Need help with vundo kill shot!
I was recently infected with vundo. I have followed the directions mentioned in the "Before the Post", the kaspersky scan, S&D, and HJT. The Kaspersky and HJT logs are below.
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 15, 2007 12:38:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/11/2007
Kaspersky Anti-Virus database records: 459914
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 42765
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:00:46
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-091652.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00800000.VBN Infected: Trojan-Downloader.Win32.Agent.dxj skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DB905A98-4D1D-4345-A9F7-AD820A22675F} Object is locked skipped
C:\Documents and Settings\ship\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\History\History.IE5\MSHist012007111520071116\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\3M50YL32\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\EBFEO2OM\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP2\A0000063.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP3\A0000079.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP3\change.log Object is locked skipped
C:\VundoFix Backups\oxpwmkwb.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\zzyyyykt.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{53C9122A-1999-4A5A-A008-2B2508F37345}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\aavdwltr.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cbvxsxnu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mllml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apq skipped
C:\WINDOWS\system32\smpqiomq.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
HJT log to follow.
Not sure if it is relevant, but when completing the S&D scans as noted it took 2 manual scans in safe mode and 2 auto scans at restart for S&D to fully remove items including Directtrack, Hitbox, Virumonde.generic, and Virtumonde.
Here is the HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:19 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6442 bytes
Any help would be greatly appreciated! :bigthumb:
pskelley
2007-11-18, 18:02
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Thanks for posting the correct information, this looks like a Vundo infection at least and it gets harder and harder to remove so don't expect easy. If you wish to proceed, the junk will download more so stay offline until you are clean except when troubleshooting. Read and follow the directions in the posted order.
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ << BADLY out of date and likely why you are infected. Download the newest version and uninstall all old versions in Add Remove programs.
1) System Configuration Utility (MSConfig) is in Selective Startup mode; return it to Normal Mode until we are finished.
2) Spyware programs will compromise the tools we need to run, so turn these three off until we are finished.
A: TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm
B: AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
C: We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
3) Kaspersky scan indicates the possible presence of Smitfraudfix and Vundofix. Remove both programs from your computer. We will use Vundofix, but I need the newest version from the link I provide.
4) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
5) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Post the Vundofix report, combofix log and a new HJT log
Thanks
Well Phil, I have completed all of the steps UP TO the running of combofix. I ran Vundofix, removed what was listed, VF said it needed to finish on reboot. On reboot I again removed the one left over file, VF again said it would need to restart. On that restart VF opened but the file was not listed. I pressed remove and got a prompt that there were no files to delete and VF would close and return to Windows. I downloaded Combofix (from both links supplied) and both opened, prepared to run, and a separate window opened with the header "Abort-07-11-08.1" and message "Current date is 2007-11-19. Copy of Combofix is expired. Please download an updated copy". After pressing OK or X another window opens saying that "Combofix has been uninstalled." Also I ran VF again and it once again found that pesky file (c/windows/system32/iifggge.dll) and went through the same process as I listed above. Please advise on what I should do next. Thanks.
pskelley
2007-11-19, 21:18
Thanks for the feedback, I apologize for the issues with combofix. The whole world is waiting for that tool to be running again, I will know when the creator has it working, in the meantime we will do our best without it.
The problem is so many of the Vundo files are hidden and combofix digs them out for us. You may remove combofix from your computer. Post the report from Vundofix, a new HJT log and any feedback you think will help.
Thanks...Phil
I was not aware that Vundofix kept a log. I was never asked to save any files. Do you know where it would be kept? Anyway, here is the latest HJT log. Hope it helps.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6502 bytes
Also, Symantec is installed here and nothing was mentioned about unloading its service or changing any settings in your posts. After running the VF a notice appeared about a quarantine of virus name "Downloader.MisleadAPP" located in a temp folder. There also is a message along the lines of a file not being located upon start up. I believe this to be one of the several files removed by VF but I did not write the name down. I can do this if necessary. Thanks for the help. :bigthumb:
pskelley
2007-11-20, 00:33
Look on the C:\ for Vundofix.txt.
Also, Symantec is installed here and nothing was mentioned about unloading its service or changing any settings in your posts. I am not sure what you are saying or asking here? I would assume if Symantec could have done anything about this infection, you would have used it to clean the infection and had no need to post here? I do not use Symantec and never have, I can supply a link to Symantec technical support if you need it?
Thanks
You mentioned that I should halt some of the operations of AVG, S&D, and Windows Defender but mentioned nothing of halting any part of Symantec. I just wanted to be sure that Symantec was not overlooked. I will check for the VF log as well. :)
pskelley
2007-11-20, 01:44
I see, to my knowledge the resident antivirus programs do not cause problems with the tools we use.
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs
Here is the VF log and thanks for the above link, I see that Symantec is not on that list.
VundoFix V6.6.1
Checking Java version...
Scan started at 1:09:57 PM 11/14/2007
Listing files found while scanning....
C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll
Beginning removal...
Beginning removal...
VundoFix V6.6.1
Checking Java version...
Scan started at 1:43:52 PM 11/14/2007
Listing files found while scanning....
C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll
Beginning removal...
Attempting to delete C:\windows\system32\oxpwmkwb.dll
C:\windows\system32\oxpwmkwb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\zzyyyykt.dll
C:\WINDOWS\system32\zzyyyykt.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 9:24:45 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\aavdwltr.dll
C:\windows\system32\iifggge.dll
C:\windows\system32\ssqrrro.dll
C:\windows\system32\zzyyyykt.dllbox
Beginning removal...
Attempting to delete C:\windows\system32\aavdwltr.dll
C:\windows\system32\aavdwltr.dll Has been deleted!
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Attempting to delete C:\windows\system32\ssqrrro.dll
C:\windows\system32\ssqrrro.dll Has been deleted!
Attempting to delete C:\windows\system32\zzyyyykt.dllbox
C:\windows\system32\zzyyyykt.dllbox Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 9:42:19 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 10:20:35 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 10:56:55 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 12:46:43 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 13:20:56 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 14:02:52 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 14:41:00 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
pskelley
2007-11-20, 17:01
Thanks for returning the information and the feedback, this one is giving us trouble:
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
So we have that issue to contend with. I also want you to know the forum software is not working right today; if you have problems posting, etc., that is why. You can wait a few hours, I have notified management.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Make sure you are using the new version 6.6.2
Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.
These are the files you need to add:
C:\windows\system32\iifggge.dll
C:\WINDOWS\system32\cbvxsxnu.dll
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\cbvxsxnu.dll <<< delete that file
C:\windows\system32\iifggge.dll <<< delete that file
We are trying to kill the really bad files in several ways. If you have problems use this tool and instructions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Post the Vundofix.txt, new HJT log and some feedback.
Thanks
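The instructions above single out three HijackThis lines: an O4 Run entry whose name is 8 hex digits and which uses rundll32.exe to load a random-looking DLL from system32, and two O15 Trusted Zone additions. The script below is an added example, not part of this thread and not a component of HijackThis or VundoFix, that scans an HJT log for exactly those patterns. The sample log lines are constructed from entries quoted in this thread, and the random-name heuristic is an assumption of the example rather than a published rule.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread:
# three that the helper asked to have fixed, plus benign entries from the same log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
"""

ENTRY_RE = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')
# O4 body looks like: HKLM\..\Run: [key] command   (also HKCU and HKUS\<sid>)
O4_RE = re.compile(r'^HK(?:LM|CU|US\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
HEX8_RE = re.compile(r'^[0-9a-f]{8}$')

def looks_random(stem):
    """Heuristic (an assumption of this example): 7+ all-lowercase letters with
    few vowels or a doubled letter, like iifggge or cbvxsxnu; NvCpl is not."""
    if not re.fullmatch(r'[a-z]{7,}', stem):
        return False
    vowel_ratio = sum(c in 'aeiou' for c in stem) / len(stem)
    return vowel_ratio < 0.3 or re.search(r'(.)\1', stem) is not None

def triage_hjt(text, trusted_allow=frozenset()):
    """Return [(line, [reasons])] for entries matching the Vundo pattern in this thread."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section == 'O4':
            m4 = O4_RE.match(body)
            if not m4:
                continue
            key, command = m4.groups()
            if HEX8_RE.match(key):
                reasons.append('Run key named with 8 hex digits: ' + key)
            md = RUNDLL_RE.search(command)
            if md:
                dll = md.group(1)
                stem = dll.rsplit('\\', 1)[-1][:-4]
                if 'system32' in dll.lower() and looks_random(stem):
                    reasons.append('rundll32 loads random-looking DLL: ' + dll)
        elif section == 'O15':
            # Every Trusted Zone site not explicitly allowlisted is worth a look.
            site = body.split(':', 1)[1].strip()
            if site.lower() not in trusted_allow:
                reasons.append('Trusted Zone entry not on allowlist: ' + site)
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == '__main__':
    for line, reasons in triage_hjt(SAMPLE_HJT):
        print(line)
        for r in reasons:
            print('    ->', r)
```

Run against the sample, the script reports the [6c9e2ecd] line twice over (hex key name and random DLL) and both O15 sites, while the NVIDIA rundll32 entry passes because NvCpl does not fit the random-name pattern.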
I have completed the above steps but am still having a problem with the iifggge.dll file. Vundo says it needs to delete on restart, restarts the computer, says this same thing again, restarts, and opens to show no files to remove. I typed the iifggge.dll file in and went through the same process. The removal process seems to go in circles with this darn thing. Anyway, the VF log and new HJT logs are below.
VundoFix V6.6.1
Checking Java version...
Scan started at 1:09:57 PM 11/14/2007
Listing files found while scanning....
C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll
Beginning removal...
Beginning removal...
VundoFix V6.6.1
Checking Java version...
Scan started at 1:43:52 PM 11/14/2007
Listing files found while scanning....
C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll
Beginning removal...
Attempting to delete C:\windows\system32\oxpwmkwb.dll
C:\windows\system32\oxpwmkwb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\zzyyyykt.dll
C:\WINDOWS\system32\zzyyyykt.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 9:24:45 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\aavdwltr.dll
C:\windows\system32\iifggge.dll
C:\windows\system32\ssqrrro.dll
C:\windows\system32\zzyyyykt.dllbox
Beginning removal...
Attempting to delete C:\windows\system32\aavdwltr.dll
C:\windows\system32\aavdwltr.dll Has been deleted!
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Attempting to delete C:\windows\system32\ssqrrro.dll
C:\windows\system32\ssqrrro.dll Has been deleted!
Attempting to delete C:\windows\system32\zzyyyykt.dllbox
C:\windows\system32\zzyyyykt.dllbox Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 9:42:19 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 10:20:35 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 10:56:55 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 12:46:43 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 13:20:56 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Scan started at 14:02:52 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 14:41:00 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\IIFGGGE.DLL
C:\WINDOWS\SYSTEM32\IIFGGGE.DLL Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\IIFGGGE.DLL
C:\WINDOWS\SYSTEM32\IIFGGGE.DLL Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6351 bytes
I noticed that there are several dates in the VF log. Does VF just keep adding to the text file each time it scans? If so, I noticed that there is no scan information with today's (11-20-07) date on it and a search of the computer does not yield any more VF log files anywhere. Also, when attempting step 5 above the cbvxsxnu.dll file was not there and a search for it came up empty. When I tried to delete the iifggge.dll file I got a message similar to "Cannot delete iifggge: Access denied. Make sure the disk is not full or write protected or file is not in use." This may be dumb but would renaming it be of use?:scratch:
pskelley
2007-11-20, 21:51
Yep, this infection has gotten very, very hard to remove. We may never get it all, but let's not give up yet. The first thing I see is an old version of Vundofix here:
Today, 13:27 >> VundoFix V6.6.1
Would you please make sure the ONLY version you have on your computer is V6.6.2.
I noticed that there are several dates in the VF log.
Right, that is what I said above, be positive you only have the one version on the computer. If you followed directions it would be here: "Download VundoFix" to your Desktop
This may be dumb but would renaming it be of use?
You may use any method you know of to remove the junk; everyone is learning this infection as it is being removed and there are countless folks infected. You can also try this:
http://support.microsoft.com/kb/308421
Just let me know what method works for the next infected member.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:18, on 2007-11-20
I see no malware in this HJT log. It may be one of the methods we used killed it. Let's have Kaspersky take a look to see what is there HJT can't see.
First, looking at this scan: KASPERSKY ONLINE SCANNER REPORT Thursday, November 15, 2007 12:38:33 PM
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of your AV's quarantine folder.
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix\SmitfraudFix\ <<< delete Smitfraudfix completely from your computer
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\ <<< delete the contents of that TIF folder
C:\VundoFix Backups\ <<< delete that folder, make sure there is no folder from the new version. Keep just the executable on the Desktop in case we need to run it again.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
(please use these settings for the scan)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Add any comments you think will help.
Thanks...Phil
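VundoFix appends every run to the same VundoFix.txt, which is why the log posted above contains sessions from 11/14 and 11/19, in two different timestamp styles, and from two tool versions. The script below is an added example, not part of this thread or of VundoFix, that splits such an appended log into sessions and reports which files failed deletion in more than one session, which is the loop described above. The sample log is constructed from the lines quoted in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three VundoFix sessions in the two timestamp styles seen
# in this thread, from two tool versions; iifggge.dll fails in both later runs.
SAMPLE_VUNDOFIX_LOG = r"""
VundoFix V6.6.1
Checking Java version...
Scan started at 1:43:52 PM 11/14/2007
Listing files found while scanning....
C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll
Beginning removal...
Attempting to delete C:\windows\system32\oxpwmkwb.dll
C:\windows\system32\oxpwmkwb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\zzyyyykt.dll
C:\WINDOWS\system32\zzyyyykt.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 9:42:19 AM 11/19/2007
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Scan started at 14:41:00 2007-11-19
Listing files found while scanning....
C:\windows\system32\iifggge.dll
Beginning removal...
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.
Performing Repairs to the registry.
Done!
"""

HEADER_RE = re.compile(r'^VundoFix V(\S+)$')
START_RE = re.compile(r'^Scan started at (.+)$')
RESULT_RE = re.compile(r'^(.+?) (Has been deleted!|Could not be deleted\.)$')
# The log above shows both "1:43:52 PM 11/14/2007" and "14:41:00 2007-11-19".
TIME_FORMATS = ('%I:%M:%S %p %m/%d/%Y', '%H:%M:%S %Y-%m-%d')

def parse_started(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None

def parse_sessions(log):
    """Split an appended VundoFix.txt into one dict per 'VundoFix Vx.y.z' header."""
    sessions, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {'version': m.group(1), 'started': None, 'found': [], 'results': []}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # fragment before the first header, as at the top of this thread
        m = START_RE.match(line)
        if m:
            cur['started'] = parse_started(m.group(1))
            continue
        m = RESULT_RE.match(line)
        if m:
            path, outcome = m.groups()
            cur['results'].append((path.lower(), outcome.startswith('Has been')))
            continue
        if re.match(r'^[A-Za-z]:\\', line):
            cur['found'].append(line.lower())  # bare path in the "Listing files" block
    return sessions

def stuck_files(sessions, min_sessions=2):
    """Paths reported 'Could not be deleted' in at least min_sessions sessions
    and never reported deleted in any session."""
    failed_in, deleted = defaultdict(set), set()
    for i, s in enumerate(sessions):
        for path, ok in s['results']:
            if ok:
                deleted.add(path)
            else:
                failed_in[path].add(i)
    return sorted(p for p, runs in failed_in.items()
                  if len(runs) >= min_sessions and p not in deleted)

def summarize(log):
    sessions = parse_sessions(log)
    started = [s['started'] for s in sessions if s['started']]
    return {
        'sessions': len(sessions),
        'versions': sorted({s['version'] for s in sessions}),
        'first_run': min(started) if started else None,
        'last_run': max(started) if started else None,
        'stuck': stuck_files(sessions),
    }

if __name__ == '__main__':
    s = summarize(SAMPLE_VUNDOFIX_LOG)
    print(f"{s['sessions']} sessions, tool versions {s['versions']}, "
          f"{s['first_run']} .. {s['last_run']}")
    for path in s['stuck']:
        print('still present after repeated deletion attempts:', path)
```

A second tool version showing up in 'versions' is the same signal the helper picked up on by eye; 'stuck' is the list to take to another method (safe mode, delete on reboot, or the ownership fix linked above) instead of running the tool again.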
Just a quick update/FYI - In an attempt to remove that pesky iifggge.dll file I renamed it to iie.dll and tried to delete it. This did not work so I followed the link you supplied and made sure that I had control/rights to it. Again, this did not work so I did a restart in safemode and, luckily, this DID work. I was able to find and delete this file. On restart I tried to locate it and did a search for the file and it was not found. Curiosity got the best of me and I ran VF which came up with nothing.:bigthumb: I will move on to the next step, Kaspersky, and report what I find as soon as I can. Thanks for the help so far.
After completing the rest of the instructions you provided I ran the Kaspersky online scan and got bad news :sad:. The scan returned two issues both having to do with "Trojan.Win32.Obfuscated". The log is posted below.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-21 10:24
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 433848
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 42472
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:56:52
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-091652.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46733.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46734.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46735.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46736.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46737.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46738.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46739.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46740.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46741.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46743.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46744.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46745.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46746.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46747.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46748.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46749.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\toolbox_healer46742.log Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP16\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{98E82034-64EB-4759-9E1F-3E417E7A03FE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkjklbst.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
I don't think I mentioned that there were two icons added to the desktop, "Online Security Guide" and another "Live Safety Center". I deleted these icons before the Kaspersky scan. When I hooked the computer back online and started IE another window opened to some search page (or something along these lines) which I promptly closed. Also, Symantec raised a notification window that Trojan.Vundo was around. Please let me know our next step. Thanks.
pskelley
2007-11-21, 18:20
Thanks for returning your scan results.
KASPERSKY ONLINE SCANNER REPORT 2007-11-21 10:24
Delete the files in red, empty the Recycle Bin and scan again, it should be clean.
C:\WINDOWS\system32\jkjklbst.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
You need to understand also, how easy it is to get infected or even reinfected, see this:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
Thousands snared by malware warning from big-name websites
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/
tashi has pinned very important information at the top of this forum, you should review it all.
I'll post this information for you now so you can benefit from it.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
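The Kaspersky report above mixes two kinds of lines: "Object is locked skipped" for registry hives, event logs and other files the scanner could not open (normal, not detections) and "Infected:" lines for actual hits. Earlier in the thread the helper also separates hits inside an AV quarantine folder, Temporary Internet Files or VundoFix Backups, which are stored copies to be emptied, from hits in live locations such as system32. The following Python is an added example, not part of this thread or of the Kaspersky scanner, that splits a report along those lines. The sample report is constructed (the Quarantine entry and its detection name are made up for illustration), and the list of stored-copy locations is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sample modelled on the report format in this thread. The two
# system32 hits are the ones named above; the Quarantine line is made up.
SAMPLE_KAV_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A7B0001.VBN Infected: Trojan.Win32.Sample.a skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP16\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\jkjklbst.exe Infected: Trojan.Win32.Obfuscated.kp skipped
Scan process completed.
"""

# <path> Infected: <name> <action>   or   <path> Object is locked <action>
RESULT_RE = re.compile(r'^(.+?) (Infected: (\S+)|Object is locked) (\S+)$')

# Locations whose hits are stored copies rather than running malware (this
# example's own list, based on the folders the helper says to empty above).
STORED_MARKERS = ('\\quarantine\\', '\\system volume information\\',
                  '\\temporary internet files\\', '\\vundofix backups\\')

def classify_location(path):
    low = path.lower()
    return 'stored' if any(m in low for m in STORED_MARKERS) else 'active'

def triage_kav(report):
    """Return active hits, stored-copy hits, a count of locked objects, and a
    per-detection-name tally for a Kaspersky Online Scanner text report."""
    out = {'active': [], 'stored': [], 'locked': 0, 'by_name': Counter()}
    for raw in report.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        path, kind, name, _action = m.groups()
        if kind == 'Object is locked':
            out['locked'] += 1
            continue
        out['by_name'][name] += 1
        out[classify_location(path)].append((path, name))
    return out

if __name__ == '__main__':
    t = triage_kav(SAMPLE_KAV_REPORT)
    print(f"{t['locked']} locked objects skipped (not detections)")
    for path, name in t['active']:
        print('ACTIVE ', name, path)
    for path, name in t['stored']:
        print('STORED ', name, path)
```

The 'active' list is what has to be deleted by hand (or from safe mode, as happened later in this thread); the 'stored' list is cleared by emptying the quarantine, cache or backup folder it came from.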
I ran HJT and found a file almost identical to the one removed during post #12: O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b (I am unsure of how to quote a previous post). I had HJT fix that issue and ran VF which found nothing. I am running AVG to see what it says now. At this point it has found "Trojan.Agent.aoy" and "Downloader.Tiny.id" but is still scanning.
The above post was done before seeing the other. I will do the steps now. Thanks.
pskelley
2007-11-21, 18:31
Remember that Kaspersky and AVG will not call the files the same thing so it is likely the same item.
Remember to express yourself here:
http://www.malwarecomplaints.info/
These criminals need to go to jail, did I post this information for you?
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
This is almost all we are getting and the forums are loaded with it. I have dealt with so much of it I am about burned out:sad:
I have completed all of the above steps. "esaxxsvc.exe" went without a fight but I had to go into safemode to delete the "jkjklbst.exe" file. The AVG scan (ran BEFORE the step in previous sentence) did not find anymore than the two issues listed in the previous post. I had it delete those. What is our next step from here? I am concerned that, while everything appears fine now, when I reconnect to the net I will be back where i started. Should I produce another HJT scan, scan with any of the available tools I have (Defender, S&D, etc.) or what? Greatly appreciate the help so far Phil! :bigthumb:
pskelley
2007-11-21, 19:42
We cleaned the last two items from the Kaspersky scan, you should be good to go:bigthumb:
Safe Surfing...Phil
I just completed a scan with S&D and it returned 6 incidents of Virtumonde!:eek: I have done nothing since the last steps and have not connected back to the internet yet. Any advice?
Also, shall I have S&D remove these?
pskelley
2007-11-21, 21:15
Yeah, make sure your Spybot program is totally up to date and fully immunized, then run it again.
Post a new HJT log.
Thanks
Is there a link you can supply that I can follow to download the latest updates for S&D from another computer and transfer to the infected one so as to avoid connecting it to the internet? I somewhat recall reading a post that had a similar link. In the meantime I will have S&D remove the 6 incidents of Virtumonde and produce another HJT log. Thanks again.
I just had S&D remove the 6 Virtumonde and immunized (it appeared that it had not been fully immunized) and it hesitated during the Internet Explorer 32-bit section but did complete. Just wanted to update you on the matter.
pskelley
2007-11-21, 21:34
The last Kaspersky found two items, that you deleted. Spybot is probably finding registry leftovers. Go online and update Spybot, immunize and run a scan. Post the HJT log so I can take a look.
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html
Thanks
I did the above steps, S&D found nothing. The new HJT log is posted below. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5089 bytes
pskelley
2007-11-21, 23:35
That's a clean HJT log:bigthumb: Review the information from those experts I posted, those are some very knowledgeable folks in the malware/security business and the information will go a long way towards keeping you safe online.
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Thanks...Phil
I have not used the computer since last Wednesday (vacation) and I restarted S&D's Resident. Upon doing so numerous notifications came up asking to allow or deny various changes. I somehow denied 4 or so. Can I change that choice somehow? Also, I reconnected to the internet for the first time and IE runs pretty slow and a popup page attempted to open. Another S&D notification change appeared with category "BHO", change "key deleted" and entry name "955dbe41-c3f5-4eaa-944c-158d33flebf5". Almost forgot, I ran an S&D scan before all of this and one entry for "Fun Web Products" was returned which I fixed. Got any suggestions?
More specifically, the new window that opens links to "Buzznet Community". So far it appears to only open when surfing online.
pskelley
2007-11-26, 18:19
I am not real sure what suggestions you want, do you need tutorials for using Spy S&D and/or TeaTimer?
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html
http://www.voiceofthepublic.com/SSD/SI/teatimer.swf.html
http://russelltexas.com/malware/teatimer.htm
http://antivirus.about.com/od/securitytips/ss/hosts_6.htm
http://www.buzznet.com/ <<< see this
The last Kaspersky scan and HJT log I looked at were clean, anyone downloading junk besides you? "FunWebProducts" usually comes as an adware download that is done by someone with access to the computer. They usually think something is "free".
Thanks
That's what has me concerned, nobody has used the computer since last week besides me and I only reconnected it to the internet this morning. When I type in a new address another window opens to the Buzznet Community website. Not quite sure why this is happening. Thought you may have seen this or have an idea about it?
pskelley
2007-11-26, 20:13
No I have not, post a new HJT log if you wish and I will start the process of trying to find out.
Thanks
Since my previous post several not so good things have happened. Symantec has given me two notices:
*the first states that Trojan.Vundo was found in "C:\system volume information/_restore{B906308C-E7CF-4D81-A411-C157A628241}/RP16\A0000446.dll" and was quarantined.
* The second states that Trojan.Vundo was found in "C:\windows\system32\ujykbrrp.dll", also quarantined.
I ran an AVG scan which returned two incidents:
* the first is Trackingcookie.Coremetrics
* the second is Downloader.Tiny.id
Also, upon restart, S&D Teatimer asked me to "Allow" or "Deny" two changes:
* the first being a registry change by the name of "6c9e2ecd" which is reminiscent of the file(s) you had me delete in post #12 (I believe).
* the second attempted change was of the IE home page, something tried to change it from google to microsoft.
That is where I am now, I have not yet let AVG fix/delete the two files I spoke of. Should I have AVG delete them? Also, I know you need another HJT log but should I scan before or after the AVG fix in the previous sentence. Thanks for the help, again. :red:
pskelley
2007-11-26, 20:47
*the first states that Trojan.Vundo was found in "C:\system volume information/_restore{B906308C-E7CF-4D81-A411-C157A628241}/RP16\A0000446.dll" and was quarantined.
Symantec can not clean/quarantine System Restore files, they are protected; they are cleaned like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
* The second states that Trojan.Vundo was found in "C:\windows\system32\ujykbrrp.dll", also quarantined.
Navigate to that file in red and delete it.
If it was quarantined, delete it there.
* the first is Trackingcookie.Coremetrics
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
* the second is Downloader.Tiny.id
Have no idea what that is, I would need the name and location.
Thanks
Ok Phil, I have completed all of the above steps, did the system restore, did not find the Trojan.Vundo in system32 but found it in Symantec quarantine and deleted that (along with one or two others). I used AVG to delete the tracking cookie and the Downloader.Tiny.Id (although this was done last time too). I searched for the "downloader.tiny.id" at the location specified by Symantec, "C:\documentsandsettings\ship\localsettings\temp\cnkvigtc.exe", and it was not there. I have completed a new HJT log and it is below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47, on 2007-11-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jnrngaay.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5880 bytes
It seems like something is being missed that, when connected to the internet or on reboot, is downloading more of the same junk that was previously removed. Also, is there a way to look into the system restore to verify that the Trojan.Vundo from the above post was removed?
I remember that you wanted me to use Combofix but it was not working properly. Has this issue been solved? If so maybe it would help the situation.
pskelley
2007-11-26, 23:19
C:\documentsandsettings\ship\localsettings\temp\cnkvigtc.exe
Did you make sure all files and folders were showing?
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
These malware writers know how to hide junk. Make sure everything recent is deleted from that Temp folder in red, run ATF-Cleaner and run cleanManager also:
http://spyware-free.us/tutorials/cleanmgr/
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jnrngaay.exe
This is active, we need to stop the service before you can kill it:
Open a command prompt (start run type cmd press enter) type
sc delete "DomainService"
press enter, type exit and press enter to exit the command prompt
Now delete that file: C:\WINDOWS\system32\jnrngaay.exe
Also, is there a way to look into the system restore to verify that the Trojan.Vundo from the above post was removed?
Not that I am aware of, that's why we use scans that show the infection. No scan can touch those protected files, but they can show us the infection.
The rest of the HJT appears clean right now. You said:
I remember that you wanted me to use Combofix but it was not working properly. Has this issue been solved? If so maybe it would help the situation.
Can't hurt, the creator of combofix had his internet service go down and it is up and running.
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
Thanks
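Phil's O23 advice above (stop the DomainService entry with `sc delete`, then remove its binary) is the kind of HijackThis triage that can be scripted so the suspicious lines are not missed on a re-read. The example below is added here and is not a tool from this thread, from Spybot or from Trend Micro: it walks the O-lines of a HijackThis log and flags entries whose file is no longer on disk, services with an unknown owner, unnamed BHOs, and seven-or-eight-lowercase-letter names directly under system32 of the kind seen in this thread (jnrngaay, rcmkareq, iifggge), then emits the matching `sc delete` line for each flagged service. The sample log lines are constructed from entries posted in the thread, and the small allow-list of legitimate system32 names is my assumption. The name pattern is only a heuristic, so a hit is a reason to look at the file, not proof of infection.

```python
import re

# Constructed sample, modelled on the HijackThis logs posted in this thread
# (not the thread's own log); the file names are the ones discussed there.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\iifggge.dll (file missing)
O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\WINDOWS\system32\rcmkareq.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jnrngaay.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

HJT_LINE = re.compile(r"^O(\d+) - (.*)$")
# Seven or eight lowercase letters directly under system32, Vundo style.
RANDOM_IN_SYSTEM32 = re.compile(r"\\system32\\([a-z]{7,8})\.(?:dll|exe|ini)\b")
# Assumed allow-list of legitimate Windows binaries the pattern would otherwise hit.
KNOWN_GOOD = {"winlogon", "spoolsv", "svchost", "services", "wuauclt", "userinit"}
SERVICE = re.compile(r"^Service: (.+?) - ")


def triage_hjt(log_text):
    """Return the O-lines of a HijackThis log that deserve a closer look, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue                      # header, running-process lines, footer
        section, body = "O" + m.group(1), m.group(2)
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry: binary not on disk")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        rnd = RANDOM_IN_SYSTEM32.search(body)
        if rnd and rnd.group(1) not in KNOWN_GOOD:
            reasons.append("random-looking filename in system32")
        if reasons:
            findings.append({"section": section, "body": body, "reasons": reasons})
    return findings


def flagged_services(findings):
    """Service names from flagged O23 lines (what the 'sc delete' step targets)."""
    names = []
    for f in findings:
        if f["section"] == "O23":
            m = SERVICE.match(f["body"])
            if m:
                names.append(m.group(1))
    return names


def sc_delete_commands(findings):
    """One 'sc delete' command line per flagged service, as in the instructions above."""
    return ['sc delete "%s"' % name for name in flagged_services(findings)]


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f["section"], "|", f["body"])
        for r in f["reasons"]:
            print("    -", r)
    print("\n".join(sc_delete_commands(found)))
```

Run against a saved hijackthis.log by reading the file into `triage_hjt`; an orphaned O23 entry (binary already removed by a scanner, service key still present) is exactly the state this thread ended up in, and the service key still needs deleting even though the file is gone.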
I am positive that all of the files are showing because I made sure that I went back and hid them after I thought I was cleaned. After the problems resurfaced I had to unhide them again. I believe the reason that I did not find C:\documentsandsettings\ship\localsettings\temp\cnkvigtc.exe is because it was found by AVG and deleted first. I have downloaded Combofix and will begin the rest of the steps and then the scan. Just wanted to fill you in on the above hidden files issue.
Sorry it took awhile to reply. I think this site was having issues. Anyway, I have completed the steps you recommended. I ran the ATF-Cleaner, Cleanmgr, command prompt, "DomainService", etc. but I could not locate "C:\WINDOWS\system32\jnrngaay.exe". Perhaps it was one of the files removed by the AVG scan I mentioned in a previous post? A couple of things arose that I'm not sure of. An S&D notification window opened asking me to allow or deny a change about "category: User specific browser toolbar", "change: value deleted", "new entry: 11A69AE4.....etc." Should I deny this? I saw this same item referenced in post #4 of the below thread.
http://forums.spybot.info/search.php?searchid=633476
Also, a Windows security alert window opened asking me to block or unblock "Javaw". Any suggestions? Anyway, the Combofix log is below. Thanks again.
ComboFix 07-11-19.4 - ship 2007-11-27 8:57:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.157 [GMT -5:00]
Running from: C:\Documents and Settings\ship\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini2
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\pac.txt
.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.
2007-11-26 11:13 84,545 --a------ C:\WINDOWS\system32\okwxxfhv.dll
2007-11-26 11:07 80,960 --a------ C:\WINDOWS\system32\rcmkareq.dll
2007-11-21 10:53 <DIR> d-------- C:\VundoFix Backups
2007-11-21 10:07 714,281 --ahs---- C:\WINDOWS\system32\klspifxh.ini
2007-11-21 10:07 84,545 --a------ C:\WINDOWS\system32\hxfipslk.dll
2007-11-21 10:01 80,960 --a------ C:\WINDOWS\system32\rlvuqhyj.dll
2007-11-19 09:12 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-19 09:11 <DIR> d-------- C:\Program Files\Java
2007-11-19 09:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-15 16:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 10:00 79,936 --a------ C:\WINDOWS\system32\mxxvbimm.dll
2007-11-14 12:24 <DIR> d-------- C:\Documents and Settings\ship\Application Data\Grisoft
2007-11-14 12:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-14 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 21:28 672,261 --ahs---- C:\WINDOWS\system32\sfddpoxy.ini
2007-11-13 09:11 <DIR> d-------- C:\TEMP\abW9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 14:47 --------- d-----w C:\Program Files\Google
2007-11-15 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 16:27 --------- d-----w C:\Program Files\lmw32
2007-10-09 16:09 49,152 ----a-w C:\Documents and Settings\ship\PNPrint3.exe
2007-06-05 04:51 96,824 ----a-w C:\Documents and Settings\DOROTHY\Application Data\GDIPFONTCACHEV1.DAT
2006-04-12 13:16 88,592 ----a-w C:\Documents and Settings\ship\Application Data\GDIPFONTCACHEV1.DAT
2005-07-19 12:46 69,128 ----a-w C:\Documents and Settings\samrab\Application Data\GDIPFONTCACHEV1.DAT
2005-04-25 16:49 25,680 --sha-w C:\WINDOWS\msagent\rvsnur.bak1
2005-04-29 16:50 442,796 --sha-w C:\WINDOWS\msagent\rvsnur.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01408191-AA0E-4E1F-99F5-59AFB71DA20F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
C:\WINDOWS\system32\iifggge.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c0404a5-2dbc-400c-b866-330068b9c644}]
2007-11-26 11:07 80960 --a------ C:\WINDOWS\system32\rcmkareq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b03ac20d-d24d-4551-8def-feba2d87e8db}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4728951-1E39-450D-B2CB-2B48A73A4E02}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA2B1675-E3EB-4062-B876-20D8BE9C9A32}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2001-12-04 12:07 C:\WINDOWS\GWMDMMSG.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 00:21]
"nwiz"="nwiz.exe" [2005-06-15 16:20 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 11:40]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\iifggge.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggge]
C:\WINDOWS\System32\NavLogon.dll 2003-05-21 00:19 45056 C:\WINDOWS\system32\NavLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
C:\WINDOWS\system32\req.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllml.dll
R0 rttmntr;R-TT Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\rttmntr.sys
R0 snaprtt;Acronis Snapshots Manager (R-TT);C:\WINDOWS\system32\DRIVERS\snaprtt.sys
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R2 rttfsfilt;R-TT FS Filter;C:\WINDOWS\system32\DRIVERS\rttfsfilt.sys
S1 ITE8872;ITE8872 PCI Super IO Driver;C:\WINDOWS\system32\drivers\ITE8872.sys
S2 ITE8872par;ITE8872 Parallel Driver;C:\WINDOWS\system32\drivers\ITE8872par.sys
S2 ITE8872ser;ITE8872 Serial Driver;C:\WINDOWS\system32\drivers\ITE8872ser.sys
S2 NTFILERW;NTFILERW;\??\C:\WINDOWS\System32\Drivers\NTFILERW.SYS
S3 FILEMON;FILEMON;\??\C:\WINDOWS\system32\drivers\DSYNC.SYS
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 14:11:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 09:10:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-27 9:14:21 - machine was rebooted
.
--- E O F ---
pskelley
2007-11-27, 18:37
I supplied you with tutorials for using Spybot and TeaTimer. If you have any more questions about those, post them here:
http://forums.spybot.info/forumdisplay.php?f=4
If you get a request for access and you do not know what it is, then deny it and use Google to find out where the request was from so you will know the next time.
You posted a dead link, check your links if you are going to post them.
Make sure all files and folders are visible, these files may be gone, check and delete any you find.
C:\WINDOWS\system32\okwxxfhv.dll
C:\WINDOWS\system32\rcmkareq.dll
C:\WINDOWS\system32\klspifxh.ini
C:\WINDOWS\system32\hxfipslk.dll
C:\WINDOWS\system32\rlvuqhyj.dll
C:\WINDOWS\system32\mxxvbimm.dll
C:\WINDOWS\system32\sfddpoxy.ini
Here is the Google search engine: http://www.google.com/
Results of a search for "Javaw"
http://www.google.com/search?hl=en&q=Javaw&btnG=Search
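The seven files Phil lists come straight from the "Files Created" section of the ComboFix log above. As an added example (not part of the thread, and not ComboFix's own code), the script below parses that section and applies three checks the posted log itself supports: random-looking lowercase names directly under system32, .ini files created with the hidden and system attributes set (the `--ahs----` column), and the pairing in which the .ini name is the .dll name spelled backwards (klspifxh.ini beside hxfipslk.dll in the created-files list, and lmllm.ini beside mllml.dll in the "Other Deletions" list). The sample section is constructed from the log entries posted in the thread; the attribute-column layout is taken from that log.

```python
import re

# Constructed excerpt in the layout of ComboFix's "Files Created" section,
# using the file names from the log posted in this thread (not the log itself).
SAMPLE_FILES_CREATED = r"""
2007-11-26 11:13 84,545 --a------ C:\WINDOWS\system32\okwxxfhv.dll
2007-11-26 11:07 80,960 --a------ C:\WINDOWS\system32\rcmkareq.dll
2007-11-21 10:53 <DIR> d-------- C:\VundoFix Backups
2007-11-21 10:07 714,281 --ahs---- C:\WINDOWS\system32\klspifxh.ini
2007-11-21 10:07 84,545 --a------ C:\WINDOWS\system32\hxfipslk.dll
2007-11-19 09:12 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-14 12:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
"""

# date  time  size-or-<DIR>  nine-character attribute column  path
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{9}) (.+)$")
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")


def parse_files_created(text):
    """Parse 'date time size attrs path' lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        parent, _, name = path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if not dot:                       # no extension (directories, bare names)
            stem, ext = name, ""
        entries.append({
            "date": date, "time": time, "attrs": attrs, "path": path, "name": name,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "stem": stem, "ext": ext.lower(),
            "in_system32": parent.lower().endswith("\\system32"),
        })
    return entries


def triage_files_created(entries):
    """Flag entries by random name, hidden+system .ini, and reversed-name dll/ini pairs."""
    by_stem = {e["stem"]: e for e in entries if e["in_system32"]}
    findings = []
    for e in entries:
        reasons = []
        if e["in_system32"] and e["ext"] in ("dll", "exe", "ini") and RANDOM_STEM.match(e["stem"]):
            reasons.append("random-looking name in system32")
        if e["ext"] == "ini" and "h" in e["attrs"] and "s" in e["attrs"]:
            reasons.append("hidden+system .ini")
        partner = by_stem.get(e["stem"][::-1])
        if partner is not None and partner is not e and {e["ext"], partner["ext"]} == {"dll", "ini"}:
            reasons.append("name is the reverse of " + partner["name"])
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_files_created(parse_files_created(SAMPLE_FILES_CREATED)):
        print(f["path"])
        for r in f["reasons"]:
            print("    -", r)
```

The reversed-name check is the one that turns two separately odd files into a pair that should be removed together; javacpl.cpl and the AVG driver pass all three checks, which is the point of keeping the extension list and the system32 restriction narrow.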
Gotcha, I will post those questions in the other forum. I have deleted the files you specified. All went easy except for the "rcmkareq.dll". I had to delete it in safe mode. I thought I copied the link above properly but obviously not. :oops: The link below should (hopefully) be the correct one. The original post was done by "patientzero".
http://forums.spybot.info/showthread.php?t=19952&highlight=11A69AE4
pskelley
2007-11-27, 20:33
How is this computer running now?
I have yet to reconnect to the internet for fear of a reoccurrence like last time. Shall I reconnect?
Good Morning Phil. I am back online and so far so good. I briefly surfed around and did not get any pop-ups or other tabs opening in IE. I ran HJT to see if there was anything fishy and I found a few things that were not there the last few times I scanned. I will post it below for your review. Of particular concern are the BHO categories, especially the ones referencing "iifggge.dll" and "rcmkareq.dll". The other BHOs I am unsure of. Also, there are two lines regarding "Winlogon Notifys". One for sure looks fishy (iifggge!). Anyway, here is the newest HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04, on 2007-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {01408191-AA0E-4E1F-99F5-59AFB71DA20F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\iifggge.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\WINDOWS\system32\rcmkareq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b03ac20d-d24d-4551-8def-feba2d87e8db} - (no file)
O2 - BHO: (no name) - {B4728951-1E39-450D-B2CB-2B48A73A4E02} - (no file)
O2 - BHO: (no name) - {CA2B1675-E3EB-4062-B876-20D8BE9C9A32} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O20 - Winlogon Notify: iifggge - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6930 bytes
FYI: I ran an AVG and S&D scan prior to reconnecting the internet and neither found any issues. :)
pskelley
2007-11-28, 16:41
Thanks for posting, these are leftover junk (not active malware) but we should get rid of it. Understand spyware programs are designed to block changes, so we need to turn them off.
AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
TeaTimer is probably causing this, at times we have to uninstall the complete Spybot program to get this done.
TeaTimer will block changes we must make, use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm
We will do this also: In some cases it's quite useful to reset TeaTimer, once you've had it disabled to remove HijackThis entries:
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat http://downloads.subratam.org/ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
Once you are sure the above is done, then do this:
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {01408191-AA0E-4E1F-99F5-59AFB71DA20F} - (no file)
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\iifggge.dll (file missing)
O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\WINDOWS\system32\rcmkareq.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b03ac20d-d24d-4551-8def-feba2d87e8db} - (no file)
O2 - BHO: (no name) - {B4728951-1E39-450D-B2CB-2B48A73A4E02} - (no file)
O2 - BHO: (no name) - {CA2B1675-E3EB-4062-B876-20D8BE9C9A32} - (no file)
O20 - Winlogon Notify: iifggge - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner if you still have it if not use: http://spyware-free.us/tutorials/cleanmgr/
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and they should be gone. If they are not then uninstall Spybot S&D completely, reboot then do the removal again. Reboot, make sure the stuff is gone, then reinstall Spybot S&D.
For your information:
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Thanks
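A defender-side illustration of what the "Fix Checked" step above is cleaning up, added here as an example and not part of this thread, of HijackThis or of Spybot: a small Python parser that reads O2 (BHO) and O20 (Winlogon Notify) lines from a HijackThis log and flags entries whose DLL is absent, i.e. the same "(no file)", "(file missing)" and bare-directory entries that were checked in the list above. The sample lines are copied from the log in this thread (plus one clean O4 line to show it is ignored); the function and class names are my own and assumed, not HijackThis output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample HijackThis lines copied from the log posted above (constructed test input).
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {01408191-AA0E-4E1F-99F5-59AFB71DA20F} - (no file)",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\\WINDOWS\\system32\\iifggge.dll (file missing)",
    "O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\\WINDOWS\\system32\\rcmkareq.dll (file missing)",
    "O20 - Winlogon Notify: iifggge - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: req - C:\\WINDOWS\\system32\\req.dll (file missing)",
    "O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe",
]

# Every HJT line starts with "O<n> - <kind>: <rest>".
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


@dataclass
class Entry:
    section: str               # "O2" or "O20"
    kind: str                  # "BHO" or "Winlogon Notify"
    name: str                  # display name, "(no name)" or a GUID
    clsid: Optional[str]       # BHO CLSID; None for O20 entries
    path: str                  # DLL path as printed by HJT
    reasons: List[str] = field(default_factory=list)

    @property
    def orphaned(self) -> bool:
        """True when the registry entry no longer points at a real DLL."""
        return bool(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O20 line into an Entry and record why it is orphaned, if it is.

    Lines from other sections (O4, O9, O23, ...) return None; this example only
    covers the two sections that were fixed in the post above.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    clsid = None
    if section == "O2":
        # BHO: <name> - {CLSID} - <path>; the name itself may be a GUID, so
        # split at most twice from the left to keep the path intact.
        parts = rest.split(" - ", 2)
        if len(parts) != 3:
            return None
        name, clsid, path = parts
    elif section == "O20":
        # Winlogon Notify: <name> - <path>
        parts = rest.split(" - ", 1)
        if len(parts) != 2:
            return None
        name, path = parts
    else:
        return None

    entry = Entry(section, kind, name, clsid, path)
    # Orphan rules: HJT prints these markers when it cannot find the file.
    if path == "(no file)":
        entry.reasons.append("registry entry carries no file path")
    elif path.endswith("(file missing)"):
        entry.reasons.append("referenced DLL does not exist on disk")
    elif section == "O20" and path.endswith("\\"):
        entry.reasons.append("points to a directory, not a DLL")
    return entry


def find_orphans(lines: List[str]) -> List[Entry]:
    """Return the O2/O20 entries that are leftover clutter (no DLL behind them)."""
    parsed = (parse_line(l) for l in lines)
    return [e for e in parsed if e is not None and e.orphaned]


def report(lines: List[str]) -> str:
    """Human-readable summary, one orphan per line."""
    rows = []
    for e in find_orphans(lines):
        ident = e.clsid if e.clsid else e.name
        rows.append(f"{e.section} {e.kind}: {ident} -> {'; '.join(e.reasons)}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Loading entries do not appear in the verdict unless HJT itself reported a missing file, so a BHO whose DLL is present (the Adobe helper above) is left alone; the rules match the markers HJT prints rather than guessing from names. On a live machine the same classification is what lets you separate dead registry pointers from an active infection, which is why the O2 entries above could be fixed without any further scanning.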
I have completed the steps including running resetteatimer.bat. The command window opens and says to make sure S&D and TeaTimer are not running (which they aren't), pressing Enter starts the process and I get the message
C:\documents and settings\ship\desktop\getpaths.vbx(16, 1) Wscript.creatobjects: Could not create object named "wscript.shell".
and
'setpaths.bat' is not recognized as an internal or external command, operable program or batch file. Could not find C:\documents and settings\ship\desktop\setpaths.bat
Finished.
I did a google search for a guide or info on this program but came up with very little. I have not proceeded because I am unsure if it accomplished what we needed it to. If this has not done the job we hoped should I uninstall S&D all together?
pskelley
2007-11-28, 18:27
I have no idea why you got that message, it should have just happened. If the junk is still there, use the uninstall/reinstall method. The stuff is just clutter, not malware.
Thanks
I followed all of the procedures you suggested. I did an uninstall of S&D, verified that ALL of the junk files were removed, reinstalled S&D, ran an AVG scan and S&D scan, both of which came back clean, reconnected to the internet and surfed around for a minute or so and there appears to be no issue here. As a final step I have produced a final HJT log (I hope:)). Hope it passes.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39, on 2007-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6156 bytes
pskelley
2007-11-28, 21:39
Looks good:bigthumb:
Safe surfing
Good morning Phil. A bit foggy this morning isn't it (I'm in Clearwater too). I have reversed all of the changes you made to accomplish this project (re-hidden folders, turned on AVG, S&D, etc.) and everything seems to be alright. Thanks for all of the help again and keep up the fight :bigthumb:.