|
|
|
sysprotect help
|
|
|
catebooth
Newbie
|
8. June 2007 @ 19:14 |
Link to this message
|
I'm receiving a ton of pop-ups which I now know is in relation to this ad-ware/trojan-type thing. Anyway I know I have to post my hijack log for someone to look at...so here it is and any help at this point would be greatly appreciated. I have trend micro pc-illian and webroot spyware, but I do know that I haven't updated my JAVA. Thanks again for any help as to which files to delete....
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:05:13 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\Catie.CATE\Desktop\HiJackThis_v2.0.0.0.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{13-30-0E-E7-ZN}] "C:\windows\system32\mmdsregs.exe" CHD003
O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files...ntrol_en_US.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1172435746921
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: wvuusst - C:\WINDOWS\SYSTEM32\wvuusst.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 9572 bytes
|
|
Advertisement
|
|
|
|
|
bluecoal
Suspended due to non-functional email address
|
9. June 2007 @ 13:24 |
Link to this message
|
Hi catebooth
**)Please download vundofix to your desktop
http://www.atribune.org/content/view/24/2/
**) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop for later use.
**)Get a program called pocket killbox. You can find a download link for it here: http://forum.malwareremoval.com/viewtopic.php?t=320
After you download the file, also look over the instructions for deleting a file on reboot.
**) Temporarily disable spysweeper protection in case it interferes with fix efforts. You can scroll down this for instructions:
http://wiki.castlecops.com/Malware_Remov...toring_Programs
You can reenable these protections when you are done with the fixes.
**) We need to temporarily have hidden files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You can reverse these steps after the system is cleaned up.
**) Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
**) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Select the first 3 temp file lines.
Select the temporary internet files line.
Select the prefetch files line.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
**) Please run the ewido/AVG online scan:
http://www.ewido.net/en/onlinescan/
**) Open HijackThis and choose "Do a system scan only" then check the box in front of any of these line items that remain:
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll
O4 - HKLM\..\Run: [{13-30-0E-E7-ZN}] "C:\windows\system32\mmdsregs.exe" CHD003
O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files...ntrol_en_US.cab
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: wvuusst - C:\WINDOWS\SYSTEM32\wvuusst.dll
Close all programs but HjT and all browser windows, then click on "Fix Checked"
**) Use the malware removal guide instructions for deleting a file on reboot.
delete this file:
C:\WINDOWS\system32\uyirivdn.dll
Post the Vundofix report, the ewido report, and a new HjT log.
Thanks.
bc
This message has been edited since posting. Last time this message was edited on 11. June 2007 @ 09:11
|
|
catebooth
Newbie
|
11. June 2007 @ 16:48 |
Link to this message
|
Thanks so much for your help bluecoal...my computer seems to be working better already. Here are my logs, let me know what you think. I think I should update my JAVA too, right?
Thanks Again!
cate
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:39:47 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Catie.CATE\Desktop\HiJackThis_v2.0.0.0.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\fchyvbyj.dll (file missing)
O2 - BHO: (no name) - {F7BEAE86-0AD2-403C-9BC8-CD10228F617D} - C:\WINDOWS\system32\vtsts.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1172435746921
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8990 bytes
Ewido:
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Catie.CATE\Cookies\catie@doubleclick[1].txt
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Catie.CATE\Cookies\catie@msnportal.112.2o7[1].txt
Risk: Medium
Name: Adware.RogueSuspect
Path: HKU\S-1-5-21-2938156765-3586929490-3717373965-1005\Software\WinAntiVirus Pro 2007
Risk: Medium
Name: Adware.RogueSuspect
Path: HKU\S-1-5-21-2938156765-3586929490-3717373965-1005\Software\WinAntiVirus Pro 2007\Settings
Risk: Medium
Name: Not-A-Virus.Downloader.Win32.DigStream
Path: C:\Program Files\DIGStream\digstream.exe
Risk: Low
Name: Not-A-Virus.Downloader.Win32.WinFixer.x
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057624.exe
Risk: Low
Name: Adware.Companion
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057671.dll
Risk: Medium
Name: Adware.SystemDoctor
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057673.exe
Risk: Medium
Name: Not-A-Virus.Downloader.Win32.WinFixer.o
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057677.exe
Risk: Low
Name: Adware.Virtumonde
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061468.dll
Risk: Medium
Name: Adware.Virtumonde
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061471.dll
Risk: Medium
Name: Adware.Virtumonde
Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061473.dll
Risk: Medium
Name: Adware.Virtumonde
Path: C:\VundoFix Backups\cbxxuvs.dll.bad
Risk: Medium
Name: Adware.Virtumonde
Path: C:\VundoFix Backups\opnmjhg.dll.bad
Risk: Medium
Name: Adware.Virtumonde
Path: C:\VundoFix Backups\tuvvwwu.dll.bad
Risk: Medium
Name: Adware.ZenoSearch
Path: C:\WINDOWS\system32\nwinnndt.exe
Risk: Medium
Name: Downloader.VB.awj
Path: C:\WINDOWS\system32\T1QaSQ\T1QaSQ1065.exe
Risk: High
Vundofix:
VundoFix V6.5.0
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 6:31:54 PM 6/11/2007
Listing files found while scanning....
C:\windows\system32\cbxxuvs.dll
C:\windows\system32\fchyvbyj.dll
C:\windows\system32\ndviriyu.ini
C:\windows\system32\opnmjhg.dll
C:\windows\system32\ststv.bak1
C:\windows\system32\ststv.bak2
C:\windows\system32\ststv.ini
C:\windows\system32\ststv.ini2
C:\windows\system32\ststv.tmp
C:\windows\system32\tuvvwwu.dll
C:\windows\system32\uyirivdn.dll
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\wbwdmdae.dll
Beginning removal...
Attempting to delete C:\windows\system32\cbxxuvs.dll
C:\windows\system32\cbxxuvs.dll Has been deleted!
Attempting to delete C:\windows\system32\fchyvbyj.dll
C:\windows\system32\fchyvbyj.dll Has been deleted!
Attempting to delete C:\windows\system32\ndviriyu.ini
C:\windows\system32\ndviriyu.ini Has been deleted!
Attempting to delete C:\windows\system32\opnmjhg.dll
C:\windows\system32\opnmjhg.dll Has been deleted!
Attempting to delete C:\windows\system32\ststv.bak1
C:\windows\system32\ststv.bak1 Has been deleted!
Attempting to delete C:\windows\system32\ststv.bak2
C:\windows\system32\ststv.bak2 Has been deleted!
Attempting to delete C:\windows\system32\ststv.ini
C:\windows\system32\ststv.ini Has been deleted!
Attempting to delete C:\windows\system32\ststv.ini2
C:\windows\system32\ststv.ini2 Has been deleted!
Attempting to delete C:\windows\system32\ststv.tmp
C:\windows\system32\ststv.tmp Has been deleted!
Attempting to delete C:\windows\system32\tuvvwwu.dll
C:\windows\system32\tuvvwwu.dll Has been deleted!
Attempting to delete C:\windows\system32\uyirivdn.dll
C:\windows\system32\uyirivdn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vtsts.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wbwdmdae.dll
C:\WINDOWS\system32\wbwdmdae.dll Has been deleted!
Performing Repairs to the registry.
Done!
|
|
bluecoal
Suspended due to non-functional email address
|
12. June 2007 @ 07:26 |
Link to this message
|
There is still one file hanging on.
**) Please rename HijackThis.exe to catebooth.exe (or other name of your choice). Some problems are able to hide from HijackThis, and I would like to eliminate that as a consideration here.
**) Start vundofix.
Right click on the white space in the middle of the screen.
Click the add more file button.
Paste this path into the top line:
C:\WINDOWS\system32\aahicjdu.dll
Then click add files and close that window.
Then click the remove vundo button.
Let the program run and restart however many times it needs to.
**) Let the renamed HijackThis fix these lines:
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\fchyvbyj.dll (file missing)
O2 - BHO: (no name) - {F7BEAE86-0AD2-403C-9BC8-CD10228F617D} - C:\WINDOWS\system32\vtsts.dll (file missing)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset
O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing)
**) Check your add remove programs for this:
WinAntiVirus Pro 2007
and remove if present.
**) Did you have the ewido scan fix things? If not, you can run it again and have it fix the things it finds, except you can uncheck this one:
Name: Not-A-Virus.Downloader.Win32.DigStream
Path: C:\Program Files\DIGStream\digstream.exe
Risk: Low
**) As an additional check on things, please run this scanner:
http://www.kaspersky.com/virusscanner
It does not have an option to fix anything, it will just give a report.
It will probably show infected files in vundo backups and system restore files. Those are not a problem because they can be deleted later. We are looking for other infected files.
**) Please post the vundofix log, the Kaspersky scan log, and the new HijackThis log.
**) Yes you can update your java and uninstall the old versions.
bc
|
|
catebooth
Newbie
|
13. June 2007 @ 17:27 |
Link to this message
|
Okay, I did everything you said but had a problem with the vundofix...after doing what you said and the computer started I would get a message stating that there was an "error loading C:\WINDOWS\system32\aahicjdu.dll"
There was no WinAntiVirus Pro, it had been on my desk top previously, but I removed it. I did originally have the ewido scan fix things, so I didn't run it again.
The virtumonde continues to be picked up by my spysweeper.
I did download the latest JAVA.
Here's my logs....
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:42:38 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Catie.CATE\Desktop\catebooth.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1172435746921
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8872 bytes
Wednesday, June 13, 2007 9:08:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 324606
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 15529
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:10:56
Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90165157-7B44-49F0-922B-68099634D5A5}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr414.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr430.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr432.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr434.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr436.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr438.tmp Object is locked skipped
Scan process completed.
C:\windows\system32\opnmjhg.dll
C:\windows\system32\ststv.bak1
C:\windows\system32\ststv.bak2
C:\windows\system32\ststv.ini
C:\windows\system32\ststv.ini2
C:\windows\system32\ststv.tmp
C:\windows\system32\tuvvwwu.dll
C:\windows\system32\uyirivdn.dll
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\wbwdmdae.dll
Beginning removal...
Attempting to delete C:\windows\system32\cbxxuvs.dll
C:\windows\system32\cbxxuvs.dll Has been deleted!
Attempting to delete C:\windows\system32\fchyvbyj.dll
C:\windows\system32\fchyvbyj.dll Has been deleted!
Attempting to delete C:\windows\system32\ndviriyu.ini
C:\windows\system32\ndviriyu.ini Has been deleted!
Attempting to delete C:\windows\system32\opnmjhg.dll
C:\windows\system32\opnmjhg.dll Has been deleted!
Attempting to delete C:\windows\system32\ststv.bak1
C:\windows\system32\ststv.bak1 Has been deleted!
Attempting to delete C:\windows\system32\ststv.bak2
C:\windows\system32\ststv.bak2 Has been deleted!
Attempting to delete C:\windows\system32\ststv.ini
C:\windows\system32\ststv.ini Has been deleted!
Attempting to delete C:\windows\system32\ststv.ini2
C:\windows\system32\ststv.ini2 Has been deleted!
Attempting to delete C:\windows\system32\ststv.tmp
C:\windows\system32\ststv.tmp Has been deleted!
Attempting to delete C:\windows\system32\tuvvwwu.dll
C:\windows\system32\tuvvwwu.dll Has been deleted!
Attempting to delete C:\windows\system32\uyirivdn.dll
C:\windows\system32\uyirivdn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vtsts.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wbwdmdae.dll
C:\WINDOWS\system32\wbwdmdae.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\aahicjdu.dll
C:\WINDOWS\system32\aahicjdu.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 9:18:52 PM 6/13/2007
Listing files found while scanning....
No infected files were found.
|
|
bluecoal
Suspended due to non-functional email address
|
14. June 2007 @ 06:29 |
Link to this message
|
My!
I have been looking at vundo logs to prepare myself for the next answers to you. Your response was unexpected because it describes situations which I have not seen in other logs/threads. I do not know exactly what to do next. Questions to help in understanding the situation.
**) Okay, I did everything you said but had a problem with the vundofix...after doing what you said and the computer started I would get a message stating that there was an "error loading C:\WINDOWS\system32\aahicjdu.dll"
This is not a problem with the vundofix.
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset
That line in the previous HjT log associates the file with virtumonde.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\aahicjdu.dll
C:\WINDOWS\system32\aahicjdu.dll Has been deleted!
Performing Repairs to the registry.
Done!
That portion of the vundofix log indicates that the file has been deleted. The error loading message would indicate that something was still trying to call/load the dll file. Did the error message just happen one time, or does it continue to happen (ie if you shut down your computer now and then restarted it, does it give you that same message about being unable to load the dll file)?
**)
There was no WinAntiVirus Pro, it had been on my desk top previously, but I removed it. I did originally have the ewido scan fix things, so I didn't run it again.
Good.
**)
I did download the latest JAVA.
VundoFix V6.5.0
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 9:18:52 PM 6/13/2007
Listing files found while scanning....
No infected files were found.
This last section from the vundofix log indicates there are also still old versions of Java on the system.
Please go to your add/remove programs and look for items with Java Runtime Environment (JRE or J2SE) in the name. Remove the ones related to these two versions: Java version is 1.4.2.3; Java version is 1.5.0.3.
**)
The virtumonde continues to be picked up by my spysweeper.
This creates conflicting information which I do not know how to resolve. The HijackThis log appears to be clean. Vundofix is not finding any new issues. Kaspersky is not finding any vundo files. As I think about that, I am not sure what is going on there, because in previous logs I have worked, Kaspersky would flag the files in the C:\vundofix backup folder until they were deleted.
Did you rehide system and protected files?
Had you reenabled spysweeper protection when the last vundofix was run?
Do the spysweeper error messages give you specific file names and/or file locations that we can work with?
If spysweeper is seeing infected files that have already been cleaned in the vundofix backup folder or system restore, they are not a problem, because those files can be removed in final cleanup steps. If it is detecting files in Trend Micro?s quarantine folder, the same thing applies, they are cleaned files and can be deleted from the quarantine folder to make the error messages stop. If they are somewhere else, I need some name/location information to try to help you get them off the system.
bc
|
|
catebooth
Newbie
|
17. June 2007 @ 17:45 |
Link to this message
|
|
Sorry, my internet connection has been down...here's the latest I'm getting from my anti-virus, but nothing on spysweeper! What do you think?
Real-time Scan
Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.
Infected file: C:\vundofix backups\uyirivdn.dll.bad
Virus name: TROJ_VUNDO.ATO
User name: Catie
Scan action result: Quarantined.
Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.
Real-time Scan
Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.
Infected file: C:\vundofix backups\wbwdmdae.dll.bad
Virus name: TROJ_VUNDO.AE
User name: Catie
Scan action result: Quarantined.
Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.
Wednesday, June 13, 2007 9:08:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 324606
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 15529
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:10:56
Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90165157-7B44-49F0-922B-68099634D5A5}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr414.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr430.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr432.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr434.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr436.tmp Object is locked skipped
C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr438.tmp Object is locked skipped
Scan process completed.
|
|
bluecoal
Suspended due to non-functional email address
|
24. June 2007 @ 18:38 |
Link to this message
|
|
Hi,
Looks to me like the place it is finding things is in the c:\vundofix backup folder. You can delete the contents of that folder now.
|
|
catebooth
Newbie
|
25. June 2007 @ 09:58 |
Link to this message
|
|
Thanks, it seems to be working like it's old self again!
Thanks again for all of you help :-)
|
|
Advertisement
|
|
|
|
bluecoal
Suspended due to non-functional email address
|
26. June 2007 @ 05:37 |
Link to this message
|
|
|
|
