.html
      http://www.besttechie.net/forums
      Press enter to continue....

    • At this point press enter one time.
    • Next you will see:
      Type in the filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    • At this point please type the following file path (make sure to enter it exactly as below!):
        C:\WINDOWS\system\COLOR\unjava.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
      Please type in the second filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    • At this point please type the following file path (make sure to enter it exactly as below!):
        C:\WINDOWS\system\COLOR\avajnu.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {3C8BFD71-E671-4832-96E9-E2FC4DEF1B40} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {67390338-B147-43BC-B529-8BE551015FC3} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {6DD8E0F1-7C5F-4E00-8160-878C0FE0808A} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {6E084711-A63B-405B-A271-0F4D5CE3F438} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {A9DA22D4-9359-43AC-BB61-7CCC162B8BE5} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B868E8A3-9A95-4B86-B0CF-BE785017C206} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B905C195-CD1A-4AE9-9842-52270EF0703C} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {B9E7B923-702E-4F63-AE41-DEAC1FA543DC} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {BFF136AB-3278-438E-AC62-112981216887} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {C008C2A8-A869-4851-9C1F-36F251DB25A9} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {C965DB4B-3722-491D-8C5F-1E9AA456C338} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {DC12ECC3-B8EE-4359-96F5-A49C6C770E20} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {ECBF8C17-09CA-46AC-912E-2B567D5C9D2D} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {EEA366CB-497D-41DF-8567-D2E8BC4F0AD9} - C:\WINDOWS\system32\siqwadeq.dll
        O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {F258DEFC-07A5-4149-AC97-C2493682DDC4} - C:\WINDOWS\system32\siqwadeq.dll
        O20 - Winlogon Notify: avw2 - c:\windows\system32\avw2.dll
        O20 - Winlogon Notify: unjava - C:\WINDOWS\system\COLOR\unjava.dll

    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please continue with the instructions below.
      Use Explorer to find and delete:
      c:\windows\system32\avw2.dll
    Download and install CleanUp!
    Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
    Set the program up as follows:
    Click "Options..."
    Move the arrow down to "Custom CleanUp!"
    Put a check next to the following (Make sure nothing else is checked!):

    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    Click OK
    Press the CleanUp! button to start the program.

    It may ask you to reboot at the end, click NO.

    Then, please run this online virus scan: ActiveScan

    Don't forget to re-start Microsoft AntiSpyware.
    NikkJ
    MRU Honors Grad Emeritus
    Posts: 413
    Joined: June 16th, 2005, 12:26 pm
    Location: London

    Unread postby arworthington » September 27th, 2005, 5:48 pm

    Nick,

    Completed second task list. Panda online scan reported nothing.
    Anything else?

    Roger
    arworthington
    Active Member
    Posts: 5
    Joined: September 20th, 2005, 5:55 pm

    Unread postby NikkJ » September 28th, 2005, 2:36 am

    Glad to hear that everything went OK.
    Are you still having any problems with the popups/rogue screens?

    Please post a new HiJackThis log for me to check and also the vundofix.txt file from the vundofix folder, I forgot to ask for them :oops:

    Nick

    Unread postby arworthington » September 28th, 2005, 6:17 pm

    Nick,

    Seems to have stopped pop-ups. Log file from HijackThis and .txt file from VundoFix (hope I got this bit right). I've also included a PC-cillin report and Ewido report in case these are of help.

    Thanks again,

    Roger


    Real-time Scan Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.

    Infected file: C:\System Volume Information\_restore{5BD03CB0-CD91-42AE-8A56-088E78F544B4}\RP105\A0022265.exe
    Virus name: ADW_LOP.AE
    User name: Roger
    Scan action result: Denied Access.
    Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.


    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 23:09:03, 28/09/2005
    + Report-Checksum: B9916E7E

    + Scan result:

    C:\Documents and Settings\Roger\Cookies\roger@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Roger\Cookies\roger@thomascook.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup


    ::Report End


    Logfile of HijackThis v1.99.1
    Scan saved at 22:09:13, on 28/09/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Documents\Downloaded files\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll (file missing)
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6973647335
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
    O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinkt ... adCtrl.cab
    O23 - Service: CWShredder Service - Unknown owner - C:\unzipped\CWShredder\CWShredder.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    VundoFix V2.1
    By Atri

    http://www.atribune.org

    This fix is for 2K and Xp machines only.

    For 9x/ME machine please use dos to remove vundo

    New version Release date September 1, 2005

    2.12 added messaging for the missing process.exe
    2.13 removed forum list

    Unread postby NikkJ » September 29th, 2005, 3:04 am

    Hi, it looks like we're almost there!!

    • Run HijackThis and run a scan only. Place a check against each of the following lines:

      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
      O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll (file missing)

      Close all other open windows and click on Fix Checked when finished and exit HijackThis.
    • Uninstall Ewido and CWShredder using Windows "Add or Remove Programs".
    • Now, run CCleaner.
      • Uncheck "Cookies" under "Internet Explorer".
      • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

    Reboot and post back a fresh HijackThis log and we will take another look.

    Nick

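    The helper's fix lists in this thread pick out three patterns from the HijackThis logs: one oddly named DLL registered under many BHO CLSIDs (the siqwadeq.dll block), O2 entries whose file is already gone ("(no file)" / "(file missing)"), and Winlogon Notify DLLs that load at every logon. As an added example that is not part of this thread or of HijackThis itself, this Python script parses those two line types and applies the same triage heuristics; the sample log is constructed from lines quoted in the thread, and the severity labels and the system32-path check are my own assumptions.

```python
import re
from collections import defaultdict

# The two HijackThis line types this thread's fix lists are built from:
# O2 (Browser Helper Objects) and O20 (Winlogon Notify DLLs).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_entries(log_text):
    """Extract O2/O20 entries from a HijackThis log; every other section is ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"type": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                            "path": m["path"].strip()})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"type": "O20", "name": m["name"], "clsid": None,
                            "path": m["path"].strip()})
    return entries


def triage(entries, min_shared=3):
    """Return (severity, key, reason) findings; severities are assumed labels, not a HijackThis feature."""
    findings = []
    by_dll = defaultdict(list)
    for e in entries:
        low = e["path"].lower()
        if low == "(no file)" or low.endswith("(file missing)"):
            # Registration left behind after the DLL was removed: fix it, but it no longer runs.
            findings.append(("low", e["clsid"] or e["name"], "orphaned entry, file missing"))
        elif e["type"] == "O2":
            by_dll[low].append(e["clsid"])
        else:
            # Winlogon Notify DLLs run inside winlogon.exe; a DLL outside system32 is unusual.
            in_system32 = "\\system32\\" in low
            reason = "Winlogon Notify DLL: " + ("verify publisher" if in_system32
                                                else "non-standard path " + e["path"])
            findings.append(("medium" if in_system32 else "high", e["name"], reason))
    # Vundo-style pattern: many CLSIDs all pointing at one DLL.
    for dll, clsids in by_dll.items():
        if len(clsids) >= min_shared:
            findings.append(("high", dll, f"{len(clsids)} BHO CLSIDs share one DLL"))
    return findings


# Constructed sample: a few lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {3C8BFD71-E671-4832-96E9-E2FC4DEF1B40} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {67390338-B147-43BC-B529-8BE551015FC3} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: C:\WINDOWS\system32\siqwadeq.dll - {6DD8E0F1-7C5F-4E00-8160-878C0FE0808A} - C:\WINDOWS\system32\siqwadeq.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {F1F0CABC-8644-4D74-99BF-ABF6DD646859} - C:\WINDOWS\system\COLOR\unjava.dll (file missing)
O20 - Winlogon Notify: avw2 - c:\windows\system32\avw2.dll
O20 - Winlogon Notify: unjava - C:\WINDOWS\system\COLOR\unjava.dll
"""

if __name__ == "__main__":
    for severity, key, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"[{severity:6}] {key}: {reason}")
```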
    Unread postby arworthington » September 29th, 2005, 4:42 pm

    Thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 21:28:35, on 29/09/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\All Users\Documents\Downloaded files\Hijack this\HijackThis.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6973647335
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
    O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinkt ... adCtrl.cab
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    Unread postby NikkJ » September 29th, 2005, 5:16 pm

    Hi there arworthington :hello2:

    Your log looks clean now.

    Here is my standard information in this situation. Please read it and use the parts that apply to you (although I think you have it all covered ;) ) :-


    You can read more in this useful article: How I got Infected in the First Place.


    Good luck

    Nick

    Unread postby NonSuch » October 13th, 2005, 7:32 am

    Glad we could be of assistance.

    This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

    You can help support this site from this link :
    Donations For Malware Removal

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
    NonSuch
    Administrator
    Posts: 28747
    Joined: February 23rd, 2005, 7:08 am
    Location: California