Can't get rid of Vundo - any help appreciated
Richdebc
2007-03-07, 13:32
Hi,
My computer has started behaving oddly - trying to access A:\ every time it boots up, Explorer sometimes crashing, running slowly for no apparent reason, so I ran a Panda virus scan and it looks like I've got something called Vundo. I tried Vundofix but it couldn't delete the files because they were already in use. Can anyone help?
Logfile of HijackThis v1.99.1
Scan saved at 11:22:15, on 07/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Arovax AntiSpyware] C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe /s
O4 - HKLM\..\Run: [Arovax Shield] C:\Program Files\Arovax Shield\ArovaxShield.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{898D1BA8-F787-4780-A1EB-B98821CC94FC}: NameServer = 212.139.132.41 212.139.132.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
Richdebc
2007-03-07, 13:39
Panda Online scan log (it wouldn't fit in the previous post):
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtuvwtu.dll
Virus:trj/ldpinch.a Disinfected Operating system
Adware:adware/razespyware Not disinfected c:\windows\system32\notepad.com
Adware:adware/wupd Not disinfected c:\windows\downloaded program files\ActiveX.inf
Adware:adware/emediacodec Not disinfected c:\program files\Media-Codec
Virus:Trj/Spyforms.A Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\ImapMail\imaphost-rs.dur.ac.uk\INBOX-1[order_report.exe]
Potentially unwanted tool:Application/Demo-GFI.A Not disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\ImapMail\imaphost-rs.dur.ac.uk\INBOX-1[~0005645.~]
Potentially unwanted tool:Application/Demo-GFI.A Not disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\ImapMail\imaphost-rs.dur.ac.uk\INBOX-1[~0005646.~]
Virus:Trj/Spyforms.A Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Inbox[order_report.exe]
Virus:W32/Nuwar.B.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[postcard.exe]
Virus:Trj/Gagar.CC Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[greeting card.exe]
Virus:Trj/Gagar.CC Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Greeting Card.exe]
Virus:W32/Nuwar.B.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[postcard.exe]
Virus:Trj/Gagar.CC Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[greeting card.exe]
Virus:Trj/Gagar.CC Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Greeting Card.exe]
Virus:Trj/Alanchum.NX!CME-711 Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Video.exe]
Virus:W32/Nuwar.D.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Full Clip.exe]
Virus:W32/Nuwar.D.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Full Video.exe]
Virus:W32/Nuwar.D.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Full Clip.exe]
Virus:Trj/Alanchum.OH Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Read More.exe]
Virus:Trj/Alanchum.OD Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Full Clip.exe]
Virus:Trj/Alanchum.OD Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[More Here.exe]
Virus:Trj/Alanchum.OL Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Read News.exe]
Virus:Trj/Alanchum.OD Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[greeting card.exe]
Virus:Trj/Alanchum.ON Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Greeting Card.exe]
Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[flash postcard.exe]
Virus:Trj/Alanchum.PK Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Greeting Card.exe]
Virus:Trj/Alanchum.PG Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[flash postcard.exe]
Virus:Trj/Alanchum.PJ Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[postcard.exe]
Virus:Trj/Alanchum.PV Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[greeting card.exe]
Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Greeting Card.exe]
Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[postcard.exe]
Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[flash postcard.exe]
Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[greeting postcard.exe]
Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Postcard.exe]
Virus:W32/Nurech.B.worm Disinfected C:\Documents and Settings\Rich\Application Data\Thunderbird\Profiles\dxu3yak2.default\Mail\pop.mail.yahoo.co.uk\Trash[Greeting Postcard.exe]
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 18.07.2006 13-27-38.dat
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 21.10.2006 10-27-58.dat
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 29.09.2006 09-15-38.dat
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
Adware:Adware/EMediaCodec Not disinfected C:\Program Files\Media-Codec\uninst.exe
Potentially unwanted tool:Application/PassRock Not disinfected C:\quarantine\Rock XP 2.0.exe.Vir
pskelley
2007-03-07, 16:15
Welcome to the forum. As a result of a look at the scan results and your feedback, you may have multiple infections. I need to collect some information before we start. My best advice to you would be to keep this computer offline as much as possible until we get it cleaned up.
1) http://siri.geekstogo.com/SmitfraudFix.php <<< download SmitfraudFix from here and follow only these instructions:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
2) C:\HijackThis\HijackThis.exe <<< return here and point the mouse and choose rename. Call it Richdebc.exe or whatever you wish. The next HJT log should show us the infection.
Restart the computer and post the C:\Report.txt from Smitfraudfix "Search" function and a new HJT log. Add any comments you think will help. I will respond with instructions as soon as possible after you post.
Thanks
Richdebc
2007-03-07, 16:31
Thanks for the quick reply pskelley! Reports below (I've commented what I can, but I let my housemates use this computer - or rather I used to - and I suspect they've installed some stuff I don't recognise).
SmitFraudFix v2.148
Scan done at 14:23:36.56, 07/03/2007
Run from C:\PROGRA~1\MOZILL~1\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\migicons.exe FOUND !
C:\WINDOWS\system32\notepad.com FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rich
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rich\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Rich\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Media-Codec\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.babeskickass.com/content/Zuzana_Drabinova/1_062.jpg"
"SubscribedURL"="http://www.babeskickass.com/content/Zuzana_Drabinova/1_062.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.lucypinder.info/assets/images/TMLucyRedUnderwear3r.gif"
"SubscribedURL"="http://www.lucypinder.info/assets/images/TMLucyRedUnderwear3r.gif"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://www.lucypinder.info/assets/images/Loaded_1.jpg"
"SubscribedURL"="http://www.lucypinder.info/assets/images/Loaded_1.jpg"
"FriendlyName"=""
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 14:29:17, on 07/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe [Ahead cd reading utility]
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe [Kerio Firewall]
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [McAfee VirusScan]
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe [Kerio Firewall]
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe [McAfee VirusScan]
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe [McAfee VirusScan]
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe [Kerio firewall]
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe [Printer]
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [McAfee VirusScan]
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe [McAfee VirusScan]
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe [Antispyware]
C:\Program Files\Arovax Shield\ArovaxShield.exe [Antispyware]
C:\Program Files\Java\jre1.6.0\bin\jusched.exe [Java]
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [Modem]
C:\program files\microsoft office\OFFICE11\WINWORD.EXE [MS Word]
C:\Program Files\Mozilla Thunderbird\thunderbird.exe [Email client]
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE [Web browser]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe [Acrobat Reader]
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\HijackThis\Richdebc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {4E21F75D-E4BE-4D86-A90A-907011A7C153} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\System32\vtuvwtu.dll
O2 - BHO: (no name) - {BEED39C3-4363-4254-BD57-E40A2CC6FC54} - (no file)
O2 - BHO: (no name) - {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Arovax AntiSpyware] C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe /s
O4 - HKLM\..\Run: [Arovax Shield] C:\Program Files\Arovax Shield\ArovaxShield.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{898D1BA8-F787-4780-A1EB-B98821CC94FC}: NameServer = 212.139.132.42 212.139.132.41
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O20 - Winlogon Notify: awvtt - C:\WINDOWS\System32\awvtt.dll
O20 - Winlogon Notify: vtuvwtu - C:\WINDOWS\SYSTEM32\vtuvwtu.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
Thanks.
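The second HJT log (taken after HijackThis.exe was renamed, as asked) is where the infection finally shows: an O2 BHO with "(no name)" that points at a real DLL in System32, and two O20 Winlogon Notify entries, one of them loading the very same DLL. That pairing is the thing to look for when triaging a log like this, so here is a small parser that pulls it out automatically. This is an added example, not code from the thread or from the HijackThis project; the sample lines are constructed in HijackThis 1.99.1 format from the entries above, and the KNOWN_NOTIFY allowlist of Winlogon Notify subkeys is an assumption you should extend for the drivers and security products you know are installed.

```python
import re

# Constructed sample in HijackThis 1.99.1 format, modelled on the log above:
# a legitimate Adobe BHO, a "(no file)" orphan, the unnamed BHO at vtuvwtu.dll,
# a normal O4 Run entry and the two O20 Winlogon Notify entries.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\System32\vtuvwtu.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O20 - Winlogon Notify: awvtt - C:\WINDOWS\System32\awvtt.dll
O20 - Winlogon Notify: vtuvwtu - C:\WINDOWS\SYSTEM32\vtuvwtu.dll
"""

# Assumption: Winlogon Notify subkeys that ship with Windows XP. Any other
# subkey deserves a look; extend this for products you know are installed.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return the O2 (BHO) and O20 (Winlogon Notify) entries of a HijackThis log.
    Paths are lower-cased because the same DLL shows up as System32 and SYSTEM32."""
    bhos, notify = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(),
                         "path": m["path"].lower()})
        elif m := NOTIFY_RE.match(line):
            notify.append({"key": m["key"].lower(), "path": m["path"].lower()})
    return bhos, notify


def triage(text):
    """Flag the persistence patterns worth a closer look in an HJT log."""
    bhos, notify = parse_hjt(text)
    # "(no file)" BHOs are leftovers: registry clutter, not a running threat.
    orphan = [b["clsid"] for b in bhos if b["path"] == "(no file)"]
    # An unnamed BHO that does resolve to a file is the suspicious kind.
    unnamed = {b["path"] for b in bhos
               if b["name"] == "(no name)" and b["path"] != "(no file)"}
    notify_paths = {n["path"] for n in notify}
    # Winlogon Notify DLLs outside the allowlist load at every logon.
    suspect_notify = sorted(n["path"] for n in notify if n["key"] not in KNOWN_NOTIFY)
    # The same DLL registered both ways is the pattern seen in this thread.
    double = sorted(unnamed & notify_paths)
    return {"orphan_bhos": orphan, "unnamed_bhos": sorted(unnamed),
            "suspect_notify": suspect_notify, "double_persistence": double}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full log rather than the sample and the "double_persistence" list is the set of DLLs to hand to a removal tool first; an O20 entry loading under winlogon is also why a plain delete fails while the system is up, which matches the "already in use" error reported in the first post.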
pskelley
2007-03-07, 16:48
Whoa Rich, you just caught me. I was out the door to mow the lawn. I love Florida; I mow the lawn while others shovel the snow.
I was right, you do have both infections. There may be more also, but we need to remove these first.
Let me tell you about Vundofix first. The hackers call their junk anything they wish. Vundofix may not know it the first time, but it learns; you will see the junk in the report. You need to run the fix until all of the junk it locates says "Has been deleted", then move on.
1) http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
2) Thanks to Atribune and any others who helped with this fix.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com
Restart the computer and post the C:\rapport.txt from Smitfraudfix, the C:\vundofix.txt and a new HJT log. Add any comments you think will help. I will respond and try to clean up the junk that is left as soon as possible after you post.
Thanks...phil
What can you tell me about this program: C:\Program Files\Arovax AntiSpyware, do you own it?
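The rule in the post above is "run the fix until all of the junk it locates says Has been deleted". When you are walking several machines through this, it helps to have that decision made by a script instead of by eye, so here is a small checker for C:\vundofix.txt. This is an added example, not code from the thread or from VundoFix's author; the sample text is constructed in the format VundoFix 6.3.15 writes, using the file names reported in this thread, and the status words it matches ("Has been deleted!", "Could not be deleted.") are taken from that output.

```python
import re

# Constructed sample in the layout of C:\vundofix.txt (VundoFix 6.3.15):
# three files listed, one removed, two that resisted deletion.
SAMPLE_VUNDOFIX = r"""
VundoFix V6.3.15

Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 15:22:18 07/03/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\vtuvwtu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.

Performing Repairs to the registry.
Done!
"""

DELETED_RE = re.compile(r"^(?P<path>.+?) Has been deleted!$")
FAILED_RE = re.compile(r"^(?P<path>.+?) Could not be deleted\.$")


def parse_vundofix(text):
    """Map every file VundoFix listed to 'deleted', 'failed' or 'unresolved'.
    'unresolved' covers a listed file with no outcome line at all, which
    happens if the run was interrupted before the removal phase finished."""
    found, outcome = [], {}
    listing = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Listing files found"):
            listing = True
            continue
        if line.startswith("Beginning removal"):
            listing = False
            continue
        if listing:
            found.append(line)
            continue
        if m := DELETED_RE.match(line):
            outcome[m["path"]] = "deleted"
        elif m := FAILED_RE.match(line):
            outcome[m["path"]] = "failed"
    return {f: outcome.get(f, "unresolved") for f in found}


def remaining(text):
    """Files that still need another VundoFix pass, or submission if it keeps failing."""
    return sorted(f for f, status in parse_vundofix(text).items() if status != "deleted")


def needs_rerun(text):
    """True until every file VundoFix found reports 'Has been deleted!'."""
    return bool(remaining(text))


if __name__ == "__main__":
    for path, status in parse_vundofix(SAMPLE_VUNDOFIX).items():
        print(f"{status:10} {path}")
    print("rerun needed:", needs_rerun(SAMPLE_VUNDOFIX))
```

On the sample this reports two files still in place, which is exactly the state Rich describes in his next post; the remaining() list is also the list to submit to Upload Malware if a further pass still cannot remove them.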
Richdebc
2007-03-07, 17:29
Hi Phil, thanks for your help - I'd be completely lost otherwise! VundoFix didn't work - even after rebooting it couldn't remove the three files. Here are the logs you asked for:
SmitFraudFix v2.148
Scan done at 15:05:42.20, 07/03/2007
Run from C:\Documents and Settings\Rich\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\migicons.exe Deleted
C:\WINDOWS\system32\notepad.com Deleted
C:\Program Files\Media-Codec\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
VundoFix V6.3.15
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 15:22:18 07/03/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\vtuvwtu.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 15:28:12, on 07/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Documents and Settings\Rich\Desktop\VundoFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\Richdebc.exe
C:\WINDOWS\system32\cidaemon.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {4E21F75D-E4BE-4D86-A90A-907011A7C153} - (no file)
O2 - BHO: (no name) - {521F64F5-74FD-44B7-B030-69EACCECD0BC} - C:\WINDOWS\System32\awvtt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\System32\vtuvwtu.dll
O2 - BHO: (no name) - {BEED39C3-4363-4254-BD57-E40A2CC6FC54} - (no file)
O2 - BHO: (no name) - {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} - (no file)
O2 - BHO: (no name) - {F83101F1-84A6-408D-A019-1AA64F4FF36C} - (no file)
O2 - BHO: (no name) - {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Arovax AntiSpyware] C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe /s
O4 - HKLM\..\Run: [Arovax Shield] C:\Program Files\Arovax Shield\ArovaxShield.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Rich\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{898D1BA8-F787-4780-A1EB-B98821CC94FC}: NameServer = 212.139.132.4 212.139.132.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O20 - Winlogon Notify: awvtt - C:\WINDOWS\System32\awvtt.dll
O20 - Winlogon Notify: vtuvwtu - C:\WINDOWS\SYSTEM32\vtuvwtu.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
Arovax Antispyware is a free program I downloaded on a friend's recommendation - it's supposed to detect spyware by looking for tell-tale signals somehow. It rarely finds anything though, so I suspect it's not much good. Arovax Shield on the other hand seems to work pretty well at blocking unwanted fiddling with the registry, start-up etc.
pskelley
2007-03-07, 17:43
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Update your Java program to the newest version and uninstall the old ones in Add/Remove Programs, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Next, read what I said again, then read the instructions again. I have seen the fix have to be run six or more times to delete everything, looks like you ran it once. There is no easier way to remove this infection, it only gets harder from here.
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Rich\Desktop\vundofix.exe"
I should not see it running like you have it here, delete the tool and download it again.
Richdebc
2007-03-07, 18:57
Can't believe I misread your instructions - sorry! Must be because this has been winding me up a little.
I ran a newly downloaded version of VundoFix until it came up with a blank box on rebooting and said there was nothing else to delete, but the files it was having problems with originally are still there in my system32 directory. Is this a problem?
There's no longer anything trying to access A:\ on startup though.
Logs:
SmitFraudFix v2.148
Scan done at 15:05:42.20, 07/03/2007
Run from C:\Documents and Settings\Rich\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\migicons.exe Deleted
C:\WINDOWS\system32\notepad.com Deleted
C:\Program Files\Media-Codec\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
VundoFix V6.3.15
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 16:11:45 07/03/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\vtuvwtu.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.3.15
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 16:25:16 07/03/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\vtuvwtu.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.3.15
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 16:40:56 07/03/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\vtuvwtu.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\vtuvwtu.dll
C:\WINDOWS\SYSTEM32\vtuvwtu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
[The VundoFix log ends here]
Logfile of HijackThis v1.99.1
Scan saved at 16:56:39, on 07/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\program files\microsoft office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis\Richdebc.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {4E21F75D-E4BE-4D86-A90A-907011A7C153} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {A643E0FB-C170-41C9-B8FB-84B77449EBD9} - C:\WINDOWS\System32\awvtt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\System32\vtuvwtu.dll
O2 - BHO: (no name) - {BEED39C3-4363-4254-BD57-E40A2CC6FC54} - (no file)
O2 - BHO: (no name) - {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} - (no file)
O2 - BHO: (no name) - {F83101F1-84A6-408D-A019-1AA64F4FF36C} - (no file)
O2 - BHO: (no name) - {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Arovax AntiSpyware] C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe /s
O4 - HKLM\..\Run: [Arovax Shield] C:\Program Files\Arovax Shield\ArovaxShield.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{898D1BA8-F787-4780-A1EB-B98821CC94FC}: NameServer = 212.139.132.4 212.139.132.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O20 - Winlogon Notify: awvtt - C:\WINDOWS\System32\awvtt.dll
O20 - Winlogon Notify: vtuvwtu - C:\WINDOWS\SYSTEM32\vtuvwtu.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
Thanks
Richdebc
2007-03-07, 18:59
Oh, I forgot to say I couldn't uninstall my old java - when I try I get the message 'Internal Error 2753. RegUtils'. I installed the new version over the top in case that helps...
pskelley
2007-03-07, 19:57
Please don't run Smitfraudfix, you are done with that tool.
I am going to give you this information about Java now:
Internal Error 2753 <<< see this: http://www.google.com/search?q=%27Internal+Error+2753&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG
I have no idea why Java is giving you that error, but others have had the problem also. If you can resolve the issue with that information, then contact Java for help:
http://java.sun.com/developer/support/
http://www.google.com/search?q=Java+technical+support&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG
You can check your Java installation here: http://www.java.com/en/download/installed.jsp
Well, you know Vundo is still there, my first question is did you upload the file that could not be removed so Atribune can add it to the fix? If you did not would you do that first:
If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com
Here are the files to upload, they are added fairly quickly, but it may be tomorrow before it gets done.
C:\WINDOWS\System32\awvtt.dll
C:\WINDOWS\System32\vtuvwtu.dll
Next...if you are following directions, then the only thing that can be blocking the removal are these programs:
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
It is probably the Shield, but I can not attest to that having no knowledge of the programs.
Turn them off and then run the Vundofix, you know what the files are that must be deleted. If that does not work, then try booting to safe mode and run Vundofix there. If that does not work then uninstall those programs completely and try again.
Keep me posted.
Thanks
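The two DLLs Phil names above show up twice in Rich's HijackThis log: once as nameless O2 BHO entries and again as O20 Winlogon Notify handlers. That pairing is the tell for this family, and it is also why VundoFix keeps reporting "Could not be deleted": a Winlogon Notify DLL is loaded into winlogon.exe at logon, so the file is in use for as long as the session lasts. The script below is an added example written for this thread, not one of the tools discussed and not code from any of the posters. It parses a handful of log lines copied from the HijackThis output posted above (constructed sample input, embedded inline), correlates O2 and O20 entries by normalised path, and reports each nameless BHO that is also a Winlogon Notify handler. The reversed-name .ini hint (ttvwa.ini beside awvtt.dll) is taken from the VundoFix log in this thread and is offered as something to look for, not as a rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis lines Rich posted in this thread.
# Note the System32 / SYSTEM32 case difference between the O2 and O20 lines.
SAMPLE_HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {521F64F5-74FD-44B7-B030-69EACCECD0BC} - C:\WINDOWS\System32\awvtt.dll
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\System32\vtuvwtu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O20 - Winlogon Notify: awvtt - C:\WINDOWS\System32\awvtt.dll
O20 - Winlogon Notify: vtuvwtu - C:\WINDOWS\SYSTEM32\vtuvwtu.dll
"""

# HijackThis line formats for the two entry types we correlate.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (bho_entries, winlogon_notify_entries) parsed from HijackThis log text."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def normalize(path):
    """Case-fold and strip quotes so System32 and SYSTEM32 compare equal."""
    return path.strip().strip('"').lower()


def companion_ini_name(dll_path):
    """Reversed DLL stem plus .ini, the companion-file pattern seen in this thread's VundoFix log."""
    stem = PureWindowsPath(dll_path).stem
    return stem[::-1] + ".ini"


def find_suspects(text):
    """Flag nameless BHOs; severity is high when the same DLL is also a Winlogon Notify handler."""
    bhos, notifies = parse_hjt(text)
    notify_by_path = {normalize(n["path"]): n["key"] for n in notifies}
    findings = []
    for b in bhos:
        if b["name"] != "(no name)":
            continue  # named, file-backed BHOs are left for manual review
        path = normalize(b["path"])
        finding = {"clsid": b["clsid"], "path": b["path"]}
        if path == "(no file)":
            finding.update(severity="low", reason="orphan BHO registration, no file on disk")
        elif path in notify_by_path:
            finding.update(
                severity="high",
                reason="nameless BHO also registered as a Winlogon Notify package "
                       "(loaded by winlogon.exe, so the file will be in use at logon)",
                notify_key=notify_by_path[path],
                companion_ini=companion_ini_name(b["path"]),
            )
        else:
            finding.update(severity="medium", reason="nameless BHO backed by a file")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspects(SAMPLE_HJT_LINES):
        print(f["severity"].upper(), f["clsid"], f["path"], "-", f["reason"])
```

Run against the full log, the high-severity findings are exactly the two files Phil asked to have uploaded, and the companion_ini field points at the ttvwa.ini that VundoFix did manage to delete. The correlation is what makes the result trustworthy: a nameless BHO with a missing file is common debris, but a nameless BHO whose DLL is also a Winlogon Notify handler has a persistence hook that an ordinary file delete cannot break while winlogon.exe holds it.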
Richdebc
2007-03-07, 22:55
I think java is sorted - following the link you gave me I downloaded Window Installer Clean Up (http://www.softpedia.com/get/Security/Secure-cleaning/Windows-Installer-CleanUp-Utility.shtml) which seems to have done the trick.
Still can't get VundoFix to delete the files, even with the Arovax programs uninstalled. I uploaded the files earlier this afternoon, so I'll hang on and try again tomorrow then post the results here.
Thanks for all your help and patience!
pskelley
2007-03-07, 23:19
Ok my friend, I have been at these logs since around 4:00 AM EST and my mind has about stopped working. I can not see any reason why the fix does not work, but it does happen once in a while. Those look like common file names, I am surprised it was not cleaned the first time. Atribune is very good about adding files we send, so give it a try tomorrow. If it still does not work, I will post an alternate fix, but I would appreciate it if you wait until you try Vundofix first before you use this.
Keep me posted...Phil
Alternative fix for Vundo:
Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated
This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process.
Do not be concerned.
Just reboot if your system "jams".
To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.
Whichever works, we will still have some debris to remove, so once Vundo is history, post a new HJT log.
Thanks
Richdebc
2007-03-08, 22:57
I tried VundoFix again, but I don't think atribune has updated it as it is still on the same version number, and didn't work.
VirtumundoBeGone appears to have worked, I think. Here's the log:
[03/08/2007, 19:52:15] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rich\Desktop\VirtumundoBeGone.exe" )
[03/08/2007, 19:52:19] - Detected System Information:
[03/08/2007, 19:52:19] - Windows Version: 5.1.2600, Service Pack 1
[03/08/2007, 19:52:19] - Current Username: Rich (Admin)
[03/08/2007, 19:52:19] - Windows is in NORMAL mode.
[03/08/2007, 19:52:19] - Searching for Browser Helper Objects:
[03/08/2007, 19:52:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 19:52:19] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 19:52:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:19] - No filename found. Continuing.
[03/08/2007, 19:52:19] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 19:52:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:19] - No filename found. Continuing.
[03/08/2007, 19:52:19] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 19:52:20] - BHO 5: {8F537CBD-FDE9-4F42-9D06-44F6CC8F6660} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - Checking for HKLM\...\Winlogon\Notify\awvtt
[03/08/2007, 19:52:20] - Found: HKLM\...\Winlogon\Notify\awvtt - This is probably Virtumundo.
[03/08/2007, 19:52:20] - Assigning {8F537CBD-FDE9-4F42-9D06-44F6CC8F6660} MSEvents Object
[03/08/2007, 19:52:20] - BHO list has been changed! Starting over...
[03/08/2007, 19:52:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 19:52:20] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 19:52:20] - BHO 5: {8F537CBD-FDE9-4F42-9D06-44F6CC8F6660} (MSEvents Object)
[03/08/2007, 19:52:20] - ALERT: Found MSEvents Object!
[03/08/2007, 19:52:20] - BHO 6: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[03/08/2007, 19:52:20] - BHO 7: {B07CB267-5E6F-441F-9B3C-324EFE70F897} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - Checking for HKLM\...\Winlogon\Notify\vtuvwtu
[03/08/2007, 19:52:20] - Found: HKLM\...\Winlogon\Notify\vtuvwtu - This is probably Virtumundo.
[03/08/2007, 19:52:20] - Assigning {B07CB267-5E6F-441F-9B3C-324EFE70F897} MSEvents Object
[03/08/2007, 19:52:20] - BHO list has been changed! Starting over...
[03/08/2007, 19:52:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 19:52:20] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 19:52:20] - BHO 5: {8F537CBD-FDE9-4F42-9D06-44F6CC8F6660} (MSEvents Object)
[03/08/2007, 19:52:20] - ALERT: Found MSEvents Object!
[03/08/2007, 19:52:20] - BHO 6: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[03/08/2007, 19:52:20] - BHO 7: {B07CB267-5E6F-441F-9B3C-324EFE70F897} (MSEvents Object)
[03/08/2007, 19:52:20] - ALERT: Found MSEvents Object!
[03/08/2007, 19:52:20] - BHO 8: {BEED39C3-4363-4254-BD57-E40A2CC6FC54} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 9: {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 10: {F83101F1-84A6-408D-A019-1AA64F4FF36C} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 11: {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - No filename found. Continuing.
[03/08/2007, 19:52:20] - Finished Searching Browser Helper Objects
[03/08/2007, 19:52:20] - *** Detected MSEvents Object
[03/08/2007, 19:52:20] - Trying to remove MSEvents Object...
[03/08/2007, 19:52:21] - Terminating Process: IEXPLORE.EXE
[03/08/2007, 19:52:23] - Terminating Process: RUNDLL32.EXE
[03/08/2007, 19:52:24] - Disabling Automatic Shell Restart
[03/08/2007, 19:52:24] - Terminating Process: EXPLORER.EXE
[03/08/2007, 19:52:25] - Suspending the NT Session Manager System Service
[03/08/2007, 19:52:26] - Terminating Windows NT Logon/Logoff Manager
[03/08/2007, 19:55:17] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rich\Desktop\VirtumundoBeGone.exe" )
[03/08/2007, 19:55:19] - Detected System Information:
[03/08/2007, 19:55:19] - Windows Version: 5.1.2600, Service Pack 1
[03/08/2007, 19:55:19] - Current Username: Rich (Admin)
[03/08/2007, 19:55:19] - Windows is in NORMAL mode.
[03/08/2007, 19:55:19] - Searching for Browser Helper Objects:
[03/08/2007, 19:55:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 19:55:19] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 19:55:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:19] - No filename found. Continuing.
[03/08/2007, 19:55:19] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 19:55:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:19] - No filename found. Continuing.
[03/08/2007, 19:55:19] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 19:55:19] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[03/08/2007, 19:55:19] - BHO 6: {B07CB267-5E6F-441F-9B3C-324EFE70F897} (MSEvents Object)
[03/08/2007, 19:55:19] - ALERT: Found MSEvents Object!
[03/08/2007, 19:55:19] - BHO 7: {BEED39C3-4363-4254-BD57-E40A2CC6FC54} ()
[03/08/2007, 19:55:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:19] - No filename found. Continuing.
[03/08/2007, 19:55:19] - BHO 8: {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} ()
[03/08/2007, 19:55:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:19] - No filename found. Continuing.
[03/08/2007, 19:55:19] - BHO 9: {D457DFA8-1D96-4B01-9B2A-7385F845F3C7} ()
[03/08/2007, 19:55:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:19] - Checking for HKLM\...\Winlogon\Notify\awvtt
[03/08/2007, 19:55:20] - Found: HKLM\...\Winlogon\Notify\awvtt - This is probably Virtumundo.
[03/08/2007, 19:55:20] - Assigning {D457DFA8-1D96-4B01-9B2A-7385F845F3C7} MSEvents Object
[03/08/2007, 19:55:20] - BHO list has been changed! Starting over...
[03/08/2007, 19:55:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 19:55:20] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 19:55:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - No filename found. Continuing.
[03/08/2007, 19:55:20] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 19:55:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - No filename found. Continuing.
[03/08/2007, 19:55:20] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 19:55:20] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[03/08/2007, 19:55:20] - BHO 6: {B07CB267-5E6F-441F-9B3C-324EFE70F897} (MSEvents Object)
[03/08/2007, 19:55:20] - ALERT: Found MSEvents Object!
[03/08/2007, 19:55:20] - BHO 7: {BEED39C3-4363-4254-BD57-E40A2CC6FC54} ()
[03/08/2007, 19:55:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - No filename found. Continuing.
[03/08/2007, 19:55:20] - BHO 8: {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} ()
[03/08/2007, 19:55:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - No filename found. Continuing.
[03/08/2007, 19:55:20] - BHO 9: {D457DFA8-1D96-4B01-9B2A-7385F845F3C7} (MSEvents Object)
[03/08/2007, 19:55:20] - ALERT: Found MSEvents Object!
[03/08/2007, 19:55:20] - BHO 10: {F83101F1-84A6-408D-A019-1AA64F4FF36C} ()
[03/08/2007, 19:55:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - No filename found. Continuing.
[03/08/2007, 19:55:20] - BHO 11: {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} ()
[03/08/2007, 19:55:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - No filename found. Continuing.
[03/08/2007, 19:55:20] - Finished Searching Browser Helper Objects
[03/08/2007, 19:55:20] - *** Detected MSEvents Object
[03/08/2007, 19:55:20] - Trying to remove MSEvents Object...
[03/08/2007, 19:55:21] - Terminating Process: IEXPLORE.EXE
[03/08/2007, 19:55:23] - Terminating Process: RUNDLL32.EXE
[03/08/2007, 19:55:25] - Disabling Automatic Shell Restart
[03/08/2007, 19:55:25] - Terminating Process: EXPLORER.EXE
[03/08/2007, 19:55:26] - Suspending the NT Session Manager System Service
[03/08/2007, 19:55:27] - Terminating Windows NT Logon/Logoff Manager
[03/08/2007, 20:00:56] - Re-enabling Automatic Shell Restart
[03/08/2007, 20:00:56] - File to disable: C:\WINDOWS\System32\vtuvwtu.dll
[03/08/2007, 20:00:56] - Renaming C:\WINDOWS\System32\vtuvwtu.dll -> C:\WINDOWS\System32\vtuvwtu.dll.vir
[03/08/2007, 20:00:56] - File successfully renamed!
[03/08/2007, 20:00:56] - Removing HKLM\...\Browser Helper Objects\{B07CB267-5E6F-441F-9B3C-324EFE70F897}
[03/08/2007, 20:00:56] - Removing HKCR\CLSID\{B07CB267-5E6F-441F-9B3C-324EFE70F897}
[03/08/2007, 20:00:56] - Adding Kill Bit for ActiveX for GUID: {B07CB267-5E6F-441F-9B3C-324EFE70F897}
[03/08/2007, 20:00:56] - Deleting ATLEvents/MSEvents Registry entries
[03/08/2007, 20:00:56] - Removing HKLM\...\Winlogon\Notify\vtuvwtu
[03/08/2007, 20:00:56] - Searching for Browser Helper Objects:
[03/08/2007, 20:00:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 20:00:56] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 20:00:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:00:56] - No filename found. Continuing.
[03/08/2007, 20:00:56] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 20:00:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:00:56] - No filename found. Continuing.
[03/08/2007, 20:00:56] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 20:00:56] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[03/08/2007, 20:00:56] - BHO 6: {BEED39C3-4363-4254-BD57-E40A2CC6FC54} ()
[03/08/2007, 20:00:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:00:56] - No filename found. Continuing.
[03/08/2007, 20:00:56] - BHO 7: {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} ()
[03/08/2007, 20:00:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:00:56] - No filename found. Continuing.
[03/08/2007, 20:00:56] - BHO 8: {D457DFA8-1D96-4B01-9B2A-7385F845F3C7} (MSEvents Object)
[03/08/2007, 20:00:56] - ALERT: Found MSEvents Object!
[03/08/2007, 20:00:56] - BHO 9: {F83101F1-84A6-408D-A019-1AA64F4FF36C} ()
[03/08/2007, 20:00:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:00:56] - No filename found. Continuing.
[03/08/2007, 20:00:56] - BHO 10: {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} ()
[03/08/2007, 20:00:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:00:56] - No filename found. Continuing.
[03/08/2007, 20:00:56] - Finished Searching Browser Helper Objects
[03/08/2007, 20:00:56] - *** Detected MSEvents Object
[03/08/2007, 20:00:56] - Trying to remove MSEvents Object...
[03/08/2007, 20:00:57] - Terminating Process: IEXPLORE.EXE
[03/08/2007, 20:06:34] - Terminating Process: RUNDLL32.EXE
[03/08/2007, 20:06:35] - Disabling Automatic Shell Restart
[03/08/2007, 20:06:35] - Terminating Process: EXPLORER.EXE
[03/08/2007, 20:06:35] - Suspending the NT Session Manager System Service
[03/08/2007, 20:06:36] - Terminating Windows NT Logon/Logoff Manager
[03/08/2007, 20:06:36] - Re-enabling Automatic Shell Restart
[03/08/2007, 20:06:36] - File to disable: C:\WINDOWS\System32\awvtt.dll
[03/08/2007, 20:06:36] - Renaming C:\WINDOWS\System32\awvtt.dll -> C:\WINDOWS\System32\awvtt.dll.vir
[03/08/2007, 20:06:37] - File successfully renamed!
[03/08/2007, 20:06:37] - Removing HKLM\...\Browser Helper Objects\{D457DFA8-1D96-4B01-9B2A-7385F845F3C7}
[03/08/2007, 20:06:37] - Removing HKCR\CLSID\{D457DFA8-1D96-4B01-9B2A-7385F845F3C7}
[03/08/2007, 20:06:37] - Adding Kill Bit for ActiveX for GUID: {D457DFA8-1D96-4B01-9B2A-7385F845F3C7}
[03/08/2007, 20:06:37] - Deleting ATLEvents/MSEvents Registry entries
[03/08/2007, 20:06:37] - Removing HKLM\...\Winlogon\Notify\awvtt
[03/08/2007, 20:06:37] - Searching for Browser Helper Objects:
[03/08/2007, 20:06:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/08/2007, 20:06:37] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 20:06:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:06:37] - No filename found. Continuing.
[03/08/2007, 20:06:37] - BHO 3: {4E21F75D-E4BE-4D86-A90A-907011A7C153} ()
[03/08/2007, 20:06:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:06:37] - No filename found. Continuing.
[03/08/2007, 20:06:37] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 20:06:37] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[03/08/2007, 20:06:37] - BHO 6: {BEED39C3-4363-4254-BD57-E40A2CC6FC54} ()
[03/08/2007, 20:06:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:06:37] - No filename found. Continuing.
[03/08/2007, 20:06:37] - BHO 7: {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} ()
[03/08/2007, 20:06:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:06:37] - No filename found. Continuing.
[03/08/2007, 20:06:37] - BHO 8: {F83101F1-84A6-408D-A019-1AA64F4FF36C} ()
[03/08/2007, 20:06:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:06:37] - No filename found. Continuing.
[03/08/2007, 20:06:37] - BHO 9: {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} ()
[03/08/2007, 20:06:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:06:37] - No filename found. Continuing.
[03/08/2007, 20:06:37] - Finished Searching Browser Helper Objects
[03/08/2007, 20:06:37] - Finishing up...
[03/08/2007, 20:06:37] - A restart is needed.
[03/08/2007, 20:06:57] - Attempting to Restart via STOP error (Blue Screen!)
Accessing the A:\ at startup has come back again though...
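The VirtumundoBeGone log above records the tool's heuristic (a BHO registered with no default name whose CLSID matches a Winlogon\Notify subkey is treated as Virtumundo) and then the unhooking steps it takes for each hit. The following Python is an added example, not part of this thread and not code from the VirtumundoBeGone tool: it parses lines in that log format into a remediation summary and checks that every flagged CLSID was fully unhooked (BHO registration and CLSID removed, kill bit set, Notify subkey removed, backing DLL renamed), so a log like the one posted can be reviewed for incomplete removals. The sample lines are a constructed subset of the posted log; the function names and summary fields are my own.

```python
import re

# Constructed sample: a subset of the VirtumundoBeGone log posted in the thread,
# trimmed to the detection and unhooking events a reviewer needs.
SAMPLE_LOG = r"""
[03/08/2007, 19:52:19] - BHO 2: {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} ()
[03/08/2007, 19:52:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:19] - No filename found. Continuing.
[03/08/2007, 19:52:20] - BHO 7: {B07CB267-5E6F-441F-9B3C-324EFE70F897} ()
[03/08/2007, 19:52:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:52:20] - Found: HKLM\...\Winlogon\Notify\vtuvwtu - This is probably Virtumundo.
[03/08/2007, 19:52:20] - Assigning {B07CB267-5E6F-441F-9B3C-324EFE70F897} MSEvents Object
[03/08/2007, 19:55:19] - BHO 9: {D457DFA8-1D96-4B01-9B2A-7385F845F3C7} ()
[03/08/2007, 19:55:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 19:55:20] - Found: HKLM\...\Winlogon\Notify\awvtt - This is probably Virtumundo.
[03/08/2007, 19:55:20] - Assigning {D457DFA8-1D96-4B01-9B2A-7385F845F3C7} MSEvents Object
[03/08/2007, 20:00:56] - Renaming C:\WINDOWS\System32\vtuvwtu.dll -> C:\WINDOWS\System32\vtuvwtu.dll.vir
[03/08/2007, 20:00:56] - File successfully renamed!
[03/08/2007, 20:00:56] - Removing HKLM\...\Browser Helper Objects\{B07CB267-5E6F-441F-9B3C-324EFE70F897}
[03/08/2007, 20:00:56] - Removing HKCR\CLSID\{B07CB267-5E6F-441F-9B3C-324EFE70F897}
[03/08/2007, 20:00:56] - Adding Kill Bit for ActiveX for GUID: {B07CB267-5E6F-441F-9B3C-324EFE70F897}
[03/08/2007, 20:00:56] - Removing HKLM\...\Winlogon\Notify\vtuvwtu
[03/08/2007, 20:06:36] - Renaming C:\WINDOWS\System32\awvtt.dll -> C:\WINDOWS\System32\awvtt.dll.vir
[03/08/2007, 20:06:37] - File successfully renamed!
[03/08/2007, 20:06:37] - Removing HKLM\...\Browser Helper Objects\{D457DFA8-1D96-4B01-9B2A-7385F845F3C7}
[03/08/2007, 20:06:37] - Removing HKCR\CLSID\{D457DFA8-1D96-4B01-9B2A-7385F845F3C7}
[03/08/2007, 20:06:37] - Adding Kill Bit for ActiveX for GUID: {D457DFA8-1D96-4B01-9B2A-7385F845F3C7}
[03/08/2007, 20:06:37] - Removing HKLM\...\Winlogon\Notify\awvtt
"""

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
RE_LINE = re.compile(r"^\[([^\]]+)\] - (.*)$")          # timestamp, message
RE_BHO = re.compile(r"^BHO \d+: " + GUID + r" \((.*)\)$")  # CLSID, default name
RE_NOFILE = re.compile(r"^No filename found\.")
RE_FOUND = re.compile(r"^Found: HKLM\\\.\.\.\\Winlogon\\Notify\\(\S+) - This is probably Virtumundo\.$")
RE_ASSIGN = re.compile(r"^Assigning " + GUID + r" MSEvents Object$")
RE_RENAME = re.compile(r"^Renaming (.+?) -> (.+)$")
RE_RENAME_OK = re.compile(r"^File successfully renamed!$")
RE_RM_BHO = re.compile(r"^Removing HKLM\\\.\.\.\\Browser Helper Objects\\" + GUID + r"$")
RE_RM_CLSID = re.compile(r"^Removing HKCR\\CLSID\\" + GUID + r"$")
RE_KILLBIT = re.compile(r"^Adding Kill Bit for ActiveX for GUID: " + GUID + r"$")
RE_RM_NOTIFY = re.compile(r"^Removing HKLM\\\.\.\.\\Winlogon\\Notify\\(\S+)$")


def parse_vbg_log(text):
    """Reduce a VirtumundoBeGone-format log to what was flagged and what was done."""
    s = {"flagged": {},              # CLSID -> Winlogon\Notify subkey it was tied to
         "nameless_unresolved": [],  # nameless BHOs with no Winlogon reference
         "renamed": [],              # (src, dst) renames the log confirmed
         "bho_removed": [], "clsid_removed": [], "killbits": [], "notify_removed": []}
    pending_guid = pending_notify = pending_rename = None
    for raw in text.strip().splitlines():
        m = RE_LINE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        if (b := RE_BHO.match(msg)):
            guid, name = b.groups()
            pending_guid = guid if name == "" else None   # only nameless BHOs get checked
            pending_notify = None
        elif RE_NOFILE.match(msg):
            if pending_guid and pending_guid not in s["nameless_unresolved"]:
                s["nameless_unresolved"].append(pending_guid)
            pending_guid = None
        elif (f := RE_FOUND.match(msg)):
            pending_notify = f.group(1)
        elif (a := RE_ASSIGN.match(msg)):
            s["flagged"][a.group(1)] = pending_notify     # CLSID now tied to the Notify key
            pending_guid = pending_notify = None
        elif (r := RE_RENAME.match(msg)):
            pending_rename = r.groups()
        elif RE_RENAME_OK.match(msg) and pending_rename:
            s["renamed"].append(pending_rename)
            pending_rename = None
        elif (x := RE_RM_BHO.match(msg)):
            s["bho_removed"].append(x.group(1))
        elif (x := RE_RM_CLSID.match(msg)):
            s["clsid_removed"].append(x.group(1))
        elif (x := RE_KILLBIT.match(msg)):
            s["killbits"].append(x.group(1))
        elif (x := RE_RM_NOTIFY.match(msg)):
            s["notify_removed"].append(x.group(1))
    return s


def remediation_gaps(s):
    """List unhooking steps the log never confirmed for a flagged CLSID."""
    gaps = []
    for guid, notify in s["flagged"].items():
        if guid not in s["bho_removed"]:
            gaps.append(f"BHO registration still present for {guid}")
        if guid not in s["clsid_removed"]:
            gaps.append(f"CLSID key still present for {guid}")
        if guid not in s["killbits"]:
            gaps.append(f"no ActiveX kill bit set for {guid}")
        if notify not in s["notify_removed"]:
            gaps.append(f"Winlogon\\Notify\\{notify} still present")
        dll = f"\\{notify}.dll".lower()
        if not any(src.lower().endswith(dll) for src, _ in s["renamed"]):
            gaps.append(f"{notify}.dll was not renamed")
    return gaps


if __name__ == "__main__":
    summary = parse_vbg_log(SAMPLE_LOG)
    print("flagged:", summary["flagged"])
    print("gaps:", remediation_gaps(summary) or "none")
```

Nameless BHOs that the tool could not tie to a Winlogon\Notify key are kept in `nameless_unresolved`; the tool leaves them alone, and in this thread they are exactly the "(no name) / (no file)" O2 entries that remain in the later HijackThis log.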
pskelley
2007-03-08, 23:06
Accessing the A:\ at startup has come back again though
Please explain what you mean by this, describe it, tell me about any error messages "word for word" or any messages from Windows at all. Post a new HJT log.
Thanks
Richdebc
2007-03-09, 12:41
Hmm, it didn't happen when I switched on the computer just now. Last time, I could hear the noise of something trying to access the (empty) floppy disk drive and a pop-up window appeared saying something like 'The A:\ is not accessible' - I'm afraid I can't remember the exact wording - with options to retry, cancel or something else. I'll reboot now to see if it does it next time.
pskelley
2007-03-09, 12:55
Thanks for that feedback. I requested a new HJT log; we will probably have a little cleaning to do. If you get that error message, post it, also put it in Google: http://www.google.com/ word for word, you will probably get your answer. Be sure nothing is being left in any of your drives.
Thanks
Richdebc
2007-03-09, 13:11
Rebooted a couple of times and the message doesn't appear. If it does again I'll take your advice.
Something peculiar did just happen in Firefox though - I pressed the " ' " key a few times, and in each case it acted like the hotkey for find, i.e. CTRL+f. The arrow keys stopped working as well, but all are fine now.
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:09:07, on 09/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\Richdebc.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {4E21F75D-E4BE-4D86-A90A-907011A7C153} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BEED39C3-4363-4254-BD57-E40A2CC6FC54} - (no file)
O2 - BHO: (no name) - {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} - (no file)
O2 - BHO: (no name) - {F83101F1-84A6-408D-A019-1AA64F4FF36C} - (no file)
O2 - BHO: (no name) - {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{898D1BA8-F787-4780-A1EB-B98821CC94FC}: NameServer = 212.139.132.4 212.139.132.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dur.ac.uk
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
Cheers.
Richdebc
2007-03-09, 13:49
I'm going away for the weekend until Monday - visiting family, which should be nice - and won't have internet access so I won't be able to read/reply to anything here for a few days. Have a good weekend Phil!
pskelley
2007-03-09, 14:07
Cheers and have a great holiday:eek:
Let me post this great information for you now:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Unless I am missing something I do not see a realtime spyware program running, read what the experts have to say a little later, but here is freeware for your consideration:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Let's do a little cleaning and see how you are running.
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {4E21F75D-E4BE-4D86-A90A-907011A7C153} - (no file)
O2 - BHO: (no name) - {BEED39C3-4363-4254-BD57-E40A2CC6FC54} - (no file)
O2 - BHO: (no name) - {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} - (no file)
O2 - BHO: (no name) - {F83101F1-84A6-408D-A019-1AA64F4FF36C} - (no file)
O2 - BHO: (no name) - {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} - (no file)
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecke.../AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
(next item looks like a photo uploader, if you are sure it is safe, leave it)
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and if all is well, then you are good to go.
You should remove all of the tools we download to clean, the exception being ATF-Cleaner, you may keep that nice little tool if you wish.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
The ActiveX (016 - DPF) You will be prompted to download fresh if you ever visit the site again.
For your information: http://www.greatis.com/appdata/u/d/dap.exe.htm
Some safe programs can be found here:
http://cybercoyote.org/internet/download.shtml
http://www.safer-networking.org/en/articles/download-managers.html
http://www.spywareinfo.com/downloads.php?cat=dlman
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Cheers...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
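pskelley's instructions above pick out the O2 entries that read "(no name)" with "(no file)", the DAP context-menu items and most of the O16 ActiveX downloads for HijackThis to fix. As an added example, not from this thread and not part of HijackThis, the following Python triages lines in the HJT log format: it lists orphan O2 BHO registrations, the host each O16 DPF control was downloaded from, and any O4 Run entry that loads a DLL through rundll32 (the process the VirtumundoBeGone log earlier in the thread had to terminate). It only reports; deciding what to fix stays with the reviewer, as it did here with the photo uploader. The sample lines are a constructed subset of the posted log; the function names and report fields are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis lines posted in the thread
# (O2 BHOs, a few O4 Run entries and O16 DPF downloads), used here as input.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E80BA5-B2DE-4ABD-974B-4DFB0930AD24} - (no file)
O2 - BHO: (no name) - {4E21F75D-E4BE-4D86-A90A-907011A7C153} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {BEED39C3-4363-4254-BD57-E40A2CC6FC54} - (no file)
O2 - BHO: (no name) - {C4BF6331-B45E-45DA-BCF2-90B191BB51B8} - (no file)
O2 - BHO: (no name) - {F83101F1-84A6-408D-A019-1AA64F4FF36C} - (no file)
O2 - BHO: (no name) - {F8A1FF46-7C5D-4767-A151-EE43D83FC23F} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
"""

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
RE_O2 = re.compile(r"^O2 - BHO: (.+?) - " + GUID + r" - (.+)$")   # name, CLSID, DLL path
RE_O4 = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")                # hive, value name, command
RE_RUNDLL = re.compile(r"^RUNDLL32(?:\.EXE)?\s+([^,]+)", re.IGNORECASE)  # DLL before the ',entrypoint'
RE_O16 = re.compile(r"^O16 - DPF: " + GUID + r" \((.+?)\) - (\S+)$")  # CLSID, name, CAB URL


def triage_hjt(text):
    """Sort HJT lines into the items a reviewer looks at first."""
    report = {"orphan_bho": [],   # (CLSID, original line): registered, but no name and no file
              "dpf": [],          # (CLSID, control name, download host)
              "rundll32": []}     # (Run value name, DLL path loaded via rundll32)
    for line in text.strip().splitlines():
        line = line.strip()
        if (m := RE_O2.match(line)):
            name, guid, path = m.groups()
            if name == "(no name)" and path == "(no file)":
                report["orphan_bho"].append((guid, line))
        elif (m := RE_O4.match(line)):
            _hive, entry, cmd = m.groups()
            if (r := RE_RUNDLL.match(cmd)):
                report["rundll32"].append((entry, r.group(1).strip()))
        elif (m := RE_O16.match(line)):
            guid, name, url = m.groups()
            report["dpf"].append((guid, name, urlsplit(url).hostname))
    return report


def fix_list(report):
    """The orphan O2 lines, verbatim, ready to paste into a 'check these items' reply."""
    return "\n".join(line for _, line in report["orphan_bho"])


if __name__ == "__main__":
    rep = triage_hjt(SAMPLE_HJT)
    print("Orphan BHO entries to fix:\n" + fix_list(rep))
    print("\nActiveX downloads by host:")
    for guid, name, host in rep["dpf"]:
        print(f"  {host:25} {name} {guid}")
    print("\nRun entries loading a DLL via rundll32 (review, do not auto-fix):")
    for entry, dll in rep["rundll32"]:
        print(f"  [{entry}] {dll}")
```

The rundll32 list is deliberately only reported: the two entries in this log are NVIDIA's, and the point is that a reviewer compares the DLL path and name against the VirtumundoBeGone output rather than removing every rundll32 launcher.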
Richdebc
2007-03-13, 11:52
Everything seems to be working fine now. Thanks for all your help Phil - you're a real star!
pskelley
2007-03-16, 22:42
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.