View Full Version : Smitfraud-C.Toolbar888 and Virtumonde can't be removed.
Hi,
I have run Spybot S&D numerous times, including in windows Safe mode.
I keep getting Smitfraud-c.Toolbar888 and Virtumonde every time i scan. Even with the scan done directly after a re-boot. Spybot S&D fails to remove the Virtumonde malware.
I don't have many pop-ups at the moment.
I have installed Windows Defender, and I might get up to 3 IExplorer windows pop-up during the day. (btw I have this problem on my work PC)
The PC is defintely slower, but I think most of this may be to Windows Defender checking every program before it launchs. (?????)
Windows Defender has been useful (or, so it apears) as it claims to have stopped and removed a few password stealers.
ALSO, I am using Opera to browse since the pop-ups began, so perhaps thats one reason the pop-ups have reduced.
Any help would be appreciated.
Thank you.
Yuggy8
pskelley
2007-06-19, 16:44
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.
If you have not resolved your issues elsewhere, please do this:
1) Make sure Spybot is fully immunized as well as updated:
http://www.it.northwestern.edu/security/spyware/win-spybot-immunize.html
2) Spybot is a great program if used correctly, but it will not remove a Vundo infection, few programs will.
3) Follow the direction I posted which are also Pinned to the top of the forum and when it comes time to download HJT use these instructions.
Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.
Copy and paste the contents of the log in your next reply
4) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Post that HJT log and uninstall list, add any comments you think will help.
Thanks
Thanks for your help! Much appreciated.
1) Spybot S&D updated and immunized.
2) HJT Trend micro version downloaded, installed in Program Files directory.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:22:57 AM, on 20/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks (2)\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\TEMP\PD6C3C.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ACAD2000\acad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {158E6349-DDC9-4CAD-96B1-1303B6DD9448} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\otgntixs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B71FA585-B351-4E48-8DA8-22F6F705EC73} - C:\WINDOWS\system32\iifgfgh.dll
O2 - BHO: (no name) - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pxebgins.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://serversbs:8080/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://serversbs:8080/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150152171929
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Colpro.local
O17 - HKLM\Software\..\Telephony: DomainName = Colpro.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Colpro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Colpro.local
O20 - Winlogon Notify: iifgfgh - C:\WINDOWS\SYSTEM32\iifgfgh.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: winvfv32 - C:\WINDOWS\SYSTEM32\winvfv32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks (2)\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 10924 bytes
********************************************************
Uninstall_list log file:
Adobe Acrobat 5.0
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.5
Adobe Shockwave Player
Apple Software Update
AutoCAD 2000
AutoCAD 2000 Migration Assistance
AutoCAD 2007 - English
Autodesk DWF Viewer
Battle of Europe
BlazeDTV 2.1
Call of Duty Game of the Year Edition
Canon IXY 300a, PowerShot S330, IXUS 330 WIA Driver
CD To MP3 WAV Maker 2.00
COSMOSFloWorks 2006 sp0
COSMOSM 2.95 (2005/180)
COSMOSMotion 2006 sp0
COSMOSWorks 2006 sp0
Crystal Merge Modules
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eDrawings 2006
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
ICQ 5.1
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Outlook 2003
Microsoft Project 98
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN Messenger 7.5
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
NA-27 Datalink
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Drivers
NvMixer
Opera 9.21
PC Connectivity Solution
Plate 'n' Sheet Professional
PowerISO
QuickTime
Rule the Rail!
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Skype 2.0
Soldier of Fortune II - Double Helix
SolidWorks 2001
SolidWorks 2006 SP0
SolidWorks Explorer
Spybot - Search & Destroy 1.4
Strand7 Release 2.2.5
Trend Micro Client/Server Security Agent
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
WeldPrint
Windows Defender
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Thank you.
pskelley
2007-06-20, 03:58
Thanks for returning your information and the feedback, you do indeed have a Vundo infection, first the uninstall list.
Uninstall List:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version of Java, then uninstall all old versions in Add Remove Programs.
Pretty nasty infection, here is some information about Vundo:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
and Vundo is not all you are infected with, read about this one:
smanager.7.exe
http://fileinfo.prevx.com/fileinfo.asp?PXC=e1ca93053549
There is more, I suggest you keep this computer offline except when troubleshooting until you are clean.
Please read and follow the directions carefully, those that do have few problems removing this junk.
Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Thanks
pskelley
1) VundoFix procedures done to the letter. log file below.
2) new HJT log file.
3) I'm confused??
Quote:
"If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com"
I don't understand the above section of the instructions? How do i know if there is a file VundoFix doesn't find?
4) I am running Windows Defender.
5) I have had my computer denied acces to the internet and vice versa. I can access the internet via a terminal server on our network using remote desktop. So until you say otherwise it will stay offline. That includes me posting on these forums.
6) All old Java updates have been uninstalled. Only latest Java installed.
Thanks again.
**********************************************************
VundoFix V6.5.1
Checking Java version...
Java version is 1.5.0.11
Scan started at 1:28:32 PM 20/06/2007
Listing files found while scanning....
C:\windows\system32\ddcbcby.dll
C:\WINDOWS\system32\dellextw.dll
C:\windows\system32\eryywjro.dll
C:\windows\system32\gebyxxx.dll
C:\WINDOWS\system32\iifgfgh.dll
C:\windows\system32\jcrnbanl.dll
C:\windows\system32\lnabnrcj.ini
C:\WINDOWS\system32\lswxvqmk.dll
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\otgntixs.dll
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pxebgins.dll
C:\windows\system32\safuxxqw.dll
C:\windows\system32\snigbexp.ini
C:\windows\system32\ssqrpop.dll
C:\windows\system32\stlkvcuo.dll
C:\WINDOWS\system32\usskfifm.dll
C:\windows\system32\vtutrst.dll
C:\windows\system32\wqxxufas.ini
C:\windows\system32\ycpdxowi.dll
Beginning removal...
Attempting to delete C:\windows\system32\ddcbcby.dll
C:\windows\system32\ddcbcby.dll Has been deleted!
Attempting to delete C:\windows\system32\eryywjro.dll
C:\windows\system32\eryywjro.dll Has been deleted!
Attempting to delete C:\windows\system32\gebyxxx.dll
C:\windows\system32\gebyxxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifgfgh.dll
C:\WINDOWS\system32\iifgfgh.dll Could not be deleted.
Attempting to delete C:\windows\system32\jcrnbanl.dll
C:\windows\system32\jcrnbanl.dll Has been deleted!
Attempting to delete C:\windows\system32\lnabnrcj.ini
C:\windows\system32\lnabnrcj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\onnmp.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\otgntixs.dll
C:\WINDOWS\system32\otgntixs.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnno.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pxebgins.dll
C:\WINDOWS\system32\pxebgins.dll Could not be deleted.
Attempting to delete C:\windows\system32\safuxxqw.dll
C:\windows\system32\safuxxqw.dll Has been deleted!
Attempting to delete C:\windows\system32\snigbexp.ini
C:\windows\system32\snigbexp.ini Has been deleted!
Attempting to delete C:\windows\system32\ssqrpop.dll
C:\windows\system32\ssqrpop.dll Has been deleted!
Attempting to delete C:\windows\system32\stlkvcuo.dll
C:\windows\system32\stlkvcuo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\usskfifm.dll
C:\WINDOWS\system32\usskfifm.dll Has been deleted!
Attempting to delete C:\windows\system32\vtutrst.dll
C:\windows\system32\vtutrst.dll Has been deleted!
Attempting to delete C:\windows\system32\wqxxufas.ini
C:\windows\system32\wqxxufas.ini Has been deleted!
Attempting to delete C:\windows\system32\ycpdxowi.dll
C:\windows\system32\ycpdxowi.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.1
Checking Java version...
Java version is 1.5.0.11
Scan started at 1:39:05 PM 20/06/2007
Listing files found while scanning....
C:\windows\system32\iifgfgh.dll
C:\windows\system32\pxebgins.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifgfgh.dll
C:\windows\system32\iifgfgh.dll Has been deleted!
Attempting to delete C:\windows\system32\pxebgins.dll
C:\windows\system32\pxebgins.dll Has been deleted!
Performing Repairs to the registry.
Done!
*********************************************************
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:48:54 PM, on 20/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks (2)\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\MR6708.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9AF86EE3-6594-48C5-B42B-F5D7334C8E6E} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://serversbs:8080/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://serversbs:8080/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150152171929
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Colpro.local
O17 - HKLM\Software\..\Telephony: DomainName = Colpro.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A827B1E-6D26-48E2-B88B-553736E39005}: NameServer = 192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Colpro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Colpro.local
O20 - Winlogon Notify: winvfv32 - C:\WINDOWS\SYSTEM32\winvfv32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks (2)\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 10420 bytes
pskelley
2007-06-20, 12:58
Thanks for returning your information and the feedback.
How do i know if there is a file VundoFix doesn't find?
That is when they do not say "Has been deleted"
Because at least two of these trojans are backdoor trojans, you will want to watch your back. Read this information, change all passwords from another computer besides the infected one. Notify anyone with whom you do financial transactions online and watch all accounts which you should do anyway.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
Instructions start here:
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
4) How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\winvfv32.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delet
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {9AF86EE3-6594-48C5-B42B-F5D7334C8E6E} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O20 - Winlogon Notify: winvfv32 - C:\WINDOWS\SYSTEM32\winvfv32.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
(the first two you will have to search for, probably the System32 folder but I am not positive)
smanager.7.exe <<< delete that file
smgr.exe <<< delete that file
C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe <<< delete that file
C:\Documents and Settings\All Users\Application Data\szarkrmf.ex <<< delete that file
(if you have problems with any of the files, use the delete on reboot tool)
(this program was just updated and the instructions may vary a little. Read the instructions carefully, it is important we get a look at the scan results)
7) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the scan report from AVG Anti-Spyware and a new HJT log.
Thanks
pskelley,
1) followed step 1 to the letter. All files visible.
2) ATF cleaner downloaded to desktop
3) Windows Defender disabled as per instructions. Still disabled as of this post until told otherwise.
4) Deleted file as per the delete on reboot procedure. The end of this step seemed unfinished, so i followed the procedure for this step and then rebooted straight away.
5) used HJT, got the list up, selected items as required and followed procedure.
6) When looking for
smanager.7.exe <<< delete that file
smgr.exe <<< delete that file
I could ocate the files. Not in System 32, and the windows file search could not find them either. I do no further manual searching though.
The 2 files with the folder location were deleted.
7) Downloaded AVG Anti-Spyware.
followed steps. log file to foolw.
8) ATF cleaner done.
AVG anti-spyware and then HJT log file to follow.
Thanks again!!!
****************************************************************
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:17:14 PM 22/06/2007
+ Scan result:
C:\WINDOWS\Temp\NDrv.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\blqg.dll -> Adware.PurityScan : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\3PRLUDF7\anti4[1].exe -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\X24MM8HR\anti4[1].exe -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP505\A0034421.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036867.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036870.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036871.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036875.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP527\A0037576.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP527\A0037582.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP527\A0037585.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP527\A0037594.dll -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\gebyxxx.dll.bad -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\iifgfgh.dll.bad -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\ssqrpop.dll.bad -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\vtutrst.dll.bad -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP507\A0034525.exe -> Adware.WebHancer : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\X24MM8HR\setar-101[1].0000 -> Adware.Yazzle : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP516\A0035714.exe -> Downloader.Agent.bls : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036873.exe -> Downloader.Alphabet.c : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036795.exe -> Downloader.PurityScan.eg : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP517\A0035723.exe -> Downloader.PurityScan.ej : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\O0SS6MR4\FOYGq2JV9B[1].exe -> Not-A-Virus.Monitor.Win32.Perflogger.be : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP528\A0037738.exe -> Not-A-Virus.Monitor.Win32.Perflogger.be : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator.COLPRO\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned.
C:\Documents and Settings\Administrator.COLPRO\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\guy\Cookies\guy@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator.COLPRO\Cookies\administrator@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Administrator.COLPRO\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Scott.COLPRO\Cookies\scott@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator.COLPRO\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP521\A0036963.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP519\A0036869.dll -> Trojan.Agent.qt : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temp\win160.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\3PRLUDF7\xc60[1].exe -> Trojan.Dialer.qn : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\O0SS6MR4\antzom[1].exe -> Trojan.Dialer.qn : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\O0SS6MR4\xc60[1].exe -> Trojan.Dialer.qn : Cleaned.
C:\Documents and Settings\guy\Local Settings\Temporary Internet Files\Content.IE5\YO3P25KR\antzom[1].exe -> Trojan.Dialer.qn : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP490\A0032659.exe -> Trojan.Dialer.qn : Cleaned.
C:\System Volume Information\_restore{02285954-F5DD-4398-80A2-9608C358FCD3}\RP528\A0037710.dll -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win13.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win30.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win3777.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win3797.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win392.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win3B4.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win3C1.tmp -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win3CF.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win42A.tmp.exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win4A35.tmp.exe -> Trojan.Dialer.qn : Cleaned.
::Report end
*****************************************************************
HJT log file
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:33:35 PM, on 22/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks (2)\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\WW1659.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9AF86EE3-6594-48C5-B42B-F5D7334C8E6E} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://serversbs:8080/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://serversbs:8080/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://serversbs:8080/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150152171929
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Colpro.local
O17 - HKLM\Software\..\Telephony: DomainName = Colpro.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A827B1E-6D26-48E2-B88B-553736E39005}: NameServer = 192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Colpro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Colpro.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks (2)\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 10096 bytes
From step 6 - I could not find the 2 files to delete even after using windows file search.
I did not do any further manual searching.
pskelley
2007-06-22, 14:17
Thanks for returning your information and the feedback, please activate your Windows Defender protection.
Good job with those complex instructions:bigthumb: There is one dead line left from Vundo, please use HJT to remove it:
O2 - BHO: (no name) - {9AF86EE3-6594-48C5-B42B-F5D7334C8E6E} - C:\WINDOWS\system32\pmnno.dll (file missing)
Both Windows Defender and AVG Guard feature may block the removal and need to be turned off until complete?
How is the computer running now? Let do this:
C:\VundoFix Backups\ <<< remove this folder and any other Vundofix folders you are done with that tool.
A lot of junk in Temp and TIF folders, run Clean Manager to be sure you got it all: http://spyware-free.us/tutorials/cleanmgr/
ATF-Cleaner is a nice free tool, you may keep it if you wish. Share it with your friends.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
pskelley,
THANK YOU!!!
Thanks very much for all of your help in removing the malware on my PC. I believe i know how i was infected to begin with, and I won't be doing that again.
With regards to how is my PC running? There are no pop-ups, but then I haven't been using IE since the pop-ups began, and since you said to go offline, my PC hasn;t had access to the web, except for 5 mins on Friday to get updates for AVG Anti-spyware.
I won't truly know if all has been fixed until I have the PC re-connectd with the web. Its sunday night here in Aussie land, so tomorrow sometime it should be back online, unless you say otherwise.
Can i go back online to the internet now?
Also, i will try to use IE for a little just to test the waters.
Thanks again!!
Yuggy8
pskelley
2007-06-24, 13:15
You are good to go, be careful it is a cyber-jungle out there. Make sure you read the information I posted for staying safe and here are more Microsoft resources to help.
. Security At Home site
http://www.microsoft.com/athome/security/default.mspx
. Security Tips & Talk blog
http://blogs.msdn.com/securitytipstalk/default.aspx
. RSS feed: Get security information delivered to you
http://www.microsoft.com/athome/security/rss/default.mspx
. Security video tutorials
http://www.microsoft.com/athome/security/videos/default.mspx
. Security community for home users
http://www.microsoft.com/athome/security/newsgroup/default.mspx
. Support for your computer security issues
http://www.microsoft.com/athome/security/support/default.mspx
. Worldwide computer security information
http://www.microsoft.com/athome/security/worldwide/default.mspx
Safe surfing:bigthumb:
pskelley,
I have had the PC online all morning now, and have even used IE for some surfing (although i will continue to use Opera) and I have had not one pop-up window. The PC is faster. one area i had noticed considerably slower before was when opening a new folder on a network drive. The time is ¼ of what is was when infected.
Thanks again.
Yuggy8
pskelley
2007-06-25, 03:27
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks...pskelley