#1
Junior Member
Join Date: Mar 2007
Posts: 10
I have gone through the pre-requisites on this forum to the tee, and although things are somewhat better (before I could not even run HJT; I can now at least get around a bit on my computer), I am still having an issue. Essentially my computer continues to find the Trojan.Vundo among other things. Because I have TeaTimer running it gets into this endless loop where it is trying to make registry changes and I keep clicking deny. I will post my most recent HJT log below.

I have been battling with this issue for about 3 days now and it is exhausting; thank you so much in advance for any assistance. Oh, also I have run the VundoFix, the Look2Me Fix (found nothing), the ATF Cleaner for both Firefox and IE, SuperAntiSpyware, and Dr. CureIt, as well as Spybot, Adware, and Symantec Corporate (I can post additional logs or details on these as well).

[START LOG]
Logfile of HijackThis v1.99.1
Scan saved at 6:36:14 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Documents and Settings\HP_Administrator\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.kidrobot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: (no name) - {0A3F58BD-5742-4643-A772-B5398BDB7C0B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141056973156
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChatEnu/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUni...ck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUni..._15_Silent.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)
[END LOG]

#2
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
Welcome to the forum, you are infected and I am 99.9% sure it is Vundo:
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll

Before we start, let me explain a couple of things. Hackers call their junk anything they want, and the fix we will use can't know all of these possible names. It may not know all of the files the first time (and there is probably hidden junk you can't see), but it will learn. I have seen it take as much as 6 or 8 runs to remove it all. You want to watch the report, and you are successful when all Vundo files report as "has been deleted".

Next, programs you are running may try to prevent the changes we must make; they need to be turned off before you run the fix.

Tea Timer: http://russelltexas.com/malware/teatimer.htm

SUPERAntiSpyware: Please disable SUPERAntiSpyware. Right-click on the shortcut from the system tray, choose View Control Center (preferences/options), on the General and Startup tab, uncheck Start SUPERAntiSpyware when Windows starts, click Close to exit.

Delete all versions of VundoFix you may have on your computer and follow these instructions. Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe to your Desktop

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com

Thanks
__________________
MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

#3
Junior Member
Join Date: Mar 2007
Posts: 10
Thank you so much for assisting me. I have disabled both tea timer and super anti spyware, and downloaded the latest vundofix. It found 2 items and I did as you said. The HJT log and vundo text file are posted below.
Thank you.

[START VUNDO TEXT]
VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 5:52:36 PM 3/22/2007
Listing files found while scanning....

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 6:06:44 PM 3/22/2007
Listing files found while scanning....

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 6:21:55 PM 3/22/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:26:40 PM 3/22/2007
Listing files found while scanning....

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:42:39 PM 3/22/2007
Listing files found while scanning....
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 8:29:30 PM 3/25/2007
Listing files found while scanning....
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\vtsqq.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Has been deleted!
Performing Repairs to the registry.
Done!
[END VUNDO TEXT]

[START HJT LOG]
Logfile of HijackThis v1.99.1
Scan saved at 8:40:25 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.kidrobot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141056973156
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChatEnu/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUni...ck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUni..._15_Silent.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)
[END HJT LOG]

#4
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
Thanks for returning your information. VundoFix did locate and remove some of the junk, but it did not get the files I highlighted in red. Try the fix again; look at this French forum, though it is a little hard to understand, and scroll down to this post:

Posté le 02/03/2007 16:42:56 <<< this one

and you will see where the fix deletes the file you have showing in your BHOs and Winlogon. http://forum.telecharger.01net.com/t...essages-1.html

Attempting to delete C:\WINNT\system32\urqpnll.dll
C:\WINNT\system32\urqpnll.dll Has been deleted!

C:\WINDOWS\system32\urqpnll.dll <<< on your computer

Run the fix and watch for it to remove that Vundo file. Post that report and a HJT log. Thanks
__________________
MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

#5
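The two checks the helper does by eye in posts #2 and #4 (a no-name BHO DLL that also shows up as a Winlogon Notify handler, and a VundoFix pass being clean only when every file reports "Has been deleted") written out as a small Python triage. This is an added example, not code from the thread, from HijackThis or from VundoFix; the sample lines are constructed to match the shapes posted above, and the reversed-stem check reflects the awvvt/tvvwa and vtsqq/qqstv pairs visible in this thread's VundoFix output.

```python
import re

# Constructed sample in the shape of the HijackThis lines posted in this thread
# (the O2 BHO and O20 Winlogon Notify sections only).
SAMPLE_HJT = """\
O2 - BHO: (no name) - {0A3F58BD-5742-4643-A772-B5398BDB7C0B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\\WINDOWS\\system32\\urqpnll.dll
O2 - BHO: (no name) - {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} - C:\\WINDOWS\\system32\\jkklk.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\\WINDOWS\\SYSTEM32\\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

# Constructed sample in the shape of one VundoFix removal pass from the thread.
SAMPLE_VUNDOFIX = """\
Attempting to delete C:\\WINDOWS\\system32\\awvvt.dll
C:\\WINDOWS\\system32\\awvvt.dll Could not be deleted.
Attempting to delete C:\\WINDOWS\\system32\\tvvwa.bak1
C:\\WINDOWS\\system32\\tvvwa.bak1 Has been deleted!
Attempting to delete C:\\WINDOWS\\system32\\tvvwa.ini
C:\\WINDOWS\\system32\\tvvwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
"""

HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<rest>.+)$")
MISSING = re.compile(r"\((no file|file missing)\)$")


def parse_hjt(text):
    """Split HijackThis lines into code / description / path records.
    HJT joins fields with ' - ', so the first field is the description and
    the last is the file path (none of the paths in the thread contain ' - ')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        fields = m.group("rest").split(" - ")
        entries.append({"code": m.group("code"), "desc": fields[0],
                        "path": fields[-1].strip(), "raw": line.strip()})
    return entries


def dll_key(path):
    """Lower-cased basename so system32 and SYSTEM32 spellings compare equal."""
    return MISSING.sub("", path).strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_hjt(entries):
    """Return (shared, orphans). 'shared' lists DLLs loaded both as a no-name
    O2 BHO and as an O20 Winlogon Notify handler, the pairing the helper
    pointed at (urqpnll.dll); 'orphans' are O2/O20 lines whose file is gone."""
    bho, notify, orphans = set(), set(), []
    for e in entries:
        if e["code"] not in ("O2", "O20"):
            continue
        if MISSING.search(e["path"]):
            orphans.append(e["raw"])
            continue
        if e["code"] == "O2" and e["desc"] == "BHO: (no name)":
            bho.add(dll_key(e["path"]))
        elif e["code"] == "O20":
            notify.add(dll_key(e["path"]))
    return sorted(bho & notify), orphans


RESULT_LINE = re.compile(r"^(?P<path>\S+) (?P<status>Has been deleted!|Could not be deleted\.)$")


def parse_vundofix(text):
    """Map each file VundoFix tried to delete to True (deleted) or False."""
    results = {}
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            results[m.group("path")] = m.group("status").startswith("Has been")
    return results


def run_is_clean(results):
    """The helper's success criterion: every file reports 'Has been deleted'."""
    return bool(results) and all(results.values())


def reversed_name_pairs(paths):
    """The companion files in this thread's VundoFix output carry mirrored
    stems (awvvt.dll / tvvwa.ini, vtsqq.dll / qqstv.ini); return such pairs."""
    stems = {p.rsplit("\\", 1)[-1].lower().split(".", 1)[0] for p in paths}
    return sorted((s, s[::-1]) for s in stems if s[::-1] in stems and s < s[::-1])


if __name__ == "__main__":
    print(triage_hjt(parse_hjt(SAMPLE_HJT)))
    res = parse_vundofix(SAMPLE_VUNDOFIX)
    print(res, run_is_clean(res), reversed_name_pairs(res))
```

Feed it a whole HJT log or VundoFix report instead of the samples and the same functions apply; the pass in the sample is not clean because awvvt.dll failed to delete, which is exactly the case the helper says needs another run.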
Junior Member
Join Date: Mar 2007
Posts: 10
Well I have run the Vundo fix about 10 times now and each time it will remove 3 files; all 3 always have the same extension but different random names. My Symantec is also popping up something called InfoStealer now. When I disable my Anti-virus software then the Vundo fix doesn't find anything, but when it is enabled it does. Do I need to stop any of those files from loading from within HJT? I will post two new logs here in a few minutes.

Thank you again so much for your help.

#6
Junior Member
Join Date: Mar 2007
Posts: 10
[START HJT LOG]
Logfile of HijackThis v1.99.1
Scan saved at 10:52:17 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Documents and Settings\HP_Administrator\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.kidrobot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O2 - BHO: (no name) - {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} - C:\WINDOWS\system32\jkklk.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141056973156
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChatEnu/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUni...ck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUni..._15_Silent.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)
[END HJT LOG]

[START VUNDO TEXT]
VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 9:01:09 AM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 9:13:20 AM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\jkhhh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkhhh.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 9:27:38 AM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\gebcc.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebcc.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 9:41:18 AM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\pmkhi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 9:55:09 AM 3/26/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:09:11 AM 3/26/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:16:32 AM 3/26/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:20:23 AM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:30:00 AM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkklk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:41:27 AM 3/26/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:49:25 AM 3/26/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
[END VUNDO FIX]
#7
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
Let's try another tool, though you could see that file was removed by this tool at the French forum? I will assume you followed the directions to upload the file.
If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com

Do you ever wonder what you pay Symantec for? Not only does it not stop the junk to start with, but then it can't remove it.

Please download VirtumundoBeGone: http://secured2k.home.comcast.net/to...undoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process. Do not be concerned. Just reboot if your system "jams".

To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.

Thanks
__________________
MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

#8
Junior Member
Join Date: Mar 2007
Posts: 10
Yes, Symantec obviously doesn't work. Do you have a better anti-virus program that you can recommend that I run in unison with Spybot?

I uploaded the malware file and all information: "Your file (urqpnll.dll) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file." I am trying the next application now. Will post the log in a few minutes. Thank you.
#9
Junior Member
Join Date: Mar 2007
Posts: 10
It looks like it found something. Here is the log:
[03/26/2007, 12:01:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 12:01:25] - Detected System Information:
[03/26/2007, 12:01:25] - Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 12:01:25] - Current Username: HP_Administrator (Admin)
[03/26/2007, 12:01:25] - Windows is in NORMAL mode.
[03/26/2007, 12:01:25] - Searching for Browser Helper Objects:
[03/26/2007, 12:01:25] - BHO 1: {7A5C6872-78F2-4B24-BD41-A5C18170D55F} ()
[03/26/2007, 12:01:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:01:25] - Checking for HKLM\...\Winlogon\Notify\urqpnll
[03/26/2007, 12:01:25] - Found: HKLM\...\Winlogon\Notify\urqpnll - This is probably Virtumundo.
[03/26/2007, 12:01:25] - Assigning {7A5C6872-78F2-4B24-BD41-A5C18170D55F} MSEvents Object
[03/26/2007, 12:01:25] - BHO list has been changed! Starting over...
[03/26/2007, 12:01:25] - BHO 1: {7A5C6872-78F2-4B24-BD41-A5C18170D55F} (MSEvents Object)
[03/26/2007, 12:01:25] - ALERT: Found MSEvents Object!
[03/26/2007, 12:01:25] - BHO 2: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:01:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:01:25] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:01:25] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:01:25] - Finished Searching Browser Helper Objects
[03/26/2007, 12:01:25] - *** Detected MSEvents Object
[03/26/2007, 12:01:25] - Trying to remove MSEvents Object...
[03/26/2007, 12:01:26] - Terminating Process: IEXPLORE.EXE
[03/26/2007, 12:01:26] - Terminating Process: RUNDLL32.EXE
[03/26/2007, 12:01:26] - Disabling Automatic Shell Restart
[03/26/2007, 12:01:26] - Terminating Process: EXPLORER.EXE
[03/26/2007, 12:01:27] - Suspending the NT Session Manager System Service
[03/26/2007, 12:01:27] - Terminating Windows NT Logon/Logoff Manager
[03/26/2007, 12:01:27] - Re-enabling Automatic Shell Restart
[03/26/2007, 12:01:27] - File to disable: C:\WINDOWS\system32\urqpnll.dll
[03/26/2007, 12:01:27] - Renaming C:\WINDOWS\system32\urqpnll.dll -> C:\WINDOWS\system32\urqpnll.dll.vir
[03/26/2007, 12:01:27] - File successfully renamed!
[03/26/2007, 12:01:27] - Removing HKLM\...\Browser Helper Objects\{7A5C6872-78F2-4B24-BD41-A5C18170D55F}
[03/26/2007, 12:01:27] - Removing HKCR\CLSID\{7A5C6872-78F2-4B24-BD41-A5C18170D55F}
[03/26/2007, 12:01:27] - Adding Kill Bit for ActiveX for GUID: {7A5C6872-78F2-4B24-BD41-A5C18170D55F}
[03/26/2007, 12:01:27] - Deleting ATLEvents/MSEvents Registry entries
[03/26/2007, 12:01:27] - Removing HKLM\...\Winlogon\Notify\urqpnll
[03/26/2007, 12:01:27] - Searching for Browser Helper Objects:
[03/26/2007, 12:01:27] - BHO 1: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:01:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:01:27] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:01:27] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:01:27] - Finished Searching Browser Helper Objects
[03/26/2007, 12:01:27] - Finishing up...
[03/26/2007, 12:01:27] - A restart is needed.
[03/26/2007, 12:01:36] - Attempting to Restart via STOP error (Blue Screen!)

[03/26/2007, 12:04:14] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 12:04:16] - Detected System Information:
[03/26/2007, 12:04:16] - Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 12:04:16] - Current Username: HP_Administrator (Admin)
[03/26/2007, 12:04:16] - Windows is in NORMAL mode.
[03/26/2007, 12:04:16] - Searching for Browser Helper Objects:
[03/26/2007, 12:04:16] - BHO 1: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:04:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:04:16] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:04:16] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:04:16] - Finished Searching Browser Helper Objects
[03/26/2007, 12:04:16] - Finishing up...
[03/26/2007, 12:04:16] - Nothing found! Exiting...

[03/26/2007, 12:04:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 12:04:32] - Detected System Information:
[03/26/2007, 12:04:32] - Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 12:04:32] - Current Username: HP_Administrator (Admin)
[03/26/2007, 12:04:32] - Windows is in NORMAL mode.
[03/26/2007, 12:04:32] - Searching for Browser Helper Objects:
[03/26/2007, 12:04:32] - BHO 1: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:04:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:04:32] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:04:32] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:04:32] - Finished Searching Browser Helper Objects
[03/26/2007, 12:04:32] - Finishing up...
[03/26/2007, 12:04:32] - Nothing found! Exiting...
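The VirtumundoBeGone log above spells out the heuristic it uses: a BHO with no default name is cross-checked against the Winlogon Notify key named after its DLL, and a match is "probably Virtumundo". The same correlation can be done by hand on the HijackThis log earlier in the thread (the unnamed O2 entries against the O20 entries), and the VundoFix listings show a second tell, each DLL paired with an .ini and .bak1 whose base name is the DLL's base name reversed (awvvw.dll with wvvwa.ini). The Python below is an added example, not code from the thread or from either tool; it runs that correlation over lines copied from the logs posted above. The regular expressions and function names are my own assumptions about the HJT line format shown here, not the tools' own code.

```python
import re
from collections import defaultdict

# Constructed sample input: HijackThis O2/O3/O20 lines copied from the log
# posted above (other sections omitted; they take no part in this check).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O2 - BHO: (no name) - {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} - C:\WINDOWS\system32\jkklk.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample input: file listings from two of the VundoFix runs above.
VUNDOFIX_SAMPLE = r"""
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\jkhhh.dll
"""

# Line formats as they appear in the HJT log above (assumed, not HJT's spec).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def basename(path):
    """Lower-cased file name of a Windows path (the filesystem is case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return (list of O2 BHO dicts, dict of Winlogon Notify key -> dll name)."""
    bhos, notify = [], {}
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "dll": basename(m["path"]), "missing": bool(m["missing"])})
            continue
        m = O20_RE.match(line.strip())
        if m:
            notify[m["key"].lower()] = basename(m["path"])
    return bhos, notify


def suspicious_bhos(text):
    """The check VirtumundoBeGone logs: an O2 BHO with no default name whose
    DLL is also registered under the Winlogon Notify key.
    Returns (clsid, dll, verdict) for every unnamed BHO in the log."""
    bhos, notify = parse_hjt(text)
    findings = []
    for b in bhos:
        if b["name"] != "(no name)":
            continue
        stem = b["dll"].rsplit(".", 1)[0]
        if b["missing"]:
            verdict = "stale: CLSID registered but DLL is gone; remove the registry entry"
        elif stem in notify or b["dll"] in notify.values():
            verdict = "unnamed BHO also loaded by Winlogon Notify: Vundo/Virtumundo pattern"
        else:
            verdict = "unnamed BHO with no Winlogon reference: inspect manually"
        findings.append((b["clsid"], b["dll"], verdict))
    return findings


def vundo_file_groups(listing):
    """Group each DLL with the .ini/.bak* companions whose stem is the DLL's
    stem reversed (awvvw.dll with wvvwa.ini), the naming every VundoFix run
    above shows.  Returns {dll name: sorted companion names}."""
    names = [basename(p.strip()) for p in listing.splitlines() if p.strip()]
    by_stem = defaultdict(list)
    for n in names:
        stem, _, ext = n.partition(".")
        by_stem[stem].append(ext)
    groups = {}
    for n in names:
        stem, _, ext = n.partition(".")
        mirror = stem[::-1]
        if ext == "dll" and mirror in by_stem:
            groups[n] = sorted(mirror + "." + e for e in by_stem[mirror])
    return groups


if __name__ == "__main__":
    for clsid, dll, verdict in suspicious_bhos(HJT_SAMPLE):
        print(clsid, dll, "->", verdict)
    for dll, companions in vundo_file_groups(VUNDOFIX_SAMPLE).items():
        print(dll, "companions:", ", ".join(companions))
```

Run against the lines from this thread it flags urqpnll.dll as the live Vundo component (unnamed BHO plus Winlogon Notify entry) and jkklk.dll as a stale CLSID whose file VundoFix had already deleted, which is exactly what the VirtumundoBeGone run then acted on. The Winlogon Notify half is what makes this family survive a plain BHO removal: the DLL is loaded by winlogon.exe before the shell starts, so it can re-register itself, which is why the tool kills the logon manager and forces a restart rather than just deleting the file.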
#10
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
I wish I could tell you what program will stop the junk, but the hackers are making lots of $$$ and all they have to do is count the $$$ and figure ways to beat your security. Governments don't seem to be able to do anything either. I use McAfee but it is getting as bad as Symantec; their new program is huge and I took away my CC number, and will go with freeware. Though when all is said and done, that infection probably got onboard as a result of a bad script you picked up at a website you would never have thought it of. Here's what I mean:
http://www.networkworld.com/news/200...-unravels.html
http://www.revenews.com/wayneporter/...l_network_now/

What is being said:
http://anti-virus-software-review.toptenreviews.com/
http://www.consumersearch.com/www/so...e/reviews.html
http://www.zdnet.com.au/news/securit...9263949,00.htm