Thread: My Computer Slows Down after 15 Minutes

#1 - Junior Member - Join Date: Dec 2007 - Posts: 14

    My Computer Slows Down after 15 Minutes

    As said in the title, my computer seems to slow down a lot after about 15 minutes of activity.

    I currently have Ad-Aware, ZoneAlarm, AVG Free Edition, Spybot - Search & Destroy, VirusScan On-Access Scan (which I believe is McAfee), CWShredder, and VundoFix.

    I have tried scanning my computer in safe mode to delete all of the viruses, but for some reason they keep coming back. From looking at the logfile, is there anything that you guys can tell is slowing down my computer?

    Here is a list of the viruses that were located by the scanners: Trojan Horse Backdoor.Hupigon3.MRB in C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll and in C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-6411926161F211}\RP1\A0000153.dll, a Vundo that put itself into C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW (could not be deleted), and a Vundo that put itself into C:\windows\system32\ljjjihh.dll (also could not be deleted). I manually deleted the 2 Vundo files, but I feel like they are still around.

    Here is the Kaspersky Scan:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, December 02, 2007 3:03:12 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/12/2007
    Kaspersky Anti-Virus database records: 470122
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 68554
    Number of viruses found: 3
    Number of infected objects: 10
    Number of suspicious objects: 0
    Duration of the scan process: 05:24:58

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_D6GBP9B1.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_D6GBP9B1.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\AuthPkg.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\biolsp.txt Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\6.0\20\1b0842d4-17651d3e/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\6.0\20\1b0842d4-17651d3e ZIP: infected - 1 skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-17424a57/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-17424a57 ZIP: infected - 1 skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4a5d57d0-5cd4b894.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4a5d57d0-5cd4b894.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4ef9c0ab.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Phillip\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4ef9c0ab.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Phillip\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Phillip\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Phillip\Local Settings\History\History.IE5\MSHist012007120120071202\index.dat Object is locked skipped
    C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Phillip\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Phillip\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll Object is locked skipped
    C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\D6GBP9B1.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\ZLT01245.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT06abb.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

#2 - Junior Member - Join Date: Dec 2007 - Posts: 14

    Here is the HiJack This log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:14:40 AM, on 12/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINDOWS\system32\ljjjihh.dll (file missing)
    O2 - BHO: (no name) - {4863778A-AF30-4C26-ADE5-688A113D06B6} - C:\WINDOWS\system32\ddayy.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.16\ilikesidebar.exe /checkforupdate
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingB9671] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted_old" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingB5574] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted_old" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingD2414] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted_old" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SpybotDeletingB9671] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted_old" (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - https://vistaweb.cc.nd.edu/webct/images/org_page.gif

    --
    End of file - 11123 bytes

    Thanks guys.

#3 - pskelley (In Memoriam - Always in our heart) - Join Date: Oct 2005 - Location: Clearwater, Florida - Posts: 20,247

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I am not 100% sure what is going on here. It looks like a Vundo infection, and I cannot tell if it is gone or not. I can tell you this if you want help: a Vundo infection can be very hard to remove. This will take some time, and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully. The junk will download more, so keep your computer offline except when troubleshooting.


    1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html
    http://www.smartcomputing.com/editor...8s07/38s07.asp

    C:\Program Files\Network Associates\VirusScan\
    C:\PROGRA~1\Grisoft\AVG7\

    Uninstall one of those before you post the next HJT log.

    2) C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
    http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
    http://www.spywareinfo.com/newslette....php#viewpoint
    http://www.clickz.com/news/article.php/3561546

    3) You are running System Configuration Utility (MSConfig) in Selective Startup mode and I have no idea if malware is turned off. Return it to Normal mode.

    Post a new HJT log, describe your symptoms and tell me about any error messages you receive "word for word"

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
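The three points in the reply above (two antivirus products running side by side, orphaned add-on registrations left behind after the Vundo DLL was deleted by hand, and MSConfig still in Selective Startup) can all be read straight out of the HijackThis log. The script below is an added example, not code from the thread or from Trend Micro HijackThis, that applies those checks to a handful of log lines copied from the posts above. The finding categories, the `AV_VENDORS` table (which lists only the vendor strings that appear in this thread's logs) and the function names are assumptions of this example.

```python
"""Triage a HijackThis (HJT) log for the indicators raised in the thread.

Added example: not HijackThis's own code and not part of the forum posts.
The rules and labels below are assumptions; the sample lines are copied
from the logs posted in this thread.
"""
import re
from collections import defaultdict

# Every HJT entry starts with a section tag such as R1, O2, O4, O23.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Vendor strings exactly as HijackThis prints them in O23 "Service:" lines.
# Assumption: only the two AV vendors visible in this thread's logs are mapped.
AV_VENDORS = {
    "GRISOFT, s.r.o.": "AVG",
    "Network Associates, Inc.": "McAfee VirusScan",
}

# HJT appends these markers when the registry points at a file that is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Constructed sample input: a subset of the lines from the HJT logs above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINDOWS\system32\ljjjihh.dll (file missing)
O2 - BHO: (no name) - {4863778A-AF30-4C26-ADE5-688A113D06B6} - C:\WINDOWS\system32\ddayy.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Apply the thread's three observations and return findings keyed by category."""
    findings = defaultdict(list)
    av_seen = set()
    for section, body in parse_hjt(text):
        if section in ("O2", "O3") and body.endswith(ORPHAN_MARKERS):
            # A BHO/toolbar CLSID still registered although its DLL is gone:
            # the leftover the thread shows after ljjjihh.dll was deleted by hand.
            findings["orphaned_browser_addon"].append(body)
        elif section == "O4" and "[MSConfig]" in body:
            # MSConfig re-launching itself at logon means Selective Startup is on,
            # so some startup items (malware included) may simply be switched off.
            findings["selective_startup"].append(body)
        elif section == "O23":
            # "Service: <name> - <vendor> - <path>": the vendor field tells us
            # which products own the services.
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3 and parts[1] in AV_VENDORS:
                av_seen.add(AV_VENDORS[parts[1]])
    if len(av_seen) > 1:
        # Two resident scanners at once is the first point in the reply above.
        findings["multiple_antivirus"] = sorted(av_seen)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

Running it on the sample prints the two orphaned BHOs plus the orphaned toolbar, the MSConfig Run entry, and the pair of antivirus products; a log with only ordinary entries yields an empty result. The orphan check deliberately matches on the marker HijackThis itself appends rather than on the DLL name, so it still works on a fresh log after the next round of clean-up.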

#4 - Junior Member - Join Date: Dec 2007 - Posts: 14

    Here is the new log (without the internet running, not sure if that makes a difference):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:39:01 AM, on 12/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINDOWS\system32\ljjjihh.dll (file missing)
    O2 - BHO: (no name) - {4863778A-AF30-4C26-ADE5-688A113D06B6} - C:\WINDOWS\system32\ddayy.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.16\ilikesidebar.exe /checkforupdate
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingB9671] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted_old" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingB5574] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted_old" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingD2414] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted_old" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SpybotDeletingB9671] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted_old" (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - https://vistaweb.cc.nd.edu/webct/images/org_page.gif

    --
    End of file - 9879 bytes

    I noticed in that logfile that dday.dll and ljjjihh.dll are listed as processes. I deleted the files a week or 2 ago, so I am assuming they are no longer threats.

    One thing I noticed was that before I uninstalled and removed all viewpoint folders, there were spyware files named delb.tmp, delc.tmp, and deld.tmp. After the uninstallation, they seemed to be gone, but I am not certain.

    Still, the AVG scanner is picking up Wab64.dll in C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll. I looked in the "Speech" folder, but it doesn't seem to be present.

I was told by someone to disable system restore in order to remove the vundo about 2 weeks ago and to try to remove the vundo using "Vundofix." So, it has been disabled, and as mentioned earlier, the system restore files have been infected by the same backdoor virus "Trojan Horse Backdoor.Hupigon3.MRB" at C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-6411926161F211}\RP1\A0000153.dll. I was wondering if I should enable it again.

    Thanks again.

  5. #5 Junior Member

    Also, with the internet off, the computer usage is no longer peaking at 100%; it is now around 3-22% with the "Disk Defragmenter" running.

  6. #6 pskelley (In Memoriam - Always in our heart), Clearwater, Florida

    Thanks for the feedback. I will comment, but first I want to point out that I told you this would not be easy; be patient, it will take some time. Besides that, if you will take the time to read and follow all directions carefully, we will do well.

    1) The junk morphs and recreates itself, once we kill the source, that will stop.

    2) Viewpoint is junk and a resource waster but has nothing to do with this infection.

    3) "AVG scanner" means you must have chosen free AVG; I run it myself. Good that it is finding the junk, which means it is working. Some junk turns off your AV.

    4) Unlikely, but in a major emergency, System Restore might be needed, and a bad backup is better than none, so do not turn it off.
    When you turned it off, all System Restore files were purged; the files will be clean when you turn it on.

    5) Because the junk downloads more, stay off the internet except when you are troubleshooting.

    6) If you have either of these tools on the computer, delete them and download them new from the links I provide.

    7) Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click
    the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    (wait until you finish to post reports and logs)

    8) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the Vundofix.txt, combofix log and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7 Junior Member

    ComboFix 07-12-02.7 - Phillip 2007-12-06 22:35:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.538 [GMT -5:00]
    Running from: C:\Documents and Settings\Phillip\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
    .

    2007-12-01 21:04 . 2007-12-01 21:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-01 21:04 . 2007-12-01 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-30 22:10 . 2007-11-30 22:10 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2007-11-30 20:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-11-29 22:40 . 2007-11-29 22:40 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-29 22:22 . 2007-11-29 22:22 <DIR> d-------- C:\Deckard
    2007-11-29 00:59 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-11-28 13:58 . 2007-11-30 20:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-11-28 13:47 . 2007-12-06 08:02 <DIR> d-------- C:\Documents and Settings\Phillip\Application Data\AVG7
    2007-11-28 13:47 . 2007-11-28 13:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-28 13:46 . 2007-11-28 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-28 13:46 . 2007-11-28 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-28 10:34 . 2007-12-06 22:40 8,554,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-28 10:34 . 2007-12-06 22:39 101,276 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-28 10:31 . 2007-11-28 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-11-28 10:31 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-11-28 10:31 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-11-28 10:31 . 2007-11-28 10:33 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-11-27 12:26 . 2007-11-27 12:26 <DIR> d-------- C:\Program Files\iLike
    2007-11-24 03:38 . 2007-11-24 17:35 702 --ahs---- C:\WINDOWS\system32\yyadd.ini2
    2007-11-24 03:38 . 2007-11-24 17:35 702 --ahs---- C:\WINDOWS\system32\yyadd.ini
    2007-11-23 20:40 . 2007-11-24 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2007-11-23 20:39 . 2007-11-23 20:44 <DIR> d-------- C:\Temp
    2007-11-23 20:02 . 2007-12-06 01:01 <DIR> d-------- C:\VundoFix Backups
    2007-11-23 18:22 . 2007-11-23 18:22 84 --a------ C:\WINDOWS\hw.ini
    2007-11-23 15:06 . 2007-11-24 17:47 <DIR> d-------- C:\quarantine
    2007-11-21 19:47 . 2007-11-21 19:51 139,264 --a------ C:\WINDOWS\War3Unin.exe
    2007-11-21 19:47 . 2007-11-21 19:52 76,014 --a------ C:\WINDOWS\War3Unin.dat
    2007-11-21 19:47 . 2007-11-21 19:51 2,829 --a------ C:\WINDOWS\War3Unin.pif
    2007-11-21 19:45 . 2007-12-06 02:35 <DIR> d-------- C:\Program Files\Warcraft III
    2007-11-21 05:07 . 2007-11-21 05:07 <DIR> d-------- C:\Program Files\DivX
    2007-11-14 17:24 . 2007-11-14 17:24 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-11-14 17:24 . 2007-11-14 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2007-11-14 13:41 . 2007-11-14 17:27 <DIR> d-------- C:\E2938
    2007-11-14 13:41 . 2007-11-14 13:41 <DIR> d-------- C:\Documents and Settings\Phillip\Application Data\CyberLink
    2007-11-14 01:25 . 2007-11-14 01:25 <DIR> d-------- C:\Program Files\DVD Decrypter
    2007-11-12 22:24 . 2007-11-27 12:26 <DIR> d-------- C:\Program Files\iTunes
    2007-11-12 22:23 . 2007-11-13 21:44 <DIR> d-------- C:\Program Files\QuickTime
    2007-11-12 20:59 . 2007-11-12 20:59 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
    2007-11-12 20:58 . 2007-11-12 20:58 <DIR> d-------- C:\Program Files\MSECACHE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-07 03:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-06 05:07 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Wave Systems Corp
    2007-12-06 04:05 --------- d-----w C:\Program Files\Common Files\Network Associates
    2007-12-06 03:57 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Viewpoint
    2007-12-06 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-12-01 02:07 --------- d-----w C:\Program Files\Windows Desktop Search
    2007-12-01 01:35 --------- d-----w C:\Program Files\Java
    2007-11-28 14:45 --------- d-----w C:\Program Files\Hero Editor
    2007-11-26 16:08 --------- d-----w C:\Program Files\Conquer 2.0
    2007-11-13 03:11 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Apple Computer
    2007-11-13 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-09 19:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-09 04:51 --------- d-----w C:\Program Files\iPod
    2007-11-06 03:17 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Winamp
    2007-11-06 03:11 --------- d-----w C:\Program Files\Winamp
    2007-11-04 05:11 --------- d-----w C:\Documents and Settings\Phillip\Application Data\InstallShield
    2007-10-31 18:12 --------- d-----w C:\Documents and Settings\Phillip\Application Data\gtk-2.0
    2007-10-26 14:28 --------- d-----w C:\Program Files\Diablo II
    2007-10-26 00:43 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-10-26 00:43 249,856 ------w C:\WINDOWS\Setup1.exe
    2007-10-25 23:20 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2007-10-25 17:33 --------- d-----w C:\Program Files\MSN Messenger
    2007-10-19 04:34 --------- d-----w C:\Program Files\BreakPoint Software
    2007-10-19 04:27 --------- d-----w C:\Program Files\HHD Software
    2007-10-19 04:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\HHD Software
    2006-09-07 03:39 8 -c-h--w C:\Program Files\.drv120405.dat
    2006-09-07 03:39 8 -c-h--w C:\Program Files\.data211204.dat
    2006-09-07 03:39 8 -c-h--w C:\Program Files\.data211004.dat
    2006-09-07 03:39 8 -c-h--w C:\Program Files\.dat000001.dat
    2006-09-07 03:39 8 -c-h--w C:\Documents and Settings\Phillip\Application Data\.drv190904.dat
    2006-09-07 03:39 8 -c-h--w C:\Documents and Settings\Phillip\Application Data\.data001.dat
    2006-09-07 03:39 8 -c-h--w C:\Documents and Settings\Phillip\Application Data\.app190905.dat
    2006-09-07 03:39 8 -c-h--w C:\Documents and Settings\Phillip\Application Data\.addit001.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4863778A-AF30-4C26-ADE5-688A113D06B6}]
    C:\WINDOWS\system32\ddayy.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-10-12 17:13]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
    "iLike"="C:\Program Files\iLike\1.1.16\ilikesidebar.exe" [2007-09-13 11:34]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 19:13]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 23:44]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 23:41]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 23:45]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 15:08]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 C:\WINDOWS\stsystra.exe]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 12:26]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 14:58]
    "BuildBU"="c:\dell\bldbubg.exe" [2006-07-06 13:58]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-28 13:46]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 00:28]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-28 13:46]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB9671"="command /c del C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted_old" []
    "SpybotDeletingD239"="cmd /c del C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted_old" []
    "SpybotDeletingB1617"="command /c del C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL_tobedeleted_old" []
    "SpybotDeletingD4684"="cmd /c del C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL_tobedeleted_old" []
    "SpybotDeletingB5574"="command /c del C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted_old" []
    "SpybotDeletingD2414"="cmd /c del C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted_old" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-06 14:19:39]
    EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 09:39:02]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wxvault.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys
    R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
    S2 NetCM;Network Connection Manager;C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-30 04:39:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-12-02 08:03:33 C:\WINDOWS\Tasks\At1.job"
    - C:\Program Files\Spybot - Search & Destroy\spybotsd.exe
    "2007-12-02 07:50:03 C:\WINDOWS\Tasks\At2.job"
    - C:\Program Files\Spybot - Search & Destroy\spybotsd.exe
    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-06 22:41:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-06 22:42:11 - machine was rebooted
    .
    --- E O F ---



    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:02:27 PM 11/23/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW
    C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW Could not be deleted.

    Attempting to delete C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW
    C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW
    C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW Could not be deleted.

    Attempting to delete C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW
    C:\Documents and Settings\Phillip\Local Settings\Temporary Internet Files\Content.IE5\B3MTQMOW Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:17:15 PM 11/23/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:38:47 PM 11/23/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\windows\system32\ljjjihh.dll
    C:\windows\system32\ljjjihh.dll Could not be deleted.

    Attempting to delete C:\windows\system32\ljjjihh.dll
    C:\windows\system32\ljjjihh.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\ljjjihh.dll
    C:\windows\system32\ljjjihh.dll Could not be deleted.

    Attempting to delete C:\windows\system32\ljjjihh.dll
    C:\windows\system32\ljjjihh.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 6:51:09 PM 11/24/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:41:29 PM 11/30/2007

    Listing files found while scanning....


    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:36:15 PM 11/30/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll
    C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 1:01:35 AM 12/6/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.7.0

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:35:17 AM 12/6/2007

    Listing files found while scanning....


    VundoFix V6.7.0

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:50:02 AM 12/6/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.7.0

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 11:33:48 2007-12-06

    Listing files found while scanning....

    No infected files were found.
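The HijackThis and ComboFix logs in this thread are triaged by eye, line by line. The script below is an added example, not part of the thread or of either tool: it parses O4/O10/O23 lines and ComboFix service lines (the sample lines are copied from the logs above, plus a benign control) and flags the review cues a helper looks for first, such as a core Windows binary name living outside the Windows directory, a service with no recorded owner, or an LSP file HijackThis does not recognise. The heuristics and the CORE_BINARIES list are my own assumptions, and a flag means "verify", not "malicious".

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis and ComboFix logs
# in this thread, plus one benign control line (ctfmon.exe in system32).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
S2 NetCM;Network Connection Manager;C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe
R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys
"""

# Assumed list: binaries that legitimately live only under the Windows directory.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "explorer.exe", "ctfmon.exe"}
WINDOWS_ROOTS = ("c:\\windows\\", "c:\\winnt\\")

# Line shapes handled: HijackThis O4 (Run keys), O10 (Winsock LSP), O23 (services)
# and ComboFix "R0/S2 name;display;path" driver/service lines.
HJT_O4 = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_O10 = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')
HJT_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
CF_SVC = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$')


def extract_path(cmd):
    """Pull the image path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: the path runs up to the first switch or the "(User ...)" annotation.
    return re.split(r'\s+(?=/|\(User)', cmd, maxsplit=1)[0]


def assess(path):
    """Return review reasons for one image path (empty list = nothing to flag)."""
    reasons = []
    low = path.lower()
    name = PureWindowsPath(low).name
    if name in CORE_BINARIES and not low.startswith(WINDOWS_ROOTS):
        reasons.append(f"core Windows binary name '{name}' outside the Windows directory")
    return reasons


def triage(log_text):
    """Parse log lines; return [(line, [reasons])] for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons, path = [], None
        if m := HJT_O4.match(line):
            path = extract_path(m["cmd"])
        elif m := HJT_O10.match(line):
            path = m["path"]
            reasons.append("LSP file not recognised by HijackThis: verify publisher")
        elif m := HJT_O23.match(line):
            path = m["path"]
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service has no recorded owner/publisher: verify")
        elif m := CF_SVC.match(line):
            path = m["path"]
        if path:
            reasons += assess(path)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```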
