Security Alert for spyware & system performance warnings
plshelpme
2007-11-06, 23:35
I get a lot of pop ups that suggest DLing BestSellerAntiVirus, StorageProtector, OnlineHelpmate.
I haven't updated Windows since installation; automatic updates are off. I had the NOD32 anti-virus system before I got spammed by those messages. Today I tried Spyware Terminator and AVG Anti-Spyware.
Spyware Terminator found the threat but couldn't remove it. It was attempting to remove explorer.exe, so I put AVG Anti-Spyware on after it, but the pop-ups continue. Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 23:32:47, on 06.11.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hardwarebg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hardwarebg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qrocngfy.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\lxumugmg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hardwarebg.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C6CA22F-5D29-412D-B7CF-29374971977A}: NameServer = 82.199.192.4,82.199.192.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Please assist me.
plshelpme
2007-11-07, 00:40
I'm sorry if I posted in the wrong forum section.
pskelley
2007-11-12, 13:57
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37
I apologize that no one has responded to your request for help. It appears you missed the above information which is also pinned to the top of this forum.
I can see by this log that you are infected. If you have not resolved your issues, please read the directions and post the correct HJT log, version 2.0.2, as shown in the instructions. You can wait on the Kaspersky scan until I request it.
Thanks
plshelpme
2007-11-12, 17:10
I installed Spybot - Search & Destroy and scanned the computer in safe mode 3 times. There are threats it couldn't remove. Here is the log file from the scan:
Virtumonde.generic: [SBI $88EE1D0F] Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32\=...C:\WINDOWS\SYSTEM32\QROCNGFY.DLL...
Virtumonde.generic: [SBI $FFB000DB] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QROCNGFY
Virtumonde.generic: [SBI $6026F3EE] Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32\=...C:\WINDOWS\SYSTEM32\QROCNGFY.DLL...
Virtumonde.generic: [SBI $8DF9F290] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
Virtumonde.generic: [SBI $2C44C86A] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
Virtumonde.generic: [SBI $B8DFB189] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-11-12 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-11-07 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-11-07 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-11-07 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-11-07 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-11-07 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-11-07 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-07 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-11-07 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-07 Includes\Trojans.sbi (*)
2007-11-07 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
The report says the problems have been fixed, but on the next scan they are active again, so it appears to be false.
After the 3 scans I rebooted normally and Spybot - Search & Destroy did scan again with the same result.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:05, on 12.11.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hardwarebg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hardwarebg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qejlkdrb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
I have been advised not to do a Kaspersky scan for now, so I post only this.
pskelley
2007-11-12, 17:11
No one redirected you anywhere. All I did was post a link to show you what to do if you wait four days without a response. I replied to your topic; please continue in this post:
http://forums.spybot.info/showthread.php?t=19858
until your issues are resolved. Right now I need a complete HJT log posted here and nothing else. You posted a partial log in the "Waiting Room".
When your log is in Notepad, click on Edit, then Select All. Copy and paste the highlighted information.
Thanks
plshelpme
2007-11-12, 18:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:01:51, on 12.11.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hardwarebg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hardwarebg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qejlkdrb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\jihimhgf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hardwarebg.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C6CA22F-5D29-412D-B7CF-29374971977A}: NameServer = 82.199.192.4,82.199.192.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 5067 bytes
pskelley
2007-11-12, 18:18
Thanks for returning your information, please take the time to read and follow the directions carefully.
1) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm
2) Thanks to Atribune and any others who helped with this fix.
Please understand that these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
The Vundofix link was not working, here is another link if you can't get it from the first one:
http://www.softpedia.com/progDownload/VundoFix-Download-33165.html
If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com
(wait until you finish to post reports and logs)
3) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the Vundofix report, combofix log and a new HJT log.
Thanks
Click this link >>> http://whois.domaintools.com/85.187.166.61
Is there any reason you have this Proxy from Bulgaria?
Bulgaria Sofia Net-x Ng Assigned Addr. Space
Let me know
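An added example, not from this thread or from any of the tools named in it: a small Python triage of HijackThis-style log lines that flags the three entry kinds pskelley picks out above (the external ProxyServer, the hex-named O4 Run value loading a DLL through rundll32, a toolbar or BHO sitting in system32), and then lines up two scans of the same machine to show the persistence slots that come back under new file names, which is why a scanner can report an entry "fixed" and find it active again. The log excerpts are constructed from entries quoted in this thread; the matching rules are my own assumed heuristics, not a detection set from any product.

```python
import re

# Constructed excerpts in HijackThis log format, modelled on entries from this
# thread: the same machine scanned twice, a few hours apart. Not real scan output.
SCAN_EARLY = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qrocngfy.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\lxumugmg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

SCAN_LATER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\adwzmdfn.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\adwzmdfn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\jihimhgf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Every HJT entry is "<section> - <body>".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Assumed heuristic: an O4 Run value whose name is a bare hex blob rather than a
# product name, launching rundll32 on a DLL with a one-letter export (",b").
RUN_RE = re.compile(
    r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[0-9a-f]{8})\] rundll32\.exe '
    r'"?(?P<dll>[^",]+\.dll)"?,(?P<export>[A-Za-z])$', re.I)
# O2 (BHO) and O3 (toolbar) bodies: label, CLSID, then the DLL path.
EXT_RE = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<label>.*?) - \{(?P<clsid>[0-9A-F-]{36})\} - (?P<path>.+)$", re.I)
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)")
SYSTEM32_RE = re.compile(r"\\WINDOWS\\system32\\", re.I)


def triage(log_text):
    """Return (slot, finding, path) tuples for the suspicious entry kinds.
    slot names the persistence location (not the file), so two scans of the
    same machine can be lined up even when the file name has changed."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1":
            p = PROXY_RE.search(body)
            # A proxy the user did not configure sends all browsing through a third party.
            if p and not p.group("proxy").startswith(("127.", "localhost")):
                findings.append(("R1:ProxyServer", "browser traffic routed through external proxy",
                                 p.group("proxy")))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                findings.append(("O4:" + r.group("name").lower(),
                                 "hex-named Run value loading a DLL via rundll32", r.group("dll")))
        elif sec in ("O2", "O3"):
            e = EXT_RE.match(body)
            # Legitimate toolbars/BHOs normally live under Program Files; one sitting in
            # system32 with a generic or missing label deserves a look at the file's publisher.
            if e and SYSTEM32_RE.search(e.group("path")):
                findings.append((f"{sec}:{e.group('clsid').upper()}",
                                 f"{e.group('kind')} loaded from system32 ({e.group('label')})",
                                 e.group("path")))
    return findings


def name_churn(early_log, later_log):
    """Slots flagged in both scans that now point at a different file: the pattern
    behind entries a scanner reports as fixed and then finds active again."""
    before = {slot: path for slot, _, path in triage(early_log)}
    after = {slot: path for slot, _, path in triage(later_log)}
    return {slot: (before[slot], after[slot])
            for slot in before.keys() & after.keys() if before[slot] != after[slot]}


if __name__ == "__main__":
    for slot, finding, path in triage(SCAN_LATER):
        print(f"{slot:45} {finding}: {path}")
    for slot, (old, new) in name_churn(SCAN_EARLY, SCAN_LATER).items():
        print(f"{slot}: {old} -> {new}")
```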
plshelpme
2007-11-12, 19:06
Here are the reports as you requested:
VundoFix V6.5.10
Checking Java version...
Java version is 1.5.0.10
Scan started at 18:37:47 12.11.2007 г.
Listing files found while scanning....
C:\WINDOWS\system32\qejlkdrb.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\qejlkdrb.dll
C:\WINDOWS\system32\qejlkdrb.dll Has been deleted!
Performing Repairs to the registry.
Done!
ComboFix 07-11-08.1 - PC-Admin 2007-11-12 18:52:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.679 [GMT 2:00]
Running from: C:\Documents and Settings\PC-Admin\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\adwzmdfn.dllbox
C:\WINDOWS\system32\chcxmbfi.dll
C:\WINDOWS\system32\cqajthlm.dll
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\gmdurqgk.dll
C:\WINDOWS\system32\gmgumuxl.ini
C:\WINDOWS\system32\gmgumuxl.ini2
C:\WINDOWS\system32\jutvgflv.dll
C:\WINDOWS\system32\kcrduwjy.dll
C:\WINDOWS\system32\paacmwim.dll
C:\WINDOWS\system32\qejlkdrb.dllbox
C:\WINDOWS\system32\uarxmgdo.dll
C:\WINDOWS\system32\ulvuvjjc.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.
2007-11-12 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 18:42 145,472 --a------ C:\WINDOWS\system32\adwzmdfn.dll
2007-11-12 18:41 145,472 --a------ C:\WINDOWS\system32\bphybieb.dll
2007-11-12 18:37 <DIR> d-------- C:\VundoFix Backups
2007-11-12 17:25 84,032 --a------ C:\WINDOWS\system32\jihimhgf.dll
2007-11-12 16:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-12 16:48 84,032 --a------ C:\WINDOWS\system32\ipleuhhs.dll
2007-11-12 16:45 145,472 --a------ C:\WINDOWS\system32\djojvuge.dll
2007-11-12 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 16:06 84,032 --a------ C:\WINDOWS\system32\vpbigvxx.dll
2007-11-09 16:05 84,032 --a------ C:\WINDOWS\system32\qxsyxtxy.dll
2007-11-06 22:32 <DIR> d-------- C:\Documents and Settings\PC-Admin\Application Data\Grisoft
2007-11-06 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 22:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-06 20:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 16:48 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-11-06 16:48 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 16:25 84,032 --a------ C:\WINDOWS\system32\lxumugmg.dll
2007-11-06 14:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-06 14:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-06 13:10 145,472 --a------ C:\WINDOWS\system32\jbdetfqs.dll
2007-11-05 17:59 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-05 17:47 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-05 14:08 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-29 20:03 <DIR> d-------- C:\Program Files\EA GAMES
2007-10-28 14:31 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-20 13:48 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 13:32 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-10-20 13:32 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-10-20 13:32 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-10-15 12:33 <DIR> d-------- C:\Program Files\Skype
2007-10-15 12:33 <DIR> d-------- C:\Documents and Settings\PC-Admin\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 16:52 --------- d-----w C:\Program Files\FlashGet
2007-11-09 15:38 --------- d-----w C:\Program Files\BitComet
2007-11-07 16:34 --------- d-----w C:\Program Files\mIRC
2007-10-23 17:00 --------- d-----w C:\Documents and Settings\PC-Admin\Application Data\Ventrilo
2007-10-15 10:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-09-30 07:33 --------- d-----w C:\Documents and Settings\PC-Admin\Application Data\Azureus
2007-09-26 18:42 --------- d-----w C:\Program Files\Azureus
2007-09-24 15:26 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 15:26 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-15 19:17 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-09-15 05:47 --------- d-----w C:\Program Files\Borland Pasca v7 FULL Complect
2007-09-14 09:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-14 09:00 --------- d-----w C:\Program Files\Realtek AC97
2007-09-13 19:35 --------- d-----w C:\Program Files\Futuremark
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34e683f5-1f4a-4a17-aeeb-164bee40c65c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
C:\WINDOWS\system32\ljjjhif.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-12 18:42 145472 --a------ C:\WINDOWS\system32\adwzmdfn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B32497D4-4FB4-437C-BE3C-18F9C1BCE4D8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\adwzmdfn.dll [2007-11-12 18:42 145472]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 20:43]
"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 20:43]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-08-20 12:48]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 01:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 C:\WINDOWS\soundman.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-24 17:26]
"584165f0"="C:\WINDOWS\system32\jihimhgf.dll" [2007-11-12 17:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-09-22 02:48:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\ljjjhif.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\adwzmdfn]
adwzmdfn.dll 2007-11-12 18:42 145472 C:\WINDOWS\system32\adwzmdfn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhif]
ljjjhif.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeda.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
DevDetect.exe -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 usb2vcom;USB Data Cable;C:\WINDOWS\system32\DRIVERS\usb2vcom.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 07:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-08 08:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-11-12 09:00:00 C:\WINDOWS\Tasks\At12.job"
"2007-11-12 10:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-12 11:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-11 12:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-12 13:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-11 14:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-12 15:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-12 16:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-11 23:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-11 17:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-11 18:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 19:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 20:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-11 21:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-12 00:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 01:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 02:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 03:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 04:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 05:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
"2007-11-10 06:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\7IFj4wYj.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 18:56:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-12 18:58:11 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:08, on 12.11.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hardwarebg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hardwarebg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {34e683f5-1f4a-4a17-aeeb-164bee40c65c} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ljjjhif.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\adwzmdfn.dll
O2 - BHO: (no name) - {B32497D4-4FB4-437C-BE3C-18F9C1BCE4D8} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\adwzmdfn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\jihimhgf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hardwarebg.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C6CA22F-5D29-412D-B7CF-29374971977A}: NameServer = 82.199.192.4,82.199.192.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: adwzmdfn - C:\WINDOWS\SYSTEM32\adwzmdfn.dll
O20 - Winlogon Notify: ljjjhif - ljjjhif.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 5619 bytes
I am not using any proxy as far as I know.
pskelley
2007-11-12, 20:40
Thanks for returning your information, we still have a lot of work to do. Let's start like this.
Where are you located? The Proxy is the same company as this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C6CA22F-5D29-412D-B7CF-29374971977A}: NameServer = 82.199.192.4,82.199.192.2
Is this your Internet Service provider: http://whois.domaintools.com/82.199.192.4
Bulgaria Sofia Provider Local Registry <<< I don't want to remove a valid setting; if that is not valid for you, then it means you are being hacked.
(take your time, read and follow the directions carefully)
1) Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right-click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.
I am hoping this will work for us, you can only add six at a time I believe, so you will have to do it twice to add them all.
Here are the files to add:
C:\WINDOWS\system32\adwzmdfn.dll
C:\WINDOWS\system32\jihimhgf.dll
C:\WINDOWS\system32\bphybieb.dll
C:\WINDOWS\system32\ipleuhhs.dll
C:\WINDOWS\system32\djojvuge.dll
C:\WINDOWS\system32\vpbigvxx.dll
C:\WINDOWS\system32\qxsyxtxy.dll
C:\WINDOWS\system32\lxumugmg.dll
C:\WINDOWS\system32\jbdetfqs.dll
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {34e683f5-1f4a-4a17-aeeb-164bee40c65c} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ljjjhif.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\adwzmdfn.dll
O2 - BHO: (no name) - {B32497D4-4FB4-437C-BE3C-18F9C1BCE4D8} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\adwzmdfn.dll
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\jihimhgf.dll",b
O20 - Winlogon Notify: adwzmdfn - C:\WINDOWS\SYSTEM32\adwzmdfn.dll
O20 - Winlogon Notify: ljjjhif - ljjjhif.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\7IFj4wYj.exe <<< delete that file
6) Start > Control Panel > Double-click on the "Scheduled Tasks" folder. Open that folder and you will see a list of scheduled tasks that look like this: "C:\WINDOWS\Tasks\At10.job" or similar. Do this with them:
To delete a task, right-click the task in the Scheduled Tasks window, and then click Delete. You may also be able to click Edit at the top and then Delete All.
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart your computer and post a new HJT log. Let me know how it went, any instructions you could not complete. Any comments you think will help.
Thanks...Phil
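The fixes Phil lists above follow a recognisable pattern: O2/O3 browser hooks registered with no name or pointing at a missing file, a Winlogon Notify (O20) DLL with a random-looking eight-letter name in system32, an O4 Run value with a hex-like name that loads such a DLL through rundll32, and a user-level proxy that the poster did not set. The following Python is an added example, not a tool from this thread or from the HijackThis project: it applies those review heuristics to a constructed sample made from the log lines posted above and shows which sections reference the same DLL (adwzmdfn.dll persists as a BHO, a toolbar and a Winlogon Notify entry at once).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis entries posted in this thread,
# the entries Phil asked to have fixed plus a few legitimate ones for contrast.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34e683f5-1f4a-4a17-aeeb-164bee40c65c} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ljjjhif.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\adwzmdfn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\adwzmdfn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [584165f0] rundll32.exe "C:\WINDOWS\system32\jihimhgf.dll",b
O20 - Winlogon Notify: adwzmdfn - C:\WINDOWS\SYSTEM32\adwzmdfn.dll
O20 - Winlogon Notify: ljjjhif - ljjjhif.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# 7-8 lowercase letters followed by .dll, directly under a system32 directory (any case).
SYS32_DLL_RE = re.compile(r"\\(?i:system32)\\([a-z]{7,8}\.dll)\b")
# The same name shape without a path; HJT prints Winlogon Notify DLLs this way.
BARE_DLL_RE = re.compile(r"(?<![\w\\])([a-z]{7,8}\.dll)\b")
HEX_RUN_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")
PROXY_RE = re.compile(r"ProxyServer = (\S+)")


def random_named_dll(section, text):
    """Return a random-looking DLL name referenced by the entry, or None."""
    m = SYS32_DLL_RE.search(text)
    if not m and section == "O20":
        m = BARE_DLL_RE.search(text)
    return m.group(1).lower() if m else None


def reasons_for(section, text):
    """Apply the review heuristics used in the thread to one HJT entry."""
    reasons = []
    if section in ("O2", "O3") and "(no name)" in text:
        reasons.append("browser hook registered without a name")
    if "(no file)" in text or "(file missing)" in text:
        reasons.append("registration points to a file that no longer exists")
    dll = random_named_dll(section, text)
    if dll:
        reasons.append(f"random-looking DLL name: {dll}")
    if section == "O4" and HEX_RUN_NAME_RE.search(text) and "rundll32" in text.lower():
        reasons.append("Run value with hex-like name loading a DLL through rundll32")
    if section == "R1":
        m = PROXY_RE.search(text)
        if m:
            reasons.append(f"user-level proxy set to {m.group(1)}; confirm it is intentional")
    return reasons, dll


def triage(log_text):
    """Return (flagged entries, {dll: sorted HJT sections that reference it})."""
    flagged = []
    dll_sections = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, text = m.groups()
        reasons, dll = reasons_for(section, text)
        if reasons:
            flagged.append((section, line, reasons))
        if dll:
            dll_sections[dll].add(section)
    return flagged, {d: sorted(s) for d, s in dll_sections.items()}


if __name__ == "__main__":
    flagged, by_dll = triage(SAMPLE_HJT_LOG)
    for section, line, reasons in flagged:
        print(f"[{section}] {line}")
        for r in reasons:
            print(f"      - {r}")
    print("\nDLLs referenced from more than one section (one component, several persistence points):")
    for dll, sections in by_dll.items():
        if len(sections) > 1:
            print(f"  {dll}: {', '.join(sections)}")
```

The name-shape heuristic is deliberately restricted to DLLs under system32; applied to the whole log it would also fire on legitimate third-party names from the same log such as FlashGet's jccatch.dll and getflash.dll. Even so, every hit is a lead for a human to check against the rest of the log, which is how the thread proceeds, not a verdict.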
plshelpme
2007-11-12, 21:51
Thanks for all the help, here is how I managed to complete the tasks:
Sellinet is my provider. I'm located in Sofia / Bulgaria. +359 868 8300 is the phone number of their main office. 82.199.192.4 is one of the DNS servers.
VundoFix V6.5.10
Checking Java version...
Java version is 1.5.0.10
Scan started at 18:37:47 12.11.2007 г.
Listing files found while scanning....
C:\WINDOWS\system32\qejlkdrb.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\qejlkdrb.dll
C:\WINDOWS\system32\qejlkdrb.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\adwzmdfn.dll
C:\WINDOWS\system32\adwzmdfn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\bphybieb.dll
C:\WINDOWS\system32\bphybieb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\djojvuge.dll
C:\WINDOWS\system32\djojvuge.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ipleuhhs.dll
C:\WINDOWS\system32\ipleuhhs.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jbdetfqs.dll
C:\WINDOWS\system32\jbdetfqs.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jihimhgf.dll
C:\WINDOWS\system32\jihimhgf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lxumugmg.dll
C:\WINDOWS\system32\lxumugmg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qxsyxtxy.dll
C:\WINDOWS\system32\qxsyxtxy.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vpbigvxx.dll
C:\WINDOWS\system32\vpbigvxx.dll Has been deleted!
Performing Repairs to the registry.
Done!
The folder settings you posted matched completely the current ones, I didn't have anything to change.
I couldn't find in the HijackThis scan:
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\adwzmdfn.dll
O20 - Winlogon Notify: adwzmdfn - C:\WINDOWS\SYSTEM32\adwzmdfn.dll
I couldn't find C:\WINDOWS\system32\7IFj4wYj.exe
The latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48:05, on 12.11.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hardwarebg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.187.166.61:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hardwarebg.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C6CA22F-5D29-412D-B7CF-29374971977A}: NameServer = 82.199.192.4,82.199.192.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 4878 bytes
pskelley
2007-11-12, 22:12
Thanks and good job, did you have something open here: C:\WINDOWS\system32\ping.exe <<< My scanner shows it as possible malware, let me know.
Here is what I see in the HJT log:
see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_10\ <<< Your Java program is out of date, download the newest version and uninstall all old versions in Add/Remove Programs.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
remove that line with HJT if you wish, it is not malware.
How is the computer running? Let's have a look at a Kaspersky scan now:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks...Phil
plshelpme
2007-11-12, 23:44
Hi,
I updated the Java and removed the :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
The starting page for iexplorer used to be hardware.bg, now it's msn.com. May I change it back to hardware.bg? The C:\WINDOWS\system32\ping.exe is a cmd ping command I started to check my internet connection for lost packets, since I was getting timeouts to the forum.
I ran the Kaspersky Online Scanner and here is the result:
KASPERSKY ONLINE SCANNER REPORT
Monday, November 12, 2007 11:36:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/11/2007
Kaspersky Anti-Virus database records: 428876
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics
Total number of scanned objects 52869
Number of viruses found 1
Number of infected objects 9
Number of suspicious objects 0
Duration of the scan process 00:35:40
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\cert8.db Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\flashgot.log Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\history.dat Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\key3.db Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\parent.lock Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\search.sqlite Object is locked skipped
C:\Documents and Settings\PC-Admin\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\PC-Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\35yzqdvc.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PC-Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PC-Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\PC-Admin\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000067.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000068.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000069.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000071.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP5\change.log Object is locked skipped
C:\VundoFix Backups\adwzmdfn.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\bphybieb.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\djojvuge.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\jbdetfqs.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\qejlkdrb.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
pskelley
2007-11-12, 23:58
i started to check my internet connection for packets lost since i was getting time outs to the forum.
I was having the same problems in Clearwater, Florida. It was a problem with the forum, not you, happens every once in a while.
The starting page for iexplorer used to be hardware.bg now its msn.com . May I change it back to hardware.bg?
You may set any startpage you wish:
http://www.microsoft.com/windows/ie/community/columns/ie7_basics.mspx
Unfortunately I do not know if that information works for IE6 but I do suggest you consider updating to IE7 for the additional security it affords:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx
KASPERSKY ONLINE SCANNER REPORT
Monday, November 12, 2007 11:36:00 PM
Number of infected objects 9
C:\System Volume Information\ <<< four are infected System Restore files, clean those like this:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
C:\VundoFix Backups\ <<< five are in this backups folder from Vundofix, delete the complete folder.
Delete all tools we downloaded for the cleanup with the exception of ATF-Cleaner. You may keep that nice small tool if you wish. I can't see where you told me how the computer is running, but I'll post this information for you now.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
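Phil's reading of the Kaspersky report above turns on where each of the nine infected objects lives: four are copies inside System Restore points and five are the .bad backups VundoFix made, so none of them is a live file and both groups are cleaned by purging the folder rather than by another scan; the many "Object is locked skipped" lines are in-use hives and logs, not detections. The Python below is an added example, not part of this thread or of any Kaspersky tooling: it parses an excerpt of the report posted above (constructed from those lines) and groups the infected objects by location so that the live-file category, the one that would actually matter, can be checked directly, and it cross-checks the parsed count against the report's own "Number of infected objects" line.

```python
import re
from collections import Counter

# Constructed sample, excerpted from the Kaspersky report posted above in this
# thread: all nine infected entries plus a few of the "Object is locked" entries.
SAMPLE_REPORT = r"""
Number of infected objects 9
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000067.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000068.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000069.dll Infected: Trojan.Win32.BHO.su skipped
C:\System Volume Information\_restore{7F741011-C5D6-4123-8422-37B744DBC7FF}\RP3\A0000071.dll Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\adwzmdfn.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\bphybieb.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\djojvuge.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\jbdetfqs.dll.bad Infected: Trojan.Win32.BHO.su skipped
C:\VundoFix Backups\qejlkdrb.dll.bad Infected: Trojan.Win32.BHO.su skipped
Scan process completed.
"""

DECLARED_RE = re.compile(r"^Number of infected objects (\d+)$")
INFECTED_RE = re.compile(r"^(.+?) Infected: (\S+) skipped$")
LOCKED_RE = re.compile(r"^(.+?) Object is locked skipped$")


def classify_location(path):
    """Bucket an infected path by how it should be dealt with."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system restore point"      # purged by clearing restore points
    if "\\vundofix backups\\" in p:
        return "removal-tool quarantine"   # delete the backup folder
    return "live file system"              # the only bucket that needs real attention


def summarize(report_text):
    """Parse a Kaspersky Online Scanner text report into a triage summary."""
    declared = None
    locked = 0
    by_location = Counter()
    detections = Counter()
    live = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = DECLARED_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        if LOCKED_RE.match(line):
            locked += 1          # in-use hives, logs, caches: not a detection
            continue
        m = INFECTED_RE.match(line)
        if m:
            path, name = m.groups()
            location = classify_location(path)
            by_location[location] += 1
            detections[name] += 1
            if location == "live file system":
                live.append(path)
    parsed = sum(by_location.values())
    return {
        "declared": declared,
        "parsed": parsed,
        "consistent": declared == parsed,   # did we account for every object?
        "locked_skipped": locked,
        "by_location": dict(by_location),
        "detections": dict(detections),
        "live_infections": live,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"infected objects: declared {summary['declared']}, parsed {summary['parsed']}"
          f" ({'consistent' if summary['consistent'] else 'MISMATCH'})")
    for location, count in summary["by_location"].items():
        print(f"  {count} in {location}")
    print(f"locked/skipped (not detections): {summary['locked_skipped']}")
    print(f"live infections needing action: {summary['live_infections'] or 'none'}")
```

For this report the live category comes back empty, which is exactly the conclusion Phil reaches: the remaining work is housekeeping, not disinfection. If the declared and parsed counts ever disagree, the report contains an infected line the two patterns did not recognise and it should be read by hand before deciding anything.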
plshelpme
2007-11-13, 00:21
I will continue our team work tomorrow because it's been a long day and late now, it's almost 1 a.m. here. I just wanted to say I am very grateful to everyone who has been helping with the healing process of my home PC, especially to you, Phil.
Sincerely yours Spas.
plshelpme
2007-11-13, 14:23
Hi,
I installed IE7, deleted the tools for the clean-up, C:\VundoFix Backups\ - removed, removed all restore points and added new one as advised here: http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
I tried to install SpywareBlaster but it was making an error on start up. Currently I have the nod32 2.7 that starts with windows and AVG Anti-Spyware which has real-time protection turned off at the moment. What should I do with AVG Anti-Spyware?
Also one last thing left - the Windows security alert in the task bar. It suggests turning automatic updates on, but the last time I did that windows attempted to download updates requiring genuine windows, where mine fails. I did download windows updates from the suggested list after a scan from microsoft was made and also downloaded framework 2.0 updates and microsoft office updates.
plshelpme
2007-11-13, 14:25
The computer is running normally. I can't say it's slower than before the pop-ups started, but it isn't as fast as when it was new, which I guess is normal.
pskelley
2007-11-13, 16:07
Good morning Spas, from sunny Florida. I will do my best to answer your questions.
SpywareBlaster <<< great free program I have run for many years, but every computer will not run it. I suggest after you give the computer a good cleaning, try it again. If it fails, forget it. What is nice about SB is that it protects you and asks for no resources to do it, plus the price is right...free!
http://www.bleepingcomputer.com/forums/tutorial49.html
Keep in mind, as you will read in the links I provided, you need one antivirus, one firewall and at least one spyware program that runs in real time. If you have questions about this, let me know.
Windows Updates: it is very important that you can download updates from Microsoft. If you have a VALID copy of Windows, you will be able to do so. It is best to allow Windows to do this for you, but you can turn off auto-updates and download them manually, as long as you are sure to do it. If you can not turn on auto-updates because of an issue with Windows, then you can look here:
http://v4.windowsupdate.microsoft.com/troubleshoot/
Microsoft has had trouble with updates saying the copy of Windows is not genuine, and this is their problem and they must help you fix it.
There is much information about that, here is the Google:
http://www.google.com/search?hl=en&q=genuine+windows&btnG=Search
If you can not resolve this issue, then insist Microsoft do it for you, you must be able to get critical updates:
http://support.microsoft.com/
What should I do with AVG Anti-Spyware?
This is a good program, I use it a lot during cleanups for folks but I use the free trial because I believe I should clean the computer without them purchasing anything. Once the trial is over, it is a very good scanner which can be updated for as long as you like, but to run it beyond the trial is a waste of your resources. I turn it off completely, even turn off the service and take the time to turn it back on and update it before I use it for two or three scans a year as a double check on my resident programs.
I want to say I posted a link: http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
look there for help at enhancing the computer's performance.
I hope I have answered your questions...Phil
This topic has been moved to archives.
If you need the thread re-opened, please send me a private message (pm) and provide a link. :)
Applies only to the original poster, anyone else with similar problems please start your own topic.