
View Full Version : malware blocks spybot



robecker950
2007-02-13, 11:31
I am having the same issue as technocowboy. If you think it would help I will do as you instructed him to do. If I figure this out I'll post my findings here. For the fun of it I created a text file and renamed it spybotsd.exe and it gets erased immediately. And, when I drilled into a shared drive on another machine to see what files are in the spybot install folder (I have spybot on all of my machines) 'it' erased spybotsd.exe on that computer along with other files. I don't know if it is of any value but if you want I can VNC to my other machine (now that I reinstalled spybotsd) and compare directories to see what files are being erased. Further, this 'thing' has erased my AVG Antivirus, and 'it' will not let me install updates to AVG Anti Spyware unless I'm logged in as a guest. And, I am sure it is directly related, but I cannot boot into safe mode without getting a blue screen of death. - Scary

I meant to say I'm not sure - repeat I am NOT sure it is directly related, but I cannot boot into safe mode without getting a blue screen of death.

Mr_JAk3
2007-02-13, 13:49
Hi robecker950 and welcome to the forums :)

I've created a new thread for your problem. The instructions in the other thread weren't universal...

Please post a HijackThis log to here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

robecker950
2007-02-14, 17:21
Logfile of HijackThis v1.99.1
Scan saved at 11:19:44 AM, on 2/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Messenger\MSMSGS.EXE
D:\PROGRA~1\MICROS~1\wcescomm.exe
D:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mooch\Local Settings\Temporary Internet Files\Content.IE5\RS5B8WV9\VundoFix[1].exe
C:\Documents and Settings\mooch\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ICQ Lite] "d:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~1\wcescomm.exe"
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150550594781
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

robecker950
2007-02-14, 17:51
Thanks again for looking into this with me...

here are a couple of things I noticed on my machine:

1. The service 'Automatic Updates' is being disabled and stopped upon reboot
2. The Windows Firewall/Internet Connection Sharing (ICS) Service is stopped upon a reboot.

-later

Mr_JAk3
2007-02-14, 20:52
Ok let's see what we can find...

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.

You may need to post the GMER log in several parts.

robecker950
2007-02-15, 04:26
GMER scans along and my machine keeps shutting down! I did see red entries in the log; hidden services - one ending with 'wintems', two ending with hldrr, and another with m_hook.sys! I will continue to try and get a log posted from GMER.

robecker950
2007-02-15, 15:01
Using Blacklight I was able to rename wintems, hldrrr, hidr, m_hook. Upon rebooting I was able to install spybot and avg virus. Scanning with both applications I found some left over registry issues, and the files I used to infect my machine, and cleaned those out.

I think I am done here.

Thanks for responding so quickly to my post!

robecker950
2007-02-15, 15:06
I used spybot and avg prior to getting infected. Other than scanning every new exe before executing it, is there a way to set up a safety net against doing something stupid like double clicking on an exe that you forgot to scan?

Mr_JAk3
2007-02-17, 10:08
Hi again and sorry for the delay, I was out of town.

Ok please post a fresh HijackThis log and also try if gmer runs now. Post the GMER log if it works..

:bigthumb:

robecker950
2007-02-17, 14:17
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-17 08:16:56
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AD1C54DD-99EB-C17D-70A7-08828DE2CBE7}\InProcServer32@jaaenjhboknopmpfjghg 0x6A 0x61 0x63 0x68 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AD1C54DD-99EB-C17D-70A7-08828DE2CBE7}\InProcServer32@iaaedkjeoibmdgfbpg 0x6A 0x61 0x62 0x68 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AD1C54DD-99EB-C17D-70A7-08828DE2CBE7}\InProcServer32@dbaenjhboknopmpfjghggmimafjjdalajonkcijk 0x6A 0x61 0x62 0x68 ...

---- EOF - GMER 1.0.12 ----

robecker950
2007-02-17, 14:19
Logfile of HijackThis v1.99.1
Scan saved at 7:55:59 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Messenger\MSMSGS.EXE
D:\PROGRA~1\MICROS~1\wcescomm.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Documents and Settings\mooch\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ICQ Lite] "d:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~1\wcescomm.exe"
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\mooch\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150550594781
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
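An added example, not code from this thread, from HijackThis or from Spybot: a small Python triage script for the O4 (autostart) section of HijackThis logs. It parses the Run entries, diffs the 2/14 log against the 2/17 log, and applies four cheap heuristics that are my own choice and naming: an entry that is new since the previous log, an executable that runs from the user profile, a Run value name that looks like one program but launches a different file, and the same name registered under both HKLM and HKCU. The sample log text is cut down from the two logs posted above. The three entries that the helper lists for fixing (hldrrr, drvsyskit, german.exe) are the ones that trip the last three heuristics; AVG7_CC also shows as new, because AVG was reinstalled in between, so the output is a worklist for a human, not a verdict.

```python
"""Triage HijackThis O4 (autostart) entries by diffing two logs.

Added example for this thread; not part of HijackThis, Spybot or anything
posted here. The heuristics are my own and produce false positives (a
freshly reinstalled product is "new" too), so read the output as a worklist.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Sample input: O4 lines cut down from the 2/14 and 2/17 logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\mooch\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


class RunEntry(NamedTuple):
    hive: str   # "HKLM" or "HKCU"
    name: str   # the Run value name shown in [brackets]
    exe: str    # executable path extracted from the command line
    line: str   # the original log line


# Registry Run lines only; Global Startup (.lnk) lines use a different layout.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$')
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)(?:"|\s|$)', re.IGNORECASE)


def parse_o4(log: str) -> List[RunEntry]:
    """Return the HKLM/HKCU Run entries found in a HijackThis log."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.groups()
        em = EXE_RE.match(cmd)
        entries.append(RunEntry(hive, name, em.group('exe') if em else cmd, line))
    return entries


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(before_log: str, after_log: str) -> Dict[str, List[str]]:
    """Map 'HIVE:name' -> reasons for every entry in after_log that looks odd."""
    before = {(e.hive, e.name) for e in parse_o4(before_log)}
    after = parse_o4(after_log)
    hives_by_name: Dict[str, Set[str]] = {}
    for e in after:
        hives_by_name.setdefault(e.name.lower(), set()).add(e.hive)

    findings: Dict[str, List[str]] = {}
    for e in after:
        reasons = []
        if (e.hive, e.name) not in before:
            reasons.append('new since previous log')
        low = e.exe.lower()
        if '\\documents and settings\\' in low or '\\application data\\' in low:
            reasons.append('runs from a user profile directory')
        if e.name.lower().endswith('.exe') and e.name.lower() != basename(e.exe):
            reasons.append('value name %s does not match launched %s'
                           % (e.name, basename(e.exe)))
        if hives_by_name[e.name.lower()] == {'HKLM', 'HKCU'}:
            reasons.append('registered under both HKLM and HKCU')
        if reasons:
            findings['%s:%s' % (e.hive, e.name)] = reasons
    return findings


if __name__ == '__main__':
    for key, reasons in triage(LOG_BEFORE, LOG_AFTER).items():
        print(key)
        for r in reasons:
            print('    -', r)
```

Run it as-is to see the worklist; to use it on your own machine, paste the O4 sections of two consecutive logs into LOG_BEFORE and LOG_AFTER. Entries that survive a "Fix checked" run and reappear in the next log are the ones worth a rootkit scan, which is the pattern in this thread: the first log did not show hldrrr, hidr or wintems at all until the hidden files were renamed.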

robecker950
2007-02-17, 14:45
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-17 08:45:40
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1FF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E2215DA C:\WINDOWS\system32\IEFRAME.dll

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AD1C54DD-99EB-C17D-70A7-08828DE2CBE7}\InProcServer32@jaaenjhboknopmpfjghg 0x6A 0x61 0x63 0x68 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AD1C54DD-99EB-C17D-70A7-08828DE2CBE7}\InProcServer32@iaaedkjeoibmdgfbpg 0x6A 0x61 0x62 0x68 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AD1C54DD-99EB-C17D-70A7-08828DE2CBE7}\InProcServer32@dbaenjhboknopmpfjghggmimafjjdalajonkcijk 0x6A 0x61 0x62 0x68 ...

---- EOF - GMER 1.0.12 ----

Mr_JAk3
2007-02-17, 20:49
Hi again, we'll remove the leftovers :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\mooch\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to My Computer and delete the following files (if present):
C:\WINDOWS\system32\hldrrr.exe or C:\WINDOWS\system32\hldrrr.exe.ren
C:\WINDOWS\system32\wintems.exe or C:\WINDOWS\system32\wintems.exe.ren

Go to My Computer and delete the following folders (if present):
C:\Documents and Settings\mooch\Application Data\hidires

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

robecker950
2007-02-18, 02:39
Wow! Thanks for the verbose instructions! I'll follow them and post the results as instructed...

robecker950
2007-02-22, 09:54
Logfile of HijackThis v1.99.1
Scan saved at 3:52:44 AM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Messenger\MSMSGS.EXE
D:\PROGRA~1\MICROS~1\wcescomm.exe
D:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mooch\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ICQ Lite] "d:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~1\wcescomm.exe"
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150550594781
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

robecker950
2007-02-22, 09:57
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:40:08 AM 2/22/2007

+ Scan result:



C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\WhenU SaveNow_12_02_2007_20_26_49.asq5829/{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049029.exe -> Downloader.Bagle.br : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP351\A0050150.exe -> Downloader.Bagle.br : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0050631.exe -> Downloader.Bagle.br : Cleaned with backup (quarantined).
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\Tracking Cookie_15_02_2007_01_39_04.asq15724 -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\RealMedia.com_12_02_2007_20_26_49.asq21724 -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\Revenue.net_15_02_2007_01_39_04.asq29358 -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\SpyLog.com_14_02_2007_20_03_57.asq11478 -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\Trafficmp Cookie_21_02_2007_20_03_00.asq41 -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\TribalFusion.com_21_02_2007_20_03_00.asq18467 -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardEL.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardHU.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardNL.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardSK.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0048939.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049022.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049038.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049127.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0050124.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0050140.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP355\A0050184.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050202.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050241.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050252.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP357\A0050296.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP357\A0050304.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP361\A0050455.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP361\A0050464.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP362\A0050468.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP362\A0050480.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP362\A0050488.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0050513.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0050630.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0050636.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP364\A0054646.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP345\A0048809.exe -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP345\A0048810.sys -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP347\A0048883.sys -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP347\A0048884.exe -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050210.exe -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050219.exe -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050222.exe -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050226.exe -> Worm.Bagle.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0048903.exe -> Worm.Bagle.hu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050195.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050197.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050198.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050200.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050204.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050205.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050206.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050207.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050213.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050214.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050215.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050218.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050223.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050227.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050228.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050229.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052651.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052652.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052653.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052654.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052655.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052656.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052658.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052660.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052662.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP363\A0052664.exe -> Worm.Bagle.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050201.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050203.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050208.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050209.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050211.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050212.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050216.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050217.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050220.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050221.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050224.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050225.exe -> Worm.Bagle.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0048940.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049028.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049039.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049128.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0050127.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0050143.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP355\A0050188.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050232.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP356\A0050244.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP357\A0050297.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP357\A0050306.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP361\A0050457.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP361\A0050466.exe -> Worm.Bagle.hz : Cleaned with backup (quarantined).


::Report end

robecker950
2007-02-22, 10:00
1. I wasn't able to start in safe mode, so I had to run all the steps in normal mode. I did, however, reboot where you said to reboot to normal mode.
2. If you know where one could read about what to do when they are getting a stop error upon trying to enter safe mode, please let me know!
3. Thanks again for all your help!

-later

Mr_JAk3
2007-02-22, 17:42
Hi again :)

What error do you get when you try to boot to the safe mode?

Let's see if there is something that shouldn't be quarantined...

Open AVG Anti-Spyware.
Infections > Quarantine
Click the following:
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardEL.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
Click on "Restore" and answer "Yes"

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardEL.dll
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

:bigthumb:
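The triage step above (working out which quarantined items are worth a second look before anything is restored) is easier on a long report like the one posted earlier in this thread if you first split the hits by where they lived. The following Python script is an added example and is not part of this thread or of AVG Anti-Spyware; it parses the report's one-line-per-hit format (`path -> detection : action.`) and separates copies held in System Restore points and in another tool's quarantine from files that were in an active location, which are the ones the helper asked to have checked at VirusTotal. The embedded sample report is a constructed subset of the lines from the report in this thread, and the location categories and the `family()` grouping are my own choices, not AVG's.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: a subset of the AVG Anti-Spyware report posted in this thread,
# kept in the report's own format so the parser below can be exercised offline.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:40:08 AM 2/22/2007

+ Scan result:

C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\WhenU SaveNow_12_02_2007_20_26_49.asq5829/{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0049029.exe -> Downloader.Bagle.br : Cleaned with backup (quarantined).
C:\Documents and Settings\mooch\Application Data\Uniblue\SpyEraser\Quarantine\Tracking Cookie_15_02_2007_01_39_04.asq15724 -> TrackingCookie.Liveperson : Cleaned.
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardEL.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
C:\Program Files\Common Files\NVIDIA Shared\Audio\NvAudioWizardHU.dll -> Trojan.Susear.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP348\A0048939.sys -> Worm.Bagle.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1DB8EAFA-B370-48FC-AB0A-13C0FF2BB3A6}\RP362\A0050468.exe -> Worm.Bagle.hq : Cleaned with backup (quarantined).

::Report end
"""


class Finding(NamedTuple):
    path: str
    detection: str
    action: str


# One hit per line: "<path> -> <detection> : <action>."  Detection names contain no spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


def parse_report(text: str) -> list[Finding]:
    """Extract the hit lines from an AVG Anti-Spyware scan report; header/footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["detection"], m["action"]))
    return findings


def classify(path: str) -> str:
    """Where the hit lived (categories are this example's own, not AVG's)."""
    lowered = path.lower()
    if "\\system volume information\\_restore" in lowered:
        return "restore-point"           # old copy kept by System Restore; inert unless restored
    if "\\quarantine\\" in lowered:
        return "other-tool-quarantine"   # already isolated by another scanner (SpyEraser here)
    return "live"                        # was in an active location: verify before trusting the label


def family(detection: str) -> str:
    """Collapse variant suffixes: 'Worm.Bagle.hj' -> 'Worm.Bagle'; 'Adware.SaveNow' is unchanged."""
    parts = detection.split(".")
    return ".".join(parts[:2]) if len(parts) >= 3 else detection


def summarize(findings: list[Finding]) -> dict:
    """Counts by malware family and by location, for a quick read of a long report."""
    return {
        "by_family": Counter(family(f.detection) for f in findings),
        "by_location": Counter(classify(f.path) for f in findings),
    }


def needs_verification(findings: list[Finding]) -> list[str]:
    """Live-file hits: the candidates for a second opinion (e.g. a multi-engine scan)
    before deciding whether to leave them quarantined or restore them."""
    return [f.path for f in findings if classify(f.path) == "live"]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    summary = summarize(hits)
    print("By family:  ", dict(summary["by_family"]))
    print("By location:", dict(summary["by_location"]))
    print("Verify before restoring:")
    for p in needs_verification(hits):
        print("  ", p)
```

On the full report from this thread the same split shows that nearly all of the Bagle hits are restore-point copies, and the only live-file detections are the four NvAudioWizard language DLLs, which is exactly the set the helper asked to have checked before restoring.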

robecker950
2007-02-23, 13:53
1. I attached a screen shot of the *stop* error I get when I try to boot into safe mode.
2. I had the same *stop* error when trying to boot into safe mode prior to running through your process and quarantining anything.
3. I noticed I have 'Enable hibernation' ticked, but the button to enter hibernation mode is not displayed.
4. I'll do your last suggestion and post back to you.

-later

robecker950
2007-02-23, 14:05
I went to do the restore of NvAudioWizardEL.dll and discovered there were four entries for NvAudioWizardXX.dll (NvAudioWizardEL.dll, NvAudioWizardNL.dll, NvAudioWizardSK.dll, NvAudioWizardHU.dll); should I restore them all?

Mr_JAk3
2007-02-23, 17:40
Hi :)

Ok, you may restore all of them, but please scan one of them at Virustotal just in case.


Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log": List also minor sections (Full) and List empty sections (Complete).
Click "Generate StartupList Log".
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed.
Copy & Paste that log to here.


:bigthumb:

Mr_JAk3
2007-03-02, 07:55
Still there robecker950? :spider:

This topic is closed due to lack of a response :spider:

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread.

Applies only to the original topic starter.