View Full Version : Mutiple Issues, unable to resolve on my own.
Arryndel
2007-06-02, 01:14
For the past three days I've had multiple recurring issues that I can't seem to resolve. I've been running SB S&D, AdAware, CCleaner, and a few others (not at the same time) and keep finding items returning. I'm providing the logs for HJT, SB, AdAware and CCleaner (some in safe mode and in regular mode). I have also tried running House Call but am having an issue where I'm not able to finish the scan, I also have recently installed Windows Live OneCare which keeps finding the same TROJ_ issues and claims to repair them but they just show up again. Another issue that I am having is when the pc boots into windows (regular or safe mode) I will sometimes get an error stating szAppName: services.exe..., the file that is listed for the report is C:\Doc~1\Default\Local~1\temp\Wer37ef.dir00\services.exe.mdmp and \appcompat.txt, after clicking to close the report the pc then states that it is shutting down and gives a count down which at the end of the pc does not actually shut down but instead all desktop icons are removed as well as the task bar and I am left with a blank blue screen and must cold boot the pc for it to reboot. Thank you in advance for your assistance with these issues. Here are the logs, I can try and provide any other logs you may need.
HJT Safe Mode
Logfile of HijackThis v1.99.1
Scan saved at 2:47:49 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hnoxrdeg.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
HJT Regular Mode
Logfile of HijackThis v1.99.1
Scan saved at 2:32:02 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hnoxrdeg.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
AdAware in safe mode
Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, June 01, 2007 3:02:44 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R173 29.05.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
6-1-2007 3:02:44 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\Default\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 140
ThreadCreationTime : 6-1-2007 8:46:11 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 188
ThreadCreationTime : 6-1-2007 8:46:24 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\System32\
ProcessID : 212
ThreadCreationTime : 6-1-2007 8:46:26 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 256
ThreadCreationTime : 6-1-2007 8:46:29 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 268
ThreadCreationTime : 6-1-2007 8:46:30 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 428
ThreadCreationTime : 6-1-2007 8:46:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 492
ThreadCreationTime : 6-1-2007 8:46:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [msmpeng.exe]
FilePath : C:\Program Files\Microsoft Windows OneCare Live\Antivirus\
ProcessID : 540
ThreadCreationTime : 6-1-2007 8:46:36 PM
BasePriority : Normal
FileVersion : 1.5.1937.0
ProductVersion : 1.5.1937.0
ProductName : Microsoft Malware Protection
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 652
ThreadCreationTime : 6-1-2007 8:46:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 948
ThreadCreationTime : 6-1-2007 8:47:04 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:11 [spybotsd.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 1300
ThreadCreationTime : 6-1-2007 8:48:18 PM
BasePriority : Normal
FileVersion : 1.4.0.3
ProductVersion : 1, 4, 0, 3
ProductName : SpyBot-S&D
CompanyName : Safer Networking Limited
FileDescription : Spybot - Search & Destroy
InternalName : SpybotSD
LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : SpyBotSD.exe
Comments : Software zum Entfernen von Spyware und ähnlichen Bedrohungen.
#:12 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1536
ThreadCreationTime : 6-1-2007 9:02:29 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Default\Cookies\default@advertising[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Default\Cookies\default@atdmt[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@findwhat[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Default\Cookies\default@findwhat[1].txt
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 10
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
3 entries scanned.
New critical objects:0
Objects found so far: 10
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10
3:28:59 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:26:14.937
Objects scanned:221369
Objects identified:4
Objects ignored:0
New critical objects:4
SB S&D safe m ode log in next post.
Hope these are helpful to find and fix whatever issues I am having.
Arryndel
Arryndel
2007-06-02, 01:26
CCleaner in normal mode
ANALYSIS COMPLETE - (2.919 secs)
------------------------------------------------------------------------------------------
1.54MB to be removed. (Approximate size)
------------------------------------------------------------------------------------------
Details of files to be deleted (Note: No files have been deleted yet)
------------------------------------------------------------------------------------------
IE Temporary Internet Files (116 files) 0.68MB
C:\Documents and Settings\Default\Cookies\default@24.244.171[1].txt 309 bytes
C:\Documents and Settings\Default\Cookies\default@89.188.16[2].txt 192 bytes
C:\Documents and Settings\Default\Cookies\default@advertising[2].txt 535 bytes
C:\Documents and Settings\Default\Cookies\default@atdmt[1].txt 102 bytes
C:\Documents and Settings\Default\Cookies\default@c.msn[1].txt 73 bytes
C:\Documents and Settings\Default\Cookies\default@cpvfeed[2].txt 419 bytes
C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt 89 bytes
C:\Documents and Settings\Default\Cookies\default@ebay[1].txt 736 bytes
C:\Documents and Settings\Default\Cookies\default@findwhat[1].txt 154 bytes
C:\Documents and Settings\Default\Cookies\default@forums.spybot[1].txt 371 bytes
C:\Documents and Settings\Default\Cookies\default@google[1].txt 131 bytes
C:\Documents and Settings\Default\Cookies\default@h.live[1].txt 68 bytes
C:\Documents and Settings\Default\Cookies\default@hotmail.msn[1].txt 70 bytes
C:\Documents and Settings\Default\Cookies\default@live[1].txt 332 bytes
C:\Documents and Settings\Default\Cookies\default@login.live[2].txt 176 bytes
C:\Documents and Settings\Default\Cookies\default@main.ebayrtm[2].txt 387 bytes
C:\Documents and Settings\Default\Cookies\default@msn[2].txt 98 bytes
C:\Documents and Settings\Default\Cookies\default@rad.live[1].txt 702 bytes
C:\Documents and Settings\Default\Cookies\default@svxela[1].txt 228 bytes
C:\Documents and Settings\Default\Cookies\default@thestreet[1].txt 515 bytes
C:\Documents and Settings\Default\Cookies\default@www.abcsearch[1].txt 140 bytes
C:\Documents and Settings\Default\Cookies\default@www.thestreet[2].txt 101 bytes
C:\Documents and Settings\Default\Cookies\default@www31.thestreet[1].txt 100 bytes
C:\Documents and Settings\Default\Cookies\default@yahoo[2].txt 88 bytes
Marked for deletion: C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Marked for deletion: C:\Documents and Settings\Default\Cookies\index.dat
Marked for deletion: C:\Documents and Settings\Default\Local Settings\History\History.IE5\index.dat
C:\WINDOWS\TEMP\dw.log 77 bytes
C:\WINDOWS\TEMP\startdrv.exe 25.00KB
C:\WINDOWS\TEMP\TMP0000001D41730ACDA95E0923 0.50MB
C:\WINDOWS\TEMP\TMP000001D8522E330BA98A6F11 0 bytes
C:\WINDOWS\TEMP\WGAErrLog.txt 255 bytes
C:\WINDOWS\TEMP\WGANotify.settings 409 bytes
C:\DOCUME~1\Default\LOCALS~1\Temp\WER2a83.dir00\sysdata.xml 0.14MB
C:\DOCUME~1\Default\LOCALS~1\Temp\WER6747.dir00\Mini060107-01.dmp 92.00KB
C:\WINDOWS\MiniDump\Mini060107-01.dmp 92.00KB
C:\WINDOWS\system32\wbem\Logs\wbemess.log 760 bytes
C:\WINDOWS\system32\wbem\Logs\wbemprox.log 3.11KB
C:\WINDOWS\0.log 0 bytes
C:\Documents and Settings\Default\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 348 bytes
------------------------------------------------------------------------------------------
SB S&D log is much to large for one post, but it is available is needed.
Arryndel
2007-06-02, 17:18
So far the files that have been found before the sites lock up on me are these:
House Call finds TROJ_RENOS.HT then locks up.
Ca finds Win32/SillyDl.CTT file ibhmuuf.exe, Win32/Chisyne.generic files cyxyawir.dll, cbxwwwt.dll, ddcaxyv.dll, and Win32/hostblock file host.200700517-233714.backup then the site locks up.
I'll continue trying to get House Call or Ca to complete a scan so that I can post the log here, untill then I'll try and keep a list of anything it finds before locking up again.
Hi and welcome to the Board
I'm Blade and I am going to try to help you with your problem. Please take a note of five things.
I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please download
VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4)
to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click YES
Once you click yes, your desktop will go blank as it starts removing
Vundo.
When completed, it will prompt that it will reboot your computer,
click OK.
Please post the contents of C:\vundofix.txt and a new
HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
Arryndel
2007-06-03, 02:16
Hello Blade and thank you for your assistance. I ran Vundofix as your suggested, it had to run on reboot twice, here is the log and the new HJT log as well. Also over the past 2 days I've continued trying to run CA virus scan and can confirm the exact file that it freezes at every time. I'll post the file if you need that info.
VundoFix V6.3.9
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.7
Java version is 1.5.0.8
Scan started at 11:21:34 PM 2/24/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.4.1
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 4:49:34 PM 6/2/2007
Listing files found while scanning....
C:\WINDOWS\system32\bbadd.bak2
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\byxyawu.dll
C:\WINDOWS\system32\cbxwwwt.dll
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddcaxyv.dll
C:\WINDOWS\system32\fdmcjvys.ini
C:\WINDOWS\system32\rqrpqom.dll
C:\WINDOWS\system32\syvjcmdf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bbadd.bak2
C:\WINDOWS\system32\bbadd.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bbadd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxyawu.dll
C:\WINDOWS\system32\byxyawu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxwwwt.dll
C:\WINDOWS\system32\cbxwwwt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddabb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddcaxyv.dll
C:\WINDOWS\system32\ddcaxyv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fdmcjvys.ini
C:\WINDOWS\system32\fdmcjvys.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
C:\WINDOWS\system32\rqrpqom.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\syvjcmdf.dll
C:\WINDOWS\system32\syvjcmdf.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 4:58:51 PM 6/2/2007
Listing files found while scanning....
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\rqrpqom.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
C:\WINDOWS\system32\rqrpqom.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 5:13:50 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\rqrpqom.dll (file missing)
O2 - BHO: (no name) - {6859367C-F8FD-4B23-8DBA-D8871E0142C4} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {BA642176-A33C-40A7-8E67-911A2D90FC4C} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\txfjydde.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\itwkwqgd.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Arryndel
2007-06-03, 03:51
Hmm seems I've found a new issue after running VundoFix, I can no longer access TrendMicro or Ca. When I try and go to the sites I get an error acting as though I don't have internet access, I have a firewall blocking them (which I shouldn't), or I simply do not have access to those particular sites any longer. It's highly possible that VundoFix has nothing to do with this new problem since I had been having problems with any messenger service that I tried to run claiming the same thing. Let me know what you think could be the cause of this new issue when you feel we've reached the that point in the cleaning process :)
Arryndel
2007-06-03, 04:46
Ca virus scan actually finished!! here is the scan results (couldn't see an option to save a log so I simply copy/pasted the results to a txt file. I hope you can read this mess LOL I tried to recreate the affect that is on the site to make it a bit more readable, hope it helps.
Scan Results: * 76269 files scanned. 11 viruses were detected.
File Infection Status Path
lo1[1] Win32/Vundo!generic deleted C:\Documents and settings\Default\Local Settings\Temporary Internet Files\Content.IE5 \1VCK7Q47\
byxyawu.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\
cbxwwwt.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\
ddabb.dll.bad Win32/Vundo!generic deleted C:\VundoFix Backups\
ddcaxyv.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\
geedb.dll.bad Win32/Vundo!generic deleted C:\VundoFix Backups\
rqrpqom.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\
syvjcmdf.dll.bad Win32/Vundo.CR deleted C:\VundoFix Backups\
ibhmiyf.exe Win32/SillyDl.CTT deleted C:\WINDOWS\
hosts.20070517-233714.backup Win32/Hostblock cured C:\WINDOWS\system32 \drivers\etc\
uzcx.exe Win32/Eipinp.V deleted C:\WINDOWS\system32 \drivers\
Arryndel
2007-06-03, 06:15
Managed to get House Call to finish scanning but it hangs at deleting, here is the list of items that were found (again I can't find an option to save a log for this site):
House Call Scan on 6-2-07
ADWARE_BESTOFFERS (x1)
SPYWARE_TRAK_ESPYNOW.200 (x1)
ADWARE_BHOT_IEHELPER (x1)
ADWARE_MEDIAMOTOR (x2)
RAP_GENERIC (x2)
TSPY_SMALL (x6)
ADWARE_ALWAYSUPDATENEWS (x1)
ADWARE_SAFESURF (x1)
HTTP Cookies (x30)
Detected Vulnerabilities
MS04.043
(MS07.016) Cumulative Security Update for Internet Explorer (928090)
Done
I also wrote down the file locations for each of these if that info is needed. Since House Call seems to be having trouble deleting these items I'm assuming I'll have to go through and manually delete each one. I'll wait until I'm told to do so by you, the expert ;)
hi
Still something to do.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\txfjydde.dll
C:\WINDOWS\system32\eddyjfxt.*
Click Add Files and Click Close Window
Repeat with these entries
C:\WINDOWS\system32\itwkwqgd.dll
C:\WINDOWS\system32\dgqwkwti.*
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from
Click the Scan for Vundo button when VundoFix appears at reboot.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.
Start hjt, click do a system scan only, check:
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\rqrpqom.dll (file missing)
O2 - BHO: (no name) - {6859367C-F8FD-4B23-8DBA-D8871E0142C4} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {BA642176-A33C-40A7-8E67-911A2D90FC4C} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\txfjydde.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\itwkwqgd.dll",realset
Close browsers and other windows. Click fix checked.
==============================
Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete if found:
C:\WINDOWS\system32\ltxfjydde.dll
C:\WINDOWS\system32\itwkwqgd.dll
Running temp cleaner & AVG Anti-Spyware
---------------------------------------
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Post
-contents of c:\vundofix.txt
-AVG Anti-Spyware log
-a fresh HJT log.
Arryndel
2007-06-03, 20:36
VundoFix V6.3.9
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.7
Java version is 1.5.0.8
Scan started at 11:21:34 PM 2/24/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.4.1
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 4:49:34 PM 6/2/2007
Listing files found while scanning....
C:\WINDOWS\system32\bbadd.bak2
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\byxyawu.dll
C:\WINDOWS\system32\cbxwwwt.dll
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddcaxyv.dll
C:\WINDOWS\system32\fdmcjvys.ini
C:\WINDOWS\system32\rqrpqom.dll
C:\WINDOWS\system32\syvjcmdf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bbadd.bak2
C:\WINDOWS\system32\bbadd.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bbadd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxyawu.dll
C:\WINDOWS\system32\byxyawu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxwwwt.dll
C:\WINDOWS\system32\cbxwwwt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddabb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddcaxyv.dll
C:\WINDOWS\system32\ddcaxyv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fdmcjvys.ini
C:\WINDOWS\system32\fdmcjvys.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
C:\WINDOWS\system32\rqrpqom.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\syvjcmdf.dll
C:\WINDOWS\system32\syvjcmdf.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 4:58:51 PM 6/2/2007
Listing files found while scanning....
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\rqrpqom.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
C:\WINDOWS\system32\rqrpqom.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 10:52:06 PM 6/2/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.4.1
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 9:51:40 AM 6/3/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\itwkwqgd.dll
C:\WINDOWS\system32\itwkwqgd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\txfjydde.dll
C:\WINDOWS\system32\txfjydde.dll Has been deleted!
Performing Repairs to the registry.
Done!
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:22:57 AM 6/3/2007
+ Scan result:
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP22\A0027144.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008486.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008487.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008652.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008668.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AbsoluteHttp.dll -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8E8653F1-34CA-4473-AE37-138ED27760AD} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{BD1D0EFE-F49E-4EC8-95AC-224BC4FD2211} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP22\A0036720.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046522.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046523.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046525.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046532.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP17\A0017484.dll -> Downloader.Agent.bhg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017561.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017570.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017566.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017558.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008651.exe -> Downloader.PurityScan.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021564.exe -> Downloader.Small.cul : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0049478.exe -> Downloader.Small.cul : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021555.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP16\A0014260.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017571.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017562.exe -> Downloader.VB.att : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017560.exe -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017568.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0049477.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017555.exe -> Hijacker.Costrat.at : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP16\A0016371.sys -> Logger.Goldun.ph : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP21\A0022492.dll -> Logger.Goldun.ph : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021552.dll -> Logger.Nukulus.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021553.dll -> Logger.Nukulus.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021563.exe -> Not-A-Virus.Hoax.Win32.Renos.fi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021560.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017556.exe -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017557.exe -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017559.exe -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0049530.sys -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017569.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP6\A0007225.exe -> Proxy.Dlena.ad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021559.dll -> Proxy.Nukulus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021554.exe -> Proxy.Xorpix.ba : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021561.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021557.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021558.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017565.exe -> Trojan.VB.nhr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021556.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021562.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vexga8me6.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 11:31:28 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Ready for next step :)
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
We need to re hide system files. To do so, please follow the steps below:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by
Hide file extensions for known file types.
Under the
Hidden files
folder, select
Show hidden files and folders.
Check
Hide protected operating system files.
Click Apply, and then click OK.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download Spybot
Spybot is a scanner like adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and pretection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)
Spybot can be downloaded at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here (http://www.freebyte.com/antivirus/#scanners) to choose one
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.
http://images.malwarecomplaints.info/logo/MWC-logoplus4.gif (http://www.malwarecomplaints.info)
Please take the time to go and complain - that forum has a topic for your infection which is Vundo please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to goverment or government agances that something will get done.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade
Arryndel
2007-06-03, 22:23
I am still having two problems that I know of right off the bat after trying them again, First and most importantly is that I can not access the windows update site. When trying to access it I get an error and IE shuts down, here is the error:
AppName: iexplorer.exe AppVer: 7.0.6000.16441 ModName: wuweb.dll ModVer: 5.8.0.2469 Offset 0018003
Technical Info - File in Report
c:\Docume~1\Default\Locals~1\Temp\ebea_appcompat.txt
Of course there is alot more to the technical info and is too much to type into here without the ability to copy/paste it. Hopefully you are able to understand this info and have an idea what the problem is (I'm clueless lol)
The other problem that I'm still experiencing is the inability to run some items on my comp, so far the only ones I've tried are two games, one of which is a closed beta and therefor I'm unable to disclose the name of it, but the closed beta I was able to reinstall and is once again working, the other game is DungeonRunners and is still not working after reinstall. Before finishing the cleaning process both games gave an error when trying to run them even after uninstalling, cleaning all left over files and reinstalling. The beta reinstalled with out a problem and is running fine, DungeonRunners however reinstalled but when I click on the game icon to run it nothing happens, that is to say that my curser gets the hourglass for a few short seconds and then nothing, I checked task manager and there is no process running for it that I can see. Even my messenger programs are once again working properly, no more errors stating that I have a firewall blocking them while the firewall is turned off.
Also, due to so many files being deleted (many of which I deleted with CCleaner before contacting you) I've tried running Recuva (recomended by CCleaner) and it hangs at Current Progress 42.9%, 28069 files found. From that point the program seems to do nothing more and just hangs there untill I cancel and close it.
I'm not sure if these issues are due to files that I deleted while trying to clean the pc or if it's from a lingering problem that I've not yet taken care of.
And thank you ever so much for your assistance, you've been a tremendous help.
Hi
I believe these two problems are not malware related. Have you defragged hard drive(s) lately? If you haven't, do so.
Our forum concentrates mainly on malware issues so I advise you to ask help to these problems for example at PC Pitstop (http://forums.pcpitstop.com/index.php?). :)