Pop Ups, RUNDLL errors, Themida pop-ups, CID Popups



celluloidheros
2007-04-02, 13:36
Hello, I made the mistake of downloading a file using BitTorrent; since then, my computer has been doing 4-5 odd things and is very slow. I read the stickies and ran SB 1.4 in Safe Mode, ran Panda, VundoFix and SmitfraudFix. It seemed to help some, but I still have some issues.

Here is the Active Scan report



Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\sqqugtfj.dll.bad
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Don Crandall\Local Settings\Temp\bisA.exe
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@hitbox[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@stats1.reliablestats[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@advertising[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.dist.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.belnk.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[www.systemdoctor.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[stats1.reliablestats.com/]


2,3) I ran SB 1.4 in Safe Mode and it removed 10 or so items.

4) Hijack This Log file

Logfile of HijackThis v1.99.1
Scan saved at 7:20:12 AM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\msngr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJK ThiS\HijkThis.exe

O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - C:\WINDOWS\system32\vtuvsqr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {AC2E0F4E-6D3F-4896-9B47-B16E08BC260D} - C:\WINDOWS\system32\vtsqr.dll
O2 - BHO: (no name) - {DB79A386-1ADF-4218-BDE6-25DD2CA739B4} - C:\WINDOWS\system32\gebca.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll
O20 - Winlogon Notify: vtuvsqr - C:\WINDOWS\SYSTEM32\vtuvsqr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe

5) Here is the Smitfraud log

SmitFraudFix v2.162

Scan done at 19:48:44.04, Sun 04/01/2007
Run from C:\Documents and Settings\Don Crandall\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: SiS 900 PCI Fast Ethernet Adapter
DNS Server Search Order: 24.92.226.9
DNS Server Search Order: 24.92.226.102

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: SiS 900 PCI Fast Ethernet Adapter
DNS Server Search Order: 24.92.226.9
DNS Server Search Order: 24.92.226.102

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102

6)

Here is the VundoFix log. The Vundo fix seemed to do more than anything.


VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:06:49 PM 4/1/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\acbeg.bak1
C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\acbeg.ini2
C:\WINDOWS\system32\acbeg.tmp
C:\WINDOWS\SYSTEM32\byxyyvw.dll
C:\WINDOWS\SYSTEM32\cbxxwxx.dll
C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\SYSTEM32\gebxywv.dll
C:\WINDOWS\SYSTEM32\khffgfd.dll
C:\WINDOWS\SYSTEM32\ljjjhfd.dll
C:\WINDOWS\SYSTEM32\ljjkiii.dll
C:\WINDOWS\SYSTEM32\sqqugtfj.dll
C:\WINDOWS\SYSTEM32\ssqrqon.dll
C:\WINDOWS\SYSTEM32\wvuusqq.dll
C:\WINDOWS\SYSTEM32\xxyxvvv.dll
C:\WINDOWS\SYSTEM32\yayyyvw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\acbeg.bak1
C:\WINDOWS\SYSTEM32\acbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\acbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\acbeg.ini2
C:\WINDOWS\system32\acbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acbeg.tmp
C:\WINDOWS\system32\acbeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\byxyyvw.dll
C:\WINDOWS\SYSTEM32\byxyyvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cbxxwxx.dll
C:\WINDOWS\SYSTEM32\cbxxwxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\system32\gebca.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\gebxywv.dll
C:\WINDOWS\SYSTEM32\gebxywv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\khffgfd.dll
C:\WINDOWS\SYSTEM32\khffgfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ljjjhfd.dll
C:\WINDOWS\SYSTEM32\ljjjhfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ljjkiii.dll
C:\WINDOWS\SYSTEM32\ljjkiii.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sqqugtfj.dll
C:\WINDOWS\SYSTEM32\sqqugtfj.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssqrqon.dll
C:\WINDOWS\SYSTEM32\ssqrqon.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\wvuusqq.dll
C:\WINDOWS\SYSTEM32\wvuusqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\xxyxvvv.dll
C:\WINDOWS\SYSTEM32\xxyxvvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yayyyvw.dll
C:\WINDOWS\SYSTEM32\yayyyvw.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ssqrqon.dll
C:\WINDOWS\SYSTEM32\ssqrqon.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:02:31 PM 4/1/2007

Listing files found while scanning....

No infected files were found.

7) I am getting a RUNDLL error that says "Error loading" followed by an A (with a little line on top), a Y (with two dots on top) and then a square symbol, so it says "error loading aysquare".

8) I am getting a Themida pop-up that says a program is protected with this and can only be open for 20 minutes.


9) The CID Pop-ups seem to have stopped but other IE6 Popups are still happening.
Thanks in advance for all of your help. Celluloidheros
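The script below is an added example; it is not part of the thread and not the forum's or pskelley's tooling. It applies, to the HijackThis and VundoFix output above, the rules of thumb the thread turns on: an unnamed O2 BHO loading a random-named DLL straight out of system32, an O20 Winlogon Notify hook that is not a stock Windows component, an O23 service with no vendor string running from C:\WINDOWS, and the reversed-name companion file the VundoFix listing shows (acbeg.ini beside gebca.dll). The sample lines are copied from the logs in the post; the Winlogon Notify allow-list and the 5-8 letter name pattern are the editor's assumptions, not anything the thread states.

```python
"""Added example (not from the thread): triage heuristics for a HijackThis log
and a VundoFix file list.

Assumptions: KNOWN_WINLOGON_NOTIFY is what a stock XP SP2 box plus WGA
registers, and a bare 5-8 letter lowercase DLL name dropped directly into
system32 is treated as the Vundo naming pattern seen in the VundoFix log.
"""
import re
from typing import List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    section: str   # HJT section: "O2", "O20" or "O23"
    reason: str    # why the line was flagged
    line: str      # the raw HJT line


# Assumption: Winlogon Notify packages on a stock XP SP2 install, plus WGA.
KNOWN_WINLOGON_NOTIFY: Set[str] = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

# Vundo-style name: 5-8 letters, no digits, directly in system32
# (vtsqr, gebca, sqqugtfj ... in the VundoFix listing above).
RANDOM_SYS32_DLL = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\[a-z]{5,8}\.dll$", re.IGNORECASE)

_MISSING = " (file missing)"


def _strip_missing(path: str) -> Tuple[str, bool]:
    """Split off HijackThis's ' (file missing)' suffix; return (path, was_missing)."""
    if path.endswith(_MISSING):
        return path[:-len(_MISSING)], True
    return path, False


def triage_hjt(log: str) -> List[Finding]:
    """Flag suspicious O2 / O20 / O23 lines from HijackThis v1.99 output."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        parts = line.split(" - ", 3)      # e.g. "O2 - BHO: name - {CLSID} - path"
        if len(parts) < 3:
            continue
        section = parts[0]
        if section == "O2" and len(parts) == 4:
            name, (path, missing) = parts[1], _strip_missing(parts[3])
            if name == "BHO: (no name)" and RANDOM_SYS32_DLL.match(path):
                why = "unnamed BHO loading a random-named system32 DLL"
                if missing:
                    why += " (orphaned registration, file already removed)"
                findings.append(Finding(section, why, line))
        elif section == "O20" and parts[1].startswith("Winlogon Notify: "):
            key = parts[1][len("Winlogon Notify: "):]
            if key not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, "Winlogon Notify package not in the XP SP2 allow-list", line))
        elif section == "O23" and len(parts) == 4:
            owner, (path, _) = parts[2], _strip_missing(parts[3])
            # A service with no vendor string that also lives outside Program Files
            # (here: C:\WINDOWS\msngr.exe) is the entry the helper singled out.
            if owner == "Unknown owner" and not path.lower().startswith("c:\\program files\\"):
                findings.append(Finding(section, "service with no vendor string running outside Program Files", line))
    return findings


def reversed_name_pairs(paths: List[str]) -> Set[Tuple[str, str]]:
    """Pair non-DLL files whose base name, reversed, is a DLL base name in the same list.

    The VundoFix listing shows acbeg.ini / acbeg.tmp beside gebca.dll; this
    returns such (companion, dll) stem pairs.
    """
    dll_stems: Set[str] = set()
    other_stems: List[str] = []
    for p in paths:
        base = p.rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        (dll_stems.add if ext.lower() == "dll" else other_stems.append)(stem.lower())
    return {(s, s[::-1]) for s in other_stems if s[::-1] in dll_stems}


# Lines copied from the first HijackThis log in the post.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - C:\WINDOWS\system32\vtuvsqr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe
"""

# Subset of the VundoFix "files found" listing in the post.
VUNDOFIX_SAMPLE = [
    r"C:\WINDOWS\SYSTEM32\acbeg.bak1",
    r"C:\WINDOWS\system32\acbeg.ini",
    r"C:\WINDOWS\system32\acbeg.ini2",
    r"C:\WINDOWS\system32\acbeg.tmp",
    r"C:\WINDOWS\SYSTEM32\byxyyvw.dll",
    r"C:\WINDOWS\system32\gebca.dll",
    r"C:\WINDOWS\SYSTEM32\sqqugtfj.dll",
]

if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("reversed-name pairs:", reversed_name_pairs(VUNDOFIX_SAMPLE))
```

The allow-list approach for O20 is deliberate: Winlogon Notify DLLs load into winlogon.exe at every logon, so anything there that is not a known Windows package deserves a look regardless of its name. Orphaned "(file missing)" BHO registrations are reported as well, since they show which CLSIDs still need cleaning even after the DLL is gone.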

pskelley
2007-04-02, 16:43
Welcome to the forum, let me start you off with this information:
http://torrentfreak.com/bitroll-bittorrent-client-installs-malware/

Well, you have a mess. There is a Vundo infection that can be tough to get rid of, but this is the one that concerns me:

C:\WINDOWS\msngr.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe
http://www.castlecops.com/o23list-2446.html
http://www.virusbuster.hu/en/viruslab/descriptions/small.gcj

I have not encountered this trojan before, but the information makes it a lot more dangerous than Vundo creating popups. I really need to give you this information, because this is a backdoor trojan.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks

Here is some recent information about Vundo:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html

celluloidheros
2007-04-02, 18:48
Hello, and thanks for the help. I really don't keep any important banking info on this computer; I do, however, access my bank account once in a while to pay bills. Are you saying that it is not possible to clean my computer and that a fresh Windows XP load is the best way to get going? I hesitate to do this only because getting back all the programs that I have downloaded over the years may take some time, but I am willing to do it if I must.

Many of these logs were taken before I tried to remove the issues. Is there a chance that I can try to clean out the infection and then look at the logs again?

I did not try to fix the issues with Panda or Trendline.

You guys are the experts, so I will do what you say. If I need to reformat, I need to get all the disks that I will need to reload programs.

Thanks, CH

pskelley
2007-04-02, 19:12
I am sorry if I confused you; this stuff is new to me also. I have removed malware for years, but this new stuff is another ballgame. Criminals around the world are involved, and all I can do is give you the information and the suggestions of experts. I can help remove the junk; I just can never guarantee your computer will be safe. There is a load of information online to help you decide; use Google to search. While it appears you may have removed Vundo, and it is a real piece of junk, it is not the backdoor trojan.
This is all of the information that seems to be available for this trojan right now, read the information to help you decide:
http://www.google.com/search?hl=en&q=Backdoor.Small.GCJ&btnG=Google+Search
Here is a good link to help you think about what can be done.
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

If you want me to help you clean the junk, post that request along with a fresh HJT log.

Thanks

celluloidheros
2007-04-02, 21:35
Hi PSKelley, thanks for the info. When I get home I will rerun the programs and post new logs. I am getting this odd error that says RUNDLL errors cannot load "AYSquare". The A has an accent line on top, the Y has the two umlaut dots on top, and the square is an actual picture of a square. I am not sure how to clean with each of these programs but will do my best and post another log file from each. Thanks, CH

pskelley
2007-04-02, 22:07
I am going to suggest, if you want to clean the computer, you do nothing but run and post a HJT log.

Thanks

celluloidheros
2007-04-02, 22:13
Great PSKelley, got it. I will be home in an hour and will run HJK.exe and post the log file for you to look at. At least my work computer here is running well.

What is it about HJK that makes it the info program of choice? I know that it runs very fast, but it does not seem to be going through all areas of the computer, just certain key areas.

Thanks again, Celluloidheros

celluloidheros
2007-04-03, 03:13
Hello, I ran Vundo and all the DLL files that it removed were there again, so they must be reloading. There was one like vtuvsQr.dll that could only be removed when I rebooted. The files then try to reinstall, but my SpywareGuard stops them. Here is the HJK file; I selected the msngr.exe file and hit the fix button.


Logfile of HijackThis v1.99.1
Scan saved at 9:11:23 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJK ThiS\HijkThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O2 - BHO: (no name) - {6E56538B-4D8B-42FE-B362-6B0CF52FCF97} - C:\WINDOWS\system32\awtqo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A1B2BEC5-8E3B-48BD-A232-A945BC836CCa} - C:\WINDOWS\system32\wwojokki.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {AC2E0F4E-6D3F-4896-9B47-B16E08BC260D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {DB79A386-1ADF-4218-BDE6-25DD2CA739B4} - C:\WINDOWS\system32\gebca.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe

2) Here is the ActiveScan log. I did not buy the Panda fix to remove these.


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\sqqugtfj.dll.bad
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don Crandall\Desktop\SmitfraudFix\Process.exe
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@ads.addynamix[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@advertising[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@stat.onestat[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.dist.belnk.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[ad.yieldmanager.com/]

I will post the Vundofix log when i run it again, Thanks for your help. CH

celluloidheros
2007-04-03, 03:15
I noticed that my IE6 browser is trying to go to the WINantispyware site; it must still have a bug that's doing this. It's funny, a bug that is trying to take me to a site that will remove it. THX, CH

celluloidheros
2007-04-03, 05:34
Here is the Trend Micro System Cleaner log:
/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-04-02, 22:29:06, Auto-clean mode specified.
2007-04-02, 22:29:06, Running scanner "C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\TSC.BIN"...
2007-04-02, 22:29:17, Scanner "C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\TSC.BIN" has finished running.
2007-04-02, 22:29:17, TSC Log:

2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Custom File Info Panels\Sample File Info Panels\l": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Optional Plug-Ins\Ffactory\Transparency Examples\ml": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Optional Plug-Ins\Photoshop Only\File Formats\": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Optional Plug-Ins\Photoshop Only\HSBHSL\": The system cannot find the file specified.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Optional Plug-Ins\Photoshop Only\Optional Extensions\\\": Not enough storage is available to process this command.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Horizontal Blue & Gray\*.*": Not enough storage is available to process this command.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Horizontal Dark\.*": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Horizontal Frame\.*": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Horizontal Light\.*": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Horizontal Patterned\.*": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Table\images\.*": The system cannot find the path specified.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Table - Blue\.*": The system cannot find the path specified.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Vertical Frame\.*": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Vertical Slide Show 1\.*": Not enough storage is available to process this command.
2007-04-02, 22:29:20, An error was detected on "C:\Documents and Settings\Don Crandall\My Documents\Azureus Downloads\torrent\Adobe Photoshop CS2\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen\Goodies\Web Photo Gallery Templates\Vertical Slide Show 2\": The filename or extension is too long.
2007-04-02, 22:29:20, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2007-04-02, 22:56:35, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/2/2007 22:29:20
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 385 (172515 Patterns) (2007/04/02) (438500)
Command Line: C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Don Crandall\Desktop\trend sys clean

C:\System Volume Information\_restore{5F49E82A-9B2F-45C6-8A63-00DC595EED65}\RP476\A0055614.exe [BKDR_Generic]
42771 files have been read.
42771 files have been checked.
38535 files have been scanned.
70266 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/2/2007 22:56:35
---------*---------*---------*---------*---------*---------*---------*---------*
2007-04-02, 22:56:35, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/2/2007 22:29:20
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 385 (172515 Patterns) (2007/04/02) (438500)
Command Line: C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Don Crandall\Desktop\trend sys clean

Success Clean [ BKDR_Generic]( 1) from C:\System Volume Information\_restore{5F49E82A-9B2F-45C6-8A63-00DC595EED65}\RP476\A0055614.exe
42771 files have been read.
42771 files have been checked.
38535 files have been scanned.
70266 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/2/2007 22:56:35 27 minutes 14 seconds (1633.58 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-04-02, 22:56:35, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/2/2007 22:29:20
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 385 (172515 Patterns) (2007/04/02) (438500)
Command Line: C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Don Crandall\Desktop\trend sys clean

42771 files have been read.
42771 files have been checked.
38535 files have been scanned.
70266 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/2/2007 22:56:35 27 minutes 14 seconds (1633.58 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-04-02, 22:56:35, Scanner "C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN" has finished running.
2007-04-02, 22:56:42, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/2/2007 22:56:36
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 385 (172515 Patterns) (2007/04/02) (438500)
Command Line: C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Don Crandall\Desktop\trend sys clean

348 files have been read.
348 files have been checked.
134 files have been scanned.
134 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/2/2007 22:56:42
---------*---------*---------*---------*---------*---------*---------*---------*
2007-04-02, 22:56:42, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/2/2007 22:56:36
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 385 (172515 Patterns) (2007/04/02) (438500)
Command Line: C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Don Crandall\Desktop\trend sys clean

348 files have been read.
348 files have been checked.
134 files have been scanned.
134 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/2/2007 22:56:42 3 seconds (2.67 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-04-02, 22:56:42, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/2/2007 22:56:36
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 385 (172515 Patterns) (2007/04/02) (438500)
Command Line: C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Don Crandall\Desktop\trend sys clean

348 files have been read.
348 files have been checked.
134 files have been scanned.
134 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/2/2007 22:56:42 3 seconds (2.67 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-04-02, 22:56:42, Scanner "C:\Documents and Settings\Don Crandall\Desktop\trend sys clean\VSCANTM.BIN" has finished running.


Here is the Panda log


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\sqqugtfj.dll.bad
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don Crandall\Desktop\SmitfraudFix\Process.exe
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@ads.addynamix[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@advertising[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Don Crandall\Cookies\don crandall@stat.onestat[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[.dist.belnk.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Don Crandall\Application Data\Mozilla\Firefox\Profiles\oah2x1ml.default\COOKIES.TXT[ad.yieldmanager.com/]

Thanks again, CH

pskelley
2007-04-03, 12:59
Thanks for returning your HJT log and the feedback. Vundo is a particularly hard item to remove; so much is hidden, and you must kill it all. That being said, please read these instructions and follow them carefully and exactly.

Thanks to andymanchesta and anyone else who helped with the fix.

1) Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks to Atribune and any others who helped with this fix.

2) Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Have been deleted"
Here is the Vundo infection that is showing in your HJT log.
O2 - BHO: (no name) - {6E56538B-4D8B-42FE-B362-6B0CF52FCF97} - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

Restart the computer and post the Report.txt from SDFix, the C:\vundofix.txt, a new HijackThis log and any comments you think will help. We will have more to do.

Thanks

For your information:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
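As an added illustration of the indicators pskelley points to above (not code from this thread or from any of the tools named in it), here is a small Python triage script run over constructed HijackThis-format lines. The heuristics it applies (an unnamed O2 BHO loaded from system32, an orphaned "(file missing)" entry, an O20 Winlogon Notify hook sharing a DLL with a BHO, and the reversed-name companion files seen in this thread's VundoFix output) are assumptions drawn from the logs posted here; anything it flags still needs a person to judge before removal.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 format, modelled on the entry shapes
# posted in this thread: a named vendor BHO, an unnamed BHO outside system32
# (Spybot's SDHelper), an orphaned unnamed BHO, an unnamed BHO in system32,
# and an O20 Winlogon Notify hook pointing at that same DLL.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O2 - BHO: (no name) - {6E56538B-4D8B-42FE-B362-6B0CF52FCF97} - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# O2: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20: "O20 - Winlogon Notify: <key> - <path>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Companion-file extensions that sit beside the reversed-name DLL in the
# VundoFix output quoted in this thread (awtqo.dll <-> oqtwa.bak1/.ini2/.tmp).
COMPANION_EXTS = (".bak1", ".ini2", ".tmp")


def parse_entries(log_text: str) -> List[Dict[str, object]]:
    """Return the O2 and O20 lines as dicts: section, label, path, missing, line."""
    entries: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "label": m["name"], "path": m["path"],
                            "missing": bool(m["missing"]), "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "label": m["key"], "path": m["path"],
                            "missing": bool(m["missing"]), "line": line})
    return entries


def in_system32(path: str) -> bool:
    """Case-insensitive check for a path under a system32 directory."""
    return "\\system32\\" in path.lower()


def companion_names(dll_path: str) -> List[str]:
    """Reversed-stem companion files worth looking for next to a suspect DLL."""
    stem = ntpath.splitext(ntpath.basename(dll_path))[0]
    return [stem[::-1] + ext for ext in COMPANION_EXTS]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspect path (lower-cased) to the list of reasons it was flagged."""
    entries = parse_entries(log_text)
    bho_paths = {str(e["path"]).lower() for e in entries if e["section"] == "O2"}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        path = str(e["path"]).lower()
        reasons: List[str] = []
        if e["missing"]:
            reasons.append("orphaned entry (file missing)")
        if e["section"] == "O2" and e["label"] == "(no name)" and in_system32(path):
            reasons.append("unnamed BHO loaded from system32")
        if e["section"] == "O20" and path in bho_paths:
            reasons.append("Winlogon Notify hook shares a DLL with a BHO")
        if reasons:
            findings.setdefault(path, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_HJT_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
        print("   companions to check:", ", ".join(companion_names(path)))
```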

celluloidheros
2007-04-03, 14:51
Wow, I really appreciate all of your special help. I will not be home until 5 pm EST tonight and I will start then. Thanks again. CH

celluloidheros
2007-04-04, 02:55
Okay, here goes. Thanks for helping me in my hour of need!
--------------------------------------------------------------------------
SDFix log

SDFix: Version 1.76

Run by Don Crandall - Tue 04/03/2007 - 19:01:06.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
WSMSPSVC

ImagePath:
"C:\WINDOWS\msngr.exe"

WSMSPSVC Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\msngr.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ad Muncher\\AdMunch.exe"="C:\\Program Files\\Ad Muncher\\AdMunch.exe:*:Enabled:AdMunch"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\DssEvolution.com\KeyRipper\Setup.ini
C:\Program Files\DssEvolution.com\KeyRipper\Setup.exe
C:\Documents and Settings\Don Crandall\Favorites\Channels\Business\The Quicken.com Channel\desktop.ini
C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\System Volume Information\_restore{5F49E82A-9B2F-45C6-8A63-00DC595EED65}\RP472\A0049317.dll
C:\System Volume Information\_restore{5F49E82A-9B2F-45C6-8A63-00DC595EED65}\RP472\A0049318.dll
C:\Program Files\DssEvolution.com\KeyRipper\Setup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Don Crandall\Desktop\msgr\msngr.exe
C:\System Volume Information\_restore{5F49E82A-9B2F-45C6-8A63-00DC595EED65}\RP472\A0049316.exe
C:\System Volume Information\_restore{5F49E82A-9B2F-45C6-8A63-00DC595EED65}\RP472\A0049319.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\Don Crandall\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Don Crandall\Application Data\Microsoft\Word\~WRL0857.tmp
C:\Documents and Settings\Don Crandall\Application Data\Microsoft\Word\~WRL0282.tmp
C:\Documents and Settings\Don Crandall\Application Data\Microsoft\Word\~WRL0006.tmp
C:\Documents and Settings\Don Crandall\Application Data\Microsoft\Word\~WRL3829.tmp
C:\Documents and Settings\Don Crandall\Application Data\Microsoft\Word\~WRL3395.tmp

Finished
--------------------------------------------------------------------------
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.11
Scan started at 9:16:38 PM 4/2/2007
Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awtqo.dll
C:\WINDOWS\SYSTEM32\gebawww.dll
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\SYSTEM32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\SYSTEM32\yayyvvs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtqo.dll
C:\WINDOWS\SYSTEM32\awtqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\gebawww.dll
C:\WINDOWS\SYSTEM32\gebawww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\oqtwa.ini2
C:\WINDOWS\SYSTEM32\oqtwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\system32\oqtwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yayyvvs.dll
C:\WINDOWS\SYSTEM32\yayyvvs.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.11
Scan started at 10:09:12 PM 4/2/2007
Listing files found while scanning....
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.11
Scan started at 11:13:51 PM 4/2/2007
Listing files found while scanning....
VundoFix V6.3.18
Checking Java version...

Java version is 1.5.0.11

Scan started at 11:48:08 PM 4/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.11

Scan started at 7:26:51 PM 4/3/2007

Listing files found while scanning....

No infected files were found.

-------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:55:25 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJK ThiS\HijkThiss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O2 - BHO: (no name) - {6E56538B-4D8B-42FE-B362-6B0CF52FCF97} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A1B2BEC5-8E3B-48BD-A232-A945BC836CCa} - C:\WINDOWS\system32\wwojokki.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {AC2E0F4E-6D3F-4896-9B47-B16E08BC260D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {DB79A386-1ADF-4218-BDE6-25DD2CA739B4} - C:\WINDOWS\system32\gebca.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--------------------------------------------------------------------------
SmitFraudFix v2.162

Scan done at 20:05:32.90, Tue 04/03/2007
Run from C:\Documents and Settings\Don Crandall\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900 PCI Fast Ethernet Adapter
DNS Server Search Order: 24.92.226.9
DNS Server Search Order: 24.92.226.102

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDA00FD2-2DFE-4B7C-ACFE-BA9A465FED7F}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-04-04, 12:11
Thanks for returning your information. I need to tell you that I never requested that you run Smitfraudfix; the fix can damage your Desktop when run on an uninfected machine. Please follow my directions exactly.

1) C:\Program Files\Java\jre1.5.0_11\ please check your Java program for an update ASAP.
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O2 - BHO: (no name) - {6E56538B-4D8B-42FE-B362-6B0CF52FCF97} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {A1B2BEC5-8E3B-48BD-A232-A945BC836CCa} - C:\WINDOWS\system32\wwojokki.dll
O2 - BHO: (no name) - {AC2E0F4E-6D3F-4896-9B47-B16E08BC260D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {DB79A386-1ADF-4218-BDE6-25DD2CA739B4} - C:\WINDOWS\system32\gebca.dll (file missing)
(if you know why the next item is there, you may leave it)
O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50

(you may check and remove any of the O16 - DPF: items you are done with)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\wwojokki.dll <<< delete that file if there
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, let me know how the computer is running now.

Thanks
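As an added illustration (not code from the thread, from HijackThis or from the helper), the triage below does programmatically what step 4 does by eye: it reads HijackThis v1.99.1 log lines, flags unnamed O2 BHOs that are orphaned or load from system32, and flags O23 services marked "(file missing)", cross-checking those against the log's own "Running processes" list so that a quoted command line is not mistaken for a missing binary. The sample log is constructed from lines that appear in this thread.

```python
import re

# Added example, not code from the thread or from HijackThis: a triage pass
# over HijackThis v1.99.1 log lines that flags the kinds of entries the helper
# picked out by hand and cross-checks "(file missing)" against the process list.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")

# Constructed sample assembled from lines that appear in the thread's logs.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\sqqugtfj.dll (file missing)
O2 - BHO: (no name) - {A1B2BEC5-8E3B-48BD-A232-A945BC836CCa} - C:\WINDOWS\system32\wwojokki.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
"""


def running_processes(log_text):
    """Return the lower-cased paths listed under 'Running processes:'."""
    procs, in_section = set(), False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.add(line.strip().lower())
    return procs


def triage(log_text):
    """Return (line, reason) pairs for entries worth a second look."""
    procs = running_processes(log_text)
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            unnamed = m.group("name") == "(no name)"
            if unnamed and m.group("missing"):
                findings.append((line, "orphaned BHO: CLSID {%s} has no file behind it" % m.group("clsid")))
            elif unnamed and "\\system32\\" in m.group("path").lower():
                findings.append((line, "unnamed BHO loading from system32: check publisher and hash"))
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            # Take the executable before any closing quote and arguments.
            exe = m.group("path").split('"')[0].strip().lower()
            if exe in procs:
                findings.append((line, "'file missing' but %s is in the process list: likely a quoted command line, not a missing binary" % exe))
            else:
                findings.append((line, "service registered for a binary that is not on disk"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(reason, "<-", entry)
```

Run against the sample it reports four entries: the two unnamed system32 BHOs, the ccEvtMgr line downgraded because ccSvcHst.exe is running, and the SABSVC service whose binary really is gone.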

celluloidheros
2007-04-04, 14:30
Hello, I want to thank you again for the help. Everything went okay except it would not let me delete the file (C:\WINDOWS\system32\wwojokki.dll). It would let me rename it, but I put it back to its original name as you did not tell me to rename it. I also noticed that the computer is shutting down and rebooting very slowly; at first I thought a program was running, but I rebooted a few times. It takes about 10 minutes to turn off and 10 or more to turn back on again. I wonder if my Microsoft bootvis program is malfunctioning or corrupted? Anyway, I stayed home from work for an hour or so to try to get a jump on this. The pop-ups seem to have gone away, thanks for that! I will come back at 12 noon to see how it's running. Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:30:55 AM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJK ThiS\HijkThiss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

pskelley
2007-04-04, 14:59
Thanks for the feedback. The file is probably running, and Windows does not know the good ones from the bad one. Safe Mode will normally allow you to delete it, but let's try this tool:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\system32\wwojokki.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Try this for a corrupted file, just in case:
http://www.updatexp.com/scannow-sfc.html

Have a look at this information:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.aumha.org/win4/a/shutdown.php
http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Windows-Shutdown.html

The HJT log appears clean of malware, the information here may help you:
Managing the Programs That Run When Windows Starts Up
http://www.netsquirrel.com/msconfig/
http://vlaurie.com/computers2/Articles/startup.htm

After a nasty infection like this, you want to do a complete maintenance on the computer.

Thanks

celluloidheros
2007-04-04, 21:43
Hello, I have performed the tasks you mentioned and the wwojokki.dll file seems to be deleted. I noticed that HijackThis has made backups of the files that I deleted; should I get rid of these?

Here is my system info:

AMD Athlon XP 2400+ 2.01 GHz, 1 GB RAM

It seems that the pop-ups etc. are gone; the biggest issue is the shutdown/boot-up time. I read the articles you posted and tried some of the fixes, so far no luck. I am timing the cycle to get an idea of how long it takes. To restart takes about 20 minutes total to come back up fully.

Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:37:31 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HJK ThiS\HijkThiss.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

I will keep trying to get the computer to boot quicker, thanks for your help! If there is anything that I can do to help you or other people let me know. THX, CH

The SDFIX.EXE really seemed to work great along with your instructions.

pskelley
2007-04-04, 22:08
Delete all of the tools we used for the fix, the one exception being ATF-Cleaner. You may keep that nice small tool if you wish. Let's do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

You may have another problem besides malware, run a free diagnostic here:
http://www.pcpitstop.com/ If you don't understand the results register free and post your questions here:
http://pcpitstop.invisionzone.com/index.php?showforum=6
Here is a tutorial if it helps: http://www.pcpitstop.com/techexpress/howto1.asp
When you get the results post a link to them for me to view, I may spot something.

Thanks

celluloidheros
2007-04-04, 22:41
Great work everyone, I'll do as instructed and post results. Thanks, CH

celluloidheros
2007-04-04, 23:02
One thing I just noticed is that when I do a Ctrl-Alt-Del to bring up the Task Manager, the top part with the 3 tabs is missing for some reason. I can see the three buttons (End Task, Switch To and New Task), but the tabs on the top are gone. I can still close it by right-clicking the icon in the system tray. Thanks again, CH

pskelley
2007-04-04, 23:17
Have a look here: http://www.kellys-korner-xp.com/xp.htm
Click on "Tweaks" to your left.

celluloidheros
2007-04-05, 17:12
Thanks, I found out that the Task Manager can run in minimized mode, and if you double-click the top right border it all comes back; I must have accidentally got it into this mode. I need a little more time to go through my computer to run the PC Pitstop etc. to see if it's totally better. Much thanks to all that helped me, awesome job. CH

pskelley
2007-04-15, 12:39
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks