Please Help

nannerzlewis

New member
I have been trying to remove everything from my notebook (spyware, adware). I'm not sure if the computer has a virus or not. I have the program Antispyware and the only thing that the scans show is a Downloader bug called Vundo. I have listed below the HiJackThis log that I ran after I've done all that I know to do. If someone could advise me as to what to do, I would greatly appreciate it!!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:53 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\ipqjdgbn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\AntiSpywareApp\AntiSpyware.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\tjabgagn.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\ipqjdgbn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8379500C-86A1-4567-B920-BB7612D889F8}: NameServer = 68.28.50.91 68.28.58.92
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

--
End of file - 3174 bytes
 
hi,

AntispywareApp
that is a rogue spyware remover, i would uninstall it via the add/remove programs panel.

first we will use hjt, then boot computer into safe mode to look for some files to delete.

first hjt:
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"

O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\tjabgagn.dll",b

O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\ipqjdgbn.exe

try this:
go to start>run and type cmd in the window, click ok. at the prompt type in:

regsvr32.exe /u tjabgagn.dll
note: there is a space after the exe and before the /
-----------------------------------
boot computer into safe mode by tapping the f8 key during a computer restart. might want to copy/paste this into notepad so you can find and read it in safe mode;

once in safe mode navigate to the:
C:\WINDOWS\system32\ dir

once there see if you can locate and delete:

ipqjdgbn.exe
tjabgagn.dll

also do this in safe mode:
using explorer (right click on start>explore) drill down to these. you want to delete what's >inside< the folder, not the folder itself.

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

and this:

Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-------------------------------------------------
reboot computer normally. first stop:
download, install, update and scan with ONE of these:

http://free.grisoft.com/doc/20/lng/us/tpl/v5

or

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
------------------------------------------------------
rescan and post a new hjt log after the above please.
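
An added example, not part of the original posts and not the helper's own method: a small Python parser for the registry-style O4 autorun lines of a HijackThis log that lists entries whose target file sits directly in C:\WINDOWS\system32. That location test is an assumed, crude triage heuristic (legitimate autoruns can live there too), and the names `parse_o4` and `flag_system32` are made up for this sketch.

```python
import ntpath
import re
from typing import List, NamedTuple

# O4 lines copied from the log in the first post, plus one non-O4 line.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\tjabgagn.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\ipqjdgbn.exe
'''

# Only the registry form "O4 - HKxx\..\<key>: [name] command" is handled.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$', re.M)
# First absolute path ending in .exe/.dll; copes with unquoted paths with spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.I)

class Autorun(NamedTuple):
    hive: str
    key: str
    name: str
    command: str
    target: str          # file actually loaded, '' if no absolute path found
    via_rundll32: bool   # True when the command starts with rundll32

def parse_o4(log: str) -> List[Autorun]:
    """Extract every registry autorun (O4) entry from a HijackThis log."""
    entries = []
    for m in O4_RE.finditer(log):
        hive, key, name, command = m.groups()
        path = PATH_RE.search(command)
        entries.append(Autorun(hive, key, name, command.strip(),
                               path.group(0) if path else '',
                               command.lower().startswith('rundll32')))
    return entries

def flag_system32(entries: List[Autorun]) -> List[Autorun]:
    """Assumed heuristic: autoruns whose target is directly in system32."""
    return [e for e in entries
            if ntpath.dirname(e.target).lower() == r'c:\windows\system32']

if __name__ == '__main__':
    for e in flag_system32(parse_o4(SAMPLE_LOG)):
        print(f'{e.hive}\\{e.key} [{e.name}] -> {e.target} (rundll32={e.via_rundll32})')
```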