Some issues to deal with...



Lord Gorlox
2007-05-20, 17:37
Hello!

My computer has been giving me quite a run for my money the past few days! My mother doesn't know squat about computer safety and so I have had my computer infested with malware such as Smitfraud-C and its associates along with the Win32/Darksma.X and many other 'critical objects'. As I have been laboring to rid the infestation (although Smitfraud-C and Win32/Darksma.X remain), I have removed literally hundreds of things using Spybot SD, Ad-Aware, Spyware Doctor, eTrust Antivirus, and some smaller fixes that I found by browsing forums (vundofix.exe). Please help me rid my computer of these last things, I just don't have all the know-how. Here is my log from HJT.



Logfile of HijackThis v1.99.1
Scan saved at 11:24:25 AM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader\reader_sl.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackice.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nick\My Documents\My Programs\Specific Spyware Removal Tools\HJT\HijackThis_v1.99.1.exe
c:\windows\system\hpsysdrv.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21149F36-6A04-4F59-9B0F-D1EF479DC9A0} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {3CF01989-0E8F-02AC-1190-006AE7425E07} - C:\WINDOWS\system32\gqqnrvb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Nick\MYDOCU~1\MYPROG~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\kfirwjxg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7A584D5F-C404-4FC8-922A-BD20BF82DD9B} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - C:\WINDOWS\system32\efcdawu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Nick\My Documents\My Programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\lbyleyyd.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPy iBlock Monitor] C:\Documents and Settings\Nick\My Documents\My Programs\SpyIBlock\SpyiBlock_monitor.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Documents and Settings\Nick\My Documents\My Programs\Daemon Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: efcdawu - C:\WINDOWS\SYSTEM32\efcdawu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\RapApp.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Documents and Settings\Nick\My Documents\My Programs\Spyware Doctor\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Documents and Settings\Nick\My Documents\My Programs\Spyware Doctor\Spyware Doctor\swdsvc.exe



Thank you for your assistance!

pskelley
2007-05-21, 14:55
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Please review that information so we will be on the same page. You still have the Vundo infection, it can be hard to remove. Here is some information:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/

1) I would like to experiment a little with you to see if we can do this in fewer posts than I normally use. It is important that you read and follow the directions carefully.
Since Vundofix does not update and new files are added daily, delete that tool if you still have it and download it fresh from the link I provide.

2) Spyware Doctor may block changes we must make, turn that program off until you finish.

Thanks to Atribune and any others who helped with this fix.

3) Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Here are the files I see in the HJT log, and there may be more hidden that the fix will find:
C:\WINDOWS\SYSTEM32\efcdawu.dll
C:\WINDOWS\system32\pmnlj.dll

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

(make sure all files from Vundo have been deleted, hold the reports until the end)

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some line items may be gone, removed by the fix. Just do not miss any)

O2 - BHO: (no name) - {21149F36-6A04-4F59-9B0F-D1EF479DC9A0} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {3CF01989-0E8F-02AC-1190-006AE7425E07} - C:\WINDOWS\system32\gqqnrvb.dll (file missing)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\kfirwjxg.dll (file missing)
O2 - BHO: (no name) - {7A584D5F-C404-4FC8-922A-BD20BF82DD9B} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - C:\WINDOWS\system32\efcdawu.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\lbyleyyd.dll",realset
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: efcdawu - C:\WINDOWS\SYSTEM32\efcdawu.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\retadpu1000272.exe <<< delete that file

C:\WINDOWS\system32\lbyleyyd.dll <<< delete that file

(if either file gives you a problem, use this tool to kill it)
How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Vundofix report and a new HJT log. Add any comments you think will help.

Thanks
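
A small triage script, added here as an example (not code from the thread, from HijackThis or from VundoFix), that applies the checks the helper above applies by eye to an HJT v1.99 log: orphaned "(file missing)" registrations, unnamed BHOs living in system32, one DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), rundll32 autostarts of a system32 DLL, and an executable in the Windows root started with a long hex token. The sample log is constructed from lines quoted in the first log; the rules are heuristics for a reviewer, not a verdict.

```python
"""Triage a HijackThis log for Vundo-style persistence entries (added example)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the first HJT log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21149F36-6A04-4F59-9B0F-D1EF479DC9A0} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Nick\MYDOCU~1\MYPROG~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A584D5F-C404-4FC8-922A-BD20BF82DD9B} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - C:\WINDOWS\system32\efcdawu.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\lbyleyyd.dll",realset
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: efcdawu - C:\WINDOWS\SYSTEM32\efcdawu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
"""

# HJT appends " (file missing)" when the registered module is not on disk.
MISSING = r"(?P<missing> \(file missing\))?$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)" + MISSING)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)" + MISSING)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Split a Run command line into its executable (quoted or not) and its arguments.
CMD_RE = re.compile(r'^(?P<exe>"[^"]+"|.+?\.exe)\s*(?P<args>.*)$', re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
HEX_BLOB_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)
# rundll32 argument form:  "C:\path\x.dll",ExportName   (quotes optional)
RUNDLL_ARG_RE = re.compile(r'^"?(?P<dll>[^",]+\.dll)"?,', re.I)


@dataclass
class Entry:
    section: str    # "O2", "O4" or "O20"
    name: str       # BHO display name, Run value name or Notify key
    path: str       # module or executable path as HJT printed it (quotes removed)
    missing: bool   # HJT appended "(file missing)"
    args: str = ""  # O4 only: arguments after the executable


def parse_hjt(text):
    """Parse the O2, O4 and O20 lines of an HJT log into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], bool(m["missing"])))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["path"], bool(m["missing"])))
        elif (m := O4_RE.match(line)) and (c := CMD_RE.match(m["cmd"])):
            entries.append(Entry("O4", m["name"], c["exe"].strip('"'), False, c["args"].strip()))
    return entries


def triage(text):
    """Return (section, name, target_path, [reasons]) for each suspicious entry."""
    entries = parse_hjt(text)
    # Which sections load each DLL?  Vundo registers the same DLL as a BHO (O2)
    # and as a Winlogon Notify package (O20), so both IE and winlogon load it.
    loaders = defaultdict(set)
    for e in entries:
        if e.section in ("O2", "O20"):
            loaders[e.path.lower()].add(e.section)
    findings = []
    for e in entries:
        reasons, target = [], e.path
        if e.section in ("O2", "O20"):
            if e.missing:
                reasons.append("registration left behind for a file that no longer exists")
            if e.section == "O2" and e.name == "(no name)" and SYSTEM32_RE.match(e.path):
                reasons.append("unnamed BHO loaded from system32")
            if len(loaders[e.path.lower()]) > 1:
                reasons.append("same DLL registered as BHO and as Winlogon Notify package")
        elif ntpath.basename(e.path).lower() == "rundll32.exe":
            d = RUNDLL_ARG_RE.match(e.args)
            if d and SYSTEM32_RE.match(d["dll"]):
                target = d["dll"]
                reasons.append("rundll32 autostart of a DLL in system32")
        elif WINDIR_ROOT_RE.match(e.path) and HEX_BLOB_RE.match(e.args):
            reasons.append("executable in the Windows root started with a long hex token")
        if reasons:
            findings.append((e.section, e.name, target, reasons))
    return findings


if __name__ == "__main__":
    for section, name, target, reasons in triage(SAMPLE_LOG):
        print(f"{section:<3} [{name}] {target}")
        for r in reasons:
            print("     -", r)
```

On the sample it flags the same entries the helper lists in step 6 and leaves AcroIEHelper.dll, SDHelper.dll, hkcmd.exe and igfxdev.dll alone.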

Lord Gorlox
2007-05-21, 22:06
Here is the VundoFix report and HJT log:

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:29:50 AM 5/20/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\dyyelybl.ini
C:\WINDOWS\system32\gmcoltsu.ini
C:\WINDOWS\system32\iivdautt.ini
C:\WINDOWS\system32\isiedjnl.ini
C:\WINDOWS\system32\kpdrlxjl.ini
C:\WINDOWS\system32\lbyleyyd.dll
C:\WINDOWS\system32\ljxlrdpk.dll
C:\WINDOWS\system32\lnjdeisi.dll
C:\WINDOWS\system32\mofswrno.ini
C:\WINDOWS\system32\mwpiwyew.dll
C:\WINDOWS\system32\onrwsfom.dll
C:\WINDOWS\system32\rowdlyxg.dll
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rstwa.tmp
C:\WINDOWS\system32\ttuadvii.dll
C:\WINDOWS\system32\ustlocmg.dll
C:\WINDOWS\system32\weywipwm.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awtsr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dyyelybl.ini
C:\WINDOWS\system32\dyyelybl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gmcoltsu.ini
C:\WINDOWS\system32\gmcoltsu.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iivdautt.ini
C:\WINDOWS\system32\iivdautt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\isiedjnl.ini
C:\WINDOWS\system32\isiedjnl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kpdrlxjl.ini
C:\WINDOWS\system32\kpdrlxjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lbyleyyd.dll
C:\WINDOWS\system32\lbyleyyd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljxlrdpk.dll
C:\WINDOWS\system32\ljxlrdpk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnjdeisi.dll
C:\WINDOWS\system32\lnjdeisi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mofswrno.ini
C:\WINDOWS\system32\mofswrno.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mwpiwyew.dll
C:\WINDOWS\system32\mwpiwyew.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\onrwsfom.dll
C:\WINDOWS\system32\onrwsfom.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rstwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.tmp
C:\WINDOWS\system32\rstwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttuadvii.dll
C:\WINDOWS\system32\ttuadvii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ustlocmg.dll
C:\WINDOWS\system32\ustlocmg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\weywipwm.ini
C:\WINDOWS\system32\weywipwm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 3:32:15 PM 5/21/2007

Listing files found while scanning....

C:\WINDOWS\system32\efcdawu.dll
C:\WINDOWS\system32\fccywxw.dll
C:\WINDOWS\system32\gebayvs.dll
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\kfirwjxg.dll
C:\WINDOWS\system32\lbyleyyd.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\ssqomji.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efcdawu.dll
C:\WINDOWS\system32\efcdawu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccywxw.dll
C:\WINDOWS\system32\fccywxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebayvs.dll
C:\WINDOWS\system32\gebayvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqomji.dll
C:\WINDOWS\system32\ssqomji.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 4:04:07 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader\reader_sl.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackice.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Nick\My Documents\My Programs\Specific Spyware Removal Tools\HJT\HijackThis_v1.99.1.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Nick\MYDOCU~1\MYPROG~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Nick\My Documents\My Programs\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPy iBlock Monitor] C:\Documents and Settings\Nick\My Documents\My Programs\SpyIBlock\SpyiBlock_monitor.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Documents and Settings\Nick\My Documents\My Programs\Daemon Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\RapApp.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Documents and Settings\Nick\My Documents\My Programs\Spyware Doctor\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Documents and Settings\Nick\My Documents\My Programs\Spyware Doctor\Spyware Doctor\swdsvc.exe


Thank you!

pskelley
2007-05-21, 22:23
Thanks for returning your information, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
You are showing the new version > C:\Program Files\Java\jre1.6.0_01\
Remove all of those old versions in Add/Remove Programs. Hackers use those to exploit you and that is probably why you got infected.

O4 - HKCU\..\Run: [SPy iBlock Monitor] C:\Documents and Settings\Nick\My Documents\My Programs\SpyIBlock\SpyiBlock_monitor.exe
SpyiBlock >> see this: http://www.spywarewarrior.com/rogue_anti-spyware.htm
SpyiBlock spyiblock.com
spy-iblock.com uses flawed, inadequate detection scheme; same app as AdwareBazooka, AdwarePunisher, HitSpy, RemedyAntiSpy, SpyCut, Spyware Disinfector, SystemStable, & The SpyGuard [A: 12-21-05 / U: 12-21-05]
I would remove that junk from your computer if I were you.

Excellent job with those instructions. If you want a good check to make sure nothing is hidden, use the instructions in the following link to download, install, update and run AVG Anti-Spyware. Delete or quarantine anything it finds and post the scan report.
http://forums.security-central.us/showthread.php?t=3165

If you are satisfied the computer is running as it should be, then clean your System Restore files.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Lord Gorlox
2007-05-22, 07:45
Here is my final AVG report post. My system is doing great and up to speed! I believe everything is taken care of! Thank you so much for all of your help, I really appreciate it. If there is anything else serious in the future, I will not hesitate to let you know! Thank you again!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:34:01 AM 5/22/2007

+ Scan result:



C:\WINDOWS\system32\sxbxhyiw.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP209\A0044134.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP209\A0044135.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP209\A0044136.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP209\A0044138.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\efcdawu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\fccywxw.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebayvs.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ssqomji.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP201\A0037350.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP202\A0037489.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP203\A0037586.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP203\A0037746.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP203\A0037774.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP203\A0037775.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Program Files\music_now\inetchk.exe -> Hijacker.Small : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.39:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.25:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.28:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.10:C:\Documents and Settings\MCX1\Application Data\Mozilla\Firefox\Profiles\eaguuu2d.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.22:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.31:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.53:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.67:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.68:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.71:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.72:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.23:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.59:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.60:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.61:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.62:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.63:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.64:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.65:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.66:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.67:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.68:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.69:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.70:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.71:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.72:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.73:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.74:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.75:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.76:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.77:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.78:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.79:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.80:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.81:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.82:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.83:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.19:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.40:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.158:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.159:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.160:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.161:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.17:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.30:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.50:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.7:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.25:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.26:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.27:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.28:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.29:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.30:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.31:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.24:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.29:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.81:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.44:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\y03wv4sb.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.7:C:\Documents and Settings\MCX1\Application Data\Mozilla\Firefox\Profiles\eaguuu2d.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.90:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

pskelley
2007-05-22, 13:08
Sounds good :bigthumb: Looking at the AVG Anti-Spyware scan, we need to do these:

1) Clean the quarantine folder
You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops up asking "Are you sure you want to remove the selected files...??"
-Select: Yes

2) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

3) Delete the C:\VundoFix Backups\ and any other Vundofix folders that are there.

4) Not sure how ATF-Cleaner missed those cookies; to be sure, give this a try:
http://spyware-free.us/tutorials/cleanmgr/ then check here:
C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\ <<< look in that folder to make sure all cookies are deleted. Here is information to help control those cookies:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

At that point a new scan by AVG Anti-Spyware should be clean.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
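As an added example that is not part of this thread or of AVG Anti-Spyware itself: a small Python script that parses report lines in the format shown above and groups each detection by where it was found, which is exactly how pskelley's follow-up steps split the findings (live files already in quarantine, copies inside System Restore points, the VundoFix backup folder, and Firefox cookies.txt entries). The sample lines are constructed from the report in this thread; the function names, category labels and step mapping are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the AVG Anti-Spyware report lines in this thread.
SAMPLE_REPORT = r"""
+ Scan result:

C:\WINDOWS\system32\sxbxhyiw.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP209\A0044134.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\efcdawu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\music_now\inetchk.exe -> Hijacker.Small : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\8xtzlznj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dq5517qj.default\cookies.txt -> TrackingCookie.Com : Cleaned.

::Report end
"""

# One report line: optional ":mozilla.<n>:" cookie prefix, then "<path> -> <detection> : <action>."
LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$"
)

# Category -> the follow-up step from the reply above (labels are mine, not AVG's).
FOLLOW_UP = {
    "live_file": "step 1: empty the AVG quarantine once you are sure the system is stable",
    "system_restore": "step 2: turn System Restore off, reboot, turn it back on",
    "vundofix_backup": "step 3: delete the VundoFix Backups folder",
    "firefox_cookie": "step 4: clear the Firefox profile cookies and tighten cookie settings",
}


def parse_line(line):
    """Return a dict for one detection line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    idx = m.group("idx")
    return {
        "cookie_index": int(idx) if idx is not None else None,
        "path": m.group("path"),
        "detection": m.group("detection"),
        "action": m.group("action"),
    }


def classify(entry):
    """Place a detection by the location it was found in."""
    p = entry["path"].lower()
    if entry["cookie_index"] is not None or p.endswith("cookies.txt"):
        return "firefox_cookie"
    if p.startswith("c:\\system volume information\\_restore"):
        return "system_restore"
    if p.startswith("c:\\vundofix backups\\"):
        return "vundofix_backup"
    return "live_file"


def parse_report(text):
    """All detection entries in a report, each tagged with its category."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry["category"] = classify(entry)
            entries.append(entry)
    return entries


def summarize(text):
    """Counts per category, how many items went to quarantine, and the steps that apply."""
    entries = parse_report(text)
    counts = Counter(e["category"] for e in entries)
    quarantined = sum("quarantined" in e["action"].lower() for e in entries)
    steps = [FOLLOW_UP[c] for c in FOLLOW_UP if counts[c]]
    return {"counts": dict(counts), "quarantined": quarantined, "steps": steps}


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for cat, n in summary["counts"].items():
        print(f"{cat:16} {n:3}")
    print("quarantined items:", summary["quarantined"])
    for step in summary["steps"]:
        print(" -", step)
```

The point of the split is that only the first category was an active threat; the restore-point and backup-folder copies are inert until restored, and the cookies are a privacy matter rather than an infection, so a clean rescan after the listed steps is the right bar rather than alarm over the raw line count.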

tashi
2007-05-30, 18:44
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems, please start a new topic.