View Full Version : IE Hijacked & Virus Infection
KiwiSkydive
2007-04-16, 13:10
Hi Folks,
Seeking some help. Not sure if this is two issues or they are related.
1. Internet Explorer is being hijacked mainly to a site www.all-search-it.com/......
Whenever IE is opened it almost immediately opens another window to this or other sites. I have also noticed that when it goes to the above site, I have a button on the IE window “Please click here to Proceed to the web site”
I have been avoiding using IE much as possible, using Opera 9.2
2. also getting frequent reports from CA Anti Virus that it has found Win32/Darksma.X and deleted it. Seems of late mainly when booting up.
I have followed the instructions noted in various threads within this forum to find and remove, without success. I have downloaded and run Spybot, hijack etc. When I try and get HiJack to save the log, it exits an I'm unable to find the log.
I'm Running XP Home Ver 5.1 (Build 2600.xpsp_sp2_gdr.070227-2254 : Service Pack 2) On a Pentium 4 2.4Ghz 512Mb Ram.
Three Hard Drives C: System (8.01Gb), D: Windows & Programs (74.5Gb), E: Programs & Data (74.5Gb)
Any help/advice would be greatly appreciated. Many thanks
pskelley
2007-04-17, 16:30
G'Day and welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions and post all required logs or reports, anything less will slow your process. Use "Post Reply" to post the information in the instructions and stay in the same topic.
I can not say if I can help you or not until I view the information described in the above link. I can show you this:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=56877
Cheers
KiwiSkydive
2007-04-18, 12:35
Hi, Thanks for the offer to help. Yes I still need help and haven't logged this request on any other site.
Now down to the issues. I have read "the before you post" thread. With referance to #2.
Have downloaded Spybot R & D Ver 1.4
Step 1, Unable to run an on-line virus scan, have tried several, each requires to be run from IE, can go to the site not problem, but when I click the scan button nothing happens!!
Step 2 & 3, carried out and reported several problems that were fixed, I copies of the reports before and after.
Step 4, Downloaded HJT Ver 1.99.1, placed it in C:/VirusCleaning/HijackThis.
Run following directions everything appears to be working correctly until I press the Save Log button, a brief pause then the program is closed and I'm unable to locate the log file anywhere.
Below is Spybot report Normal Mode.
SpywareBOT: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-602162358-682003330-1004\Software\SpywareBot
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-602162358-682003330-1004\Software\Microsoft\aldd
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15
Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
NewsUpdate: Configuration file (File, fixed)
D:\WINDOWS\ctnet.ini
NewsUpdate: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Creative Tech\Software Installed\News
NewsUpdate: Program directory (Directory, fixed)
D:\Program Files\Creative\News\
NewsUpdate: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CTMARQ.CTMarqCtrl.1
NewsUpdate: Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8614A944-FF72-11D0-9BA1-00AA00464A16}
NewsUpdate: Class ID (CTMarq Property Page) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8614A945-FF72-11D0-9BA1-00AA00464A16}
NewsUpdate: Interface (_DCTMarq) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8614A942-FF72-11D0-9BA1-00AA00464A16}
NewsUpdate: Interface (_DCTMarqEvents) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8614A943-FF72-11D0-9BA1-00AA00464A16}
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: kmjas) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
SystemDoctor2006: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
Winsoftware: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
Smitfraud-C.Toolbar888: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
LinkSynergy: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
MediaPlex: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
FastClick: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
DoubleClick: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
Winsoftware: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
ReliableStats: Tracking cookie (Internet Explorer: kmjas) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-04-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-11 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-04-11 Includes\DialerC.sbi (*)
2007-04-04 Includes\Hijackers.sbi (*)
2007-04-11 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-04-11 Includes\KeyloggersC.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-04-11 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-04-11 Includes\PUPSC.sbi (*)
2007-04-11 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-04-11 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-04-11 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-04-11 Includes\Trojans.sbi (*)
2007-04-11 Includes\TrojansC.sbi (*)
Below is Spybot Report Safe mode, done after above.
--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-602162358-682003330-1004\Software\Microsoft\aldd
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-04-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-11 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-04-11 Includes\DialerC.sbi (*)
2007-04-04 Includes\Hijackers.sbi (*)
2007-04-11 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-04-11 Includes\KeyloggersC.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-04-11 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-04-11 Includes\PUPSC.sbi (*)
2007-04-11 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-04-11 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-04-11 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-04-11 Includes\Trojans.sbi (*)
2007-04-11 Includes\TrojansC.sbi (*)
So I have tried to follow the instructions but am having problems. Any suggestions where to go from here?
Thanks
pskelley
2007-04-18, 13:28
G'Day, I wish I had a fast answer for you, I need to have the informtion in the HJT log and probably an antivirus scan also, won't know until I see the HJT log. At this point I know little about your system. Do you have the Windows Operating System CD in the event reinstalling is needed?
Step 4, Downloaded HJT Ver 1.99.1, placed it in C:/VirusCleaning/HijackThis.
Run following directions everything appears to be working correctly until I press the Save Log button, a brief pause then the program is closed and I'm unable to locate the log file anywhere.Open HJT and choose "Do a System Scan and save a logfile. Wait...the logfile will be presented in Notepad form. Then click Edit > Select All at the top of that Notepad. Copy/paste the highlited information to your topic.
Try looking here: C:/VirusCleaning/HijackThis <<< in the folder you have called viruscleaning. The Notepad will say hijackthis.log. Open it and follow the proceedure I outlined above.
Please read the instructions again so you will not post information I do not need. No instructions for posting a Spybot log are given, please post only the information I request.
Cheers
KiwiSkydive
2007-04-19, 12:50
Hi,
Finally got HJT to work, here is the log.
Logfile of HijackThis v1.99.1
Scan saved at 17:38:57, on 19/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\svchost.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\INCRED~1\bin\IMApp.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\Program Files\IncrediMail\bin\IncMail.exe
D:\WINDOWS\system32\taskmgr.exe
D:\WINDOWS\explorer.exe
D:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
D:\Opera\Opera.exe
C:\VirusCleaning\HijackThis.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [cctray] "E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [EEventManager] D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [IntelliPoint] "d:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "D:\WINDOWS\system32\sfeojlyl.dll",setvm
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
Yes I have Windows Install CD, if required.
Still having the same problem with doing an Online Virus scan, all the ones I have tried require IE Ver 4 or greater to run, they don't appear to be able to run in any other browser:banghead:
Recently on startup I have been getting the following error message.
RUNDLL
Error Loading D:/Windows/System32/sfeojlyl.dll
Specified Module could not be found.
I don't know if this is related to virus? problem.
I have run my Anti virus program CA Anti virus and it has only reported a virus that I know about JS/KAK. The file concerned is quarantined. I need to keep the file as it has important data contained it.
Trust this info assists
Thanks
pskelley
2007-04-19, 13:25
Thanks for the HJT log, let's try to do this manually first. See this:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
SpywareBot spywarebot.com
antispyware.com exploits name "Spybot Search & Destroy"; same app as AdwareAlert [A: 5-14-06 / U: 1-9-07]
Not sure what to tell you about the infected file in quarantine? I would try to disinfect it with your AV program and if that failed, delete it...your call.
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "D:\WINDOWS\system32\sfeojlyl.dll",setvm
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
E:\Program Files\SpywareBot\ <<< delete that folder
D:\WINDOWS\system32\sfeojlyl.dll <<< delete that file
Follow the directions in this link to download, install, updated and run AVG Anti-Spyware 7.5. Make sure you choose to delete or at least quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the scan report, a new HJT log and any coments you think will help. How is the computer running now?
Thanks
KiwiSkydive
2007-04-20, 17:58
Hi, Have followed instructions.
Comments
1 I'll keep the infected file quarantined, as it/they have been stored on my computer/s for several years and to date have not
caused a problem, thanks for the advice.
2 No changes made in Folder Options as these are my default settings.
3 Unable to locate these folders/files
E:\Program Files\SpywareBot\ <<< delete that folder
D:\WINDOWS\system32\sfeojlyl.dll <<< delete that file
These Were gone after HJT instructions followed.
4 AVG Scan report below
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 23:38:45 20/04/2007
+ Scan result:
E:\System Volume Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP40\A0009195.exe -> Adware.DashBar : Cleaned.
D:\System Volume Information\_restore{C461DE8B-E17A-4A6F-A17F-1F19B7A00179}\RP2\A0000337.exe ->
Not-A-Virus.Downloader.Win32.ImLoader.b : Cleaned.
E:\System Volume Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP11\A0005823.exe ->
Not-A-Virus.Downloader.Win32.ImLoader.b : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@track.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
::Report end
5 HJT Report
Logfile of HijackThis v1.99.1
Scan saved at 00:08:02, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\WINDOWS\system32\devldr32.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
D:\Opera\Opera.exe
D:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\VirusCleaning\HijackThis.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [cctray] "E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [EEventManager] D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [IntelliPoint] "d:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA
Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
6. While the AVG scan was running CA Anti Virus reported the following.
2007/04/20 23:07:10.546 File infection: D:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP37\A0008935.dll is Win32/Vundo!generic trojan. Deleted
2007/04/20 23:07:11.406 File infection: D:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP37\A0008935.dll is Win32/Vundo!generic trojan.
2007/04/20 23:07:12.171 File infection: D:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP37\A0008935.dll is Win32/Vundo!generic trojan.
2007/04/20 23:07:25.578 File infection: D:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP40\A0009223.exe is Win32/Chisyne.BC trojan. Deleted
2007/04/20 23:07:27.046 File infection: D:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP40\A0009223.exe is Win32/Chisyne.BC trojan.
2007/04/20 23:07:27.796 File infection: D:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP40\A0009223.exe is Win32/Chisyne.BC trojan.
2007/04/20 23:33:32.156 File infection: E:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP37\A0008787.exe is Win32/Chisyne.BC trojan. Deleted
2007/04/20 23:33:32.828 File infection: E:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP37\A0008787.exe is Win32/Chisyne.BC trojan.
2007/04/20 23:33:32.953 File infection: E:\System Volume
Information\_restore{DFA7E683-0066-4EE3-BF19-ECC1AA4C6918}\RP37\A0008787.exe is Win32/Chisyne.BC trojan.
7. Have just opened IE, and the same problem still exists, my default page About.Blank, Went to Google and as soon as Google opened, there was internet activity and the the following page opened, unrequested.
http://www.systemdoctor.com/download/2006/index.php?ax=1&ex=1&mpt=1177080562&aid=nm_ik_wav_r5&lid=&affid=nm_67277_b0dd86f2dcbb11dbb9be00167647fa98_aca45c33+1d70394b380f461c817b3d1b69deb8f3
Seems like I can only use Opera with any degree of safety.
Back to you for comments.
Thanks
pskelley
2007-04-20, 18:11
Please take a moment to read the instructions, when they are followed things will run well:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance http://forums.spybot.info/showthread.php?t=288
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
It is preferable, and the log easier to read, if you do not use the [code] or [php] options.
C:\VirusCleaning\HijackThis.exe <<< return here and rename HJT to KiwiSkydive.exe or whatever you wish. Since you are being sent to SystemDoctor, it is likely we have a Vundo infection to deal with.
Restart the computer and post a new HJT log.
Thanks
KiwiSkydive
2007-04-21, 11:21
Apologies for not correctly reading the instructions.
HJT renamed to FindInfo.exe.
Logfile of HijackThis v1.99.1
Scan saved at 17:49:52, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\svchost.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\devldr32.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Opera\Opera.exe
D:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
C:\VirusCleaning\FindInfo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tiwnmcnk.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - D:\WINDOWS\system32\ssqqnkk.dll (file missing)
O2 - BHO: (no name) - {1DB5C157-4C60-40F7-8DD7-6F85C0C404C4} - D:\WINDOWS\system32\skehilmn.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - D:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\VirusCleaning\Spybot\SDHelper.dll
O2 - BHO: (no name) - {89421CE8-CF09-4DA2-8652-9095A9A503B2} - D:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EB7C9E25-BB6D-4D70-95AC-02B15F921446} - D:\WINDOWS\system32\awvtu.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [cctray] "E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [EEventManager] D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [IntelliPoint] "d:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awvtu - D:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: ddayy - D:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: gebyyyw - gebyyyw.dll (file missing)
O20 - Winlogon Notify: ssqqnkk - ssqqnkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
pskelley
2007-04-21, 14:19
Thanks, if I post information twice, I apologize, this is a tough infection to remove and instuctions need to be followed exactly. You do still have the active Vundo infection, this is what it looks like in your HJT log:
O2 - BHO: (no name) - {EB7C9E25-BB6D-4D70-95AC-02B15F921446} - D:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: awvtu - D:\WINDOWS\system32\awvtu.dll
There may be more hidden, please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
1) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
Thanks to Atribune and any others who helped with this fix.
3) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Once all Vundo "has been deleted" then move on to these instructions:
4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tiwnmcnk.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - D:\WINDOWS\system32\ssqqnkk.dll (file missing)
O2 - BHO: (no name) - {1DB5C157-4C60-40F7-8DD7-6F85C0C404C4} - D:\WINDOWS\system32\skehilmn.dll
O2 - BHO: (no name) - {89421CE8-CF09-4DA2-8652-9095A9A503B2} - D:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: (no name) - {EB7C9E25-BB6D-4D70-95AC-02B15F921446} - D:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: awvtu - D:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: ddayy - D:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: gebyyyw - gebyyyw.dll (file missing)
O20 - Winlogon Notify: ssqqnkk - ssqqnkk.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) Use the instructions in the link to run ANG Anti-Spyware, delte or at least quarantine anything it find and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the Vundofix report, the scan report from AVG Anti-Spyware and a new HJT log.
Thanks
KiwiSkydive
2007-04-22, 10:16
Have followed instructions as requested - details below.
Action 1 Windows Defender
I have Ver 1.1.1593.0
Went to Tools - Settings - options and Unchecked "Use Real-time Protection (Recommended)
Saved and exited.
Action 2 AVG Status changed
Action 3 Vundo
Followed instructions. I note that I now have a folder D:\Vundofix Backups, with the below listed DLL's with the ext .bad
stored in it.
VundoFix V6.3.19
Checking Java version...
Sun Java not detected
Scan started at 10:59:42 22/04/2007
Listing files found while scanning....
D:\WINDOWS\system32\awvtu.dll
D:\WINDOWS\system32\daluhxru.dll
D:\WINDOWS\system32\ddayy.dll
D:\WINDOWS\system32\gebyyyw.dll
D:\WINDOWS\system32\gfthaaxg.dll
D:\WINDOWS\system32\ivwugcvi.dll
D:\WINDOWS\system32\kofjehqn.dll
D:\WINDOWS\system32\nvwiykmu.dll
D:\WINDOWS\system32\qlybxxwa.dll
D:\WINDOWS\system32\rmaiomth.dll
D:\WINDOWS\system32\spabqhpl.dll
D:\WINDOWS\system32\ssqqnkk.dll
D:\WINDOWS\system32\utvwa.bak1
D:\WINDOWS\system32\utvwa.bak2
D:\WINDOWS\system32\utvwa.ini
D:\WINDOWS\system32\uuheqhyv.dll
D:\WINDOWS\system32\wwykipqt.dll
D:\WINDOWS\system32\yyadd.bak1
D:\WINDOWS\system32\yyadd.bak2
D:\WINDOWS\system32\yyadd.ini
Beginning removal...
Attempting to delete D:\WINDOWS\system32\awvtu.dll
D:\WINDOWS\system32\awvtu.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\daluhxru.dll
D:\WINDOWS\system32\daluhxru.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\gfthaaxg.dll
D:\WINDOWS\system32\gfthaaxg.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\ivwugcvi.dll
D:\WINDOWS\system32\ivwugcvi.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\kofjehqn.dll
D:\WINDOWS\system32\kofjehqn.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\nvwiykmu.dll
D:\WINDOWS\system32\nvwiykmu.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\qlybxxwa.dll
D:\WINDOWS\system32\qlybxxwa.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\rmaiomth.dll
D:\WINDOWS\system32\rmaiomth.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\spabqhpl.dll
D:\WINDOWS\system32\spabqhpl.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\utvwa.bak1
D:\WINDOWS\system32\utvwa.bak1 Has been deleted!
Attempting to delete D:\WINDOWS\system32\utvwa.bak2
D:\WINDOWS\system32\utvwa.bak2 Has been deleted!
Attempting to delete D:\WINDOWS\system32\utvwa.ini
D:\WINDOWS\system32\utvwa.ini Has been deleted!
Attempting to delete D:\WINDOWS\system32\uuheqhyv.dll
D:\WINDOWS\system32\uuheqhyv.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\wwykipqt.dll
D:\WINDOWS\system32\wwykipqt.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\yyadd.bak1
D:\WINDOWS\system32\yyadd.bak1 Has been deleted!
Attempting to delete D:\WINDOWS\system32\yyadd.bak2
D:\WINDOWS\system32\yyadd.bak2 Has been deleted!
Attempting to delete D:\WINDOWS\system32\yyadd.ini
D:\WINDOWS\system32\yyadd.ini Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 13:38:34, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\devldr32.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\svchost.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\notepad.exe
D:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
C:\VirusCleaning\FindInfo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tiwnmcnk.dll
O2 - BHO: (no name) - {1DB5C157-4C60-40F7-8DD7-6F85C0C404C4} - D:\WINDOWS\system32\skehilmn.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - D:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\VirusCleaning\Spybot\SDHelper.dll
O2 - BHO: (no name) - {6F2BF562-4286-4D46-B309-AD0417AA6A03} - D:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {89421CE8-CF09-4DA2-8652-9095A9A503B2} - D:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [cctray] "E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [EEventManager] D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [IntelliPoint] "d:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddayy - D:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: gebyyyw - gebyyyw.dll (file missing)
O20 - Winlogon Notify: ssqqnkk - ssqqnkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
Action 4 ATF Cleaner
Downloaded yesterday and saved to C:\Virus Cleaning Does this need to be down loaded again?
Action 5 Hijackthis
Open Hijackthis.......etc.
Refer remarks in brackets at end of each line - thanks
"Quote"
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tiwnmcnk.dll (MARKED FOR FIXING & FIXED)
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - D:\WINDOWS\system32\ssqqnkk.dll (file missing) (UNABLE TO LOCATE)
O2 - BHO: (no name) - {1DB5C157-4C60-40F7-8DD7-6F85C0C404C4} - D:\WINDOWS\system32\skehilmn.dll (MARKED FOR FIXING & FIXED)
O2 - BHO: (no name) - {89421CE8-CF09-4DA2-8652-9095A9A503B2} - D:\WINDOWS\system32\ddayy.dll (file missing) (MARKED FOR FIXING & FIXED)
O2 - BHO: (no name) - {EB7C9E25-BB6D-4D70-95AC-02B15F921446} - D:\WINDOWS\system32\awvtu.dll (UNABLE TO LOCATE - had a new? entry Below)
New Entry O2 - BHO: (no name) - {6F2BF562-4286-4D46-B309-AD0417AA6A03} - D:\WINDOWS\system32\awvtu.dll (file missing) (MARKED FOR FIXING)
O20 - Winlogon Notify: awvtu - D:\WINDOWS\system32\awvtu.dll (UNABLE TO LOCATE)
O20 - Winlogon Notify: ddayy - D:\WINDOWS\system32\ddayy.dll (file missing) (MARKED FOR FIXING & FIXED)
O20 - Winlogon Notify: gebyyyw - gebyyyw.dll (file missing) (MARKED FOR FIXING & FIXED)
O20 - Winlogon Notify: ssqqnkk - ssqqnkk.dll (file missing) (MARKED FOR FIXING & FIXED)
"Unquote"
Action 6 AVG Anti Spyware
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 16:25:34 22/04/2007
+ Scan result:
D:\Documents and Settings\kmjas\Cookies\kmjas@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\kmjas\Cookies\kmjas@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
::Report end
Action 7 Restarted computer
Vundofix report above
Scan report Above
New HJT report below (after restart)
Logfile of HijackThis v1.99.1
Scan saved at 16:38:29, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\WINDOWS\system32\MsPMSPSv.exe
C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
E:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\VirusCleaning\FindInfo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - D:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\VirusCleaning\Spybot\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [cctray] "E:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [EEventManager] D:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [IntelliPoint] "d:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\VirusCleaning\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\VirusCleaning\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - E:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
I think I have completed everything correctly.
I haven't tried IE at this stage.
Over to you - thanks
pskelley
2007-04-22, 13:10
Thanks for returning your information, great job using the tool!:bigthumb:
Action 4 ATF Cleaner
Downloaded yesterday and saved to C:\Virus Cleaning Does this need to be down loaded again?Nope...use the one you have on the Desktop, you can keep that nice tool if you wish when we remove the others we are using.
The HJT log looks clean, you may rename HJT.exe if you wish. The AVG scan report is just a couple of cookies, if you need help with those tracking cookies, look here:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
Delete Vundofix completely, the junk it removed will go with the program. Let's clean the System Restore files (do you have it on?)
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some good information for you:
Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
How to prevent Malware
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
KiwiSkydive
2007-04-23, 14:48
Thanks for your help:bigthumb: Our computer now seems to be working correctly, IE hasn't sent me off to never never land Yea!!:2thumb:
System Restore was on, turned off - rebooted - turned on.
VundoFix deleted.
Thanks for the links, some interesting reading, I'll work my way through them.
Thanks once again your help and patience it has been greatly appreciated and thanks for the advice along the way:band:
Seems like I owe you a:beerbeerb:
Cheers.