View Full Version : NewDotNet & Winfixer - can't get rid of them
Little Oscar
2006-04-03, 05:05
Thanks for looking at this. NewDotNet shows up on S&D scan, but does not get fixed even after restarting as instructed. I've tried several possible fixes that I found on the web including the uninstall on NDN website. Nothing has worked. At the same time, LS Ad-Aware reboots computer when 1st critical object shows up. I was able to stop the scan to see that it was WINFIXER before it rebooted. Computer crawls from application to application now. Web pages stall periodically. I'm a novice and don't know what to do now. I updated S&D and LS A-A before running HijackThis. Thanks for any help you can give!
Logfile of HijackThis v1.99.1
Scan saved at 6:58:00 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rss.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVDN] C:\WINDOWS\LVDN.exe
O4 - HKLM\..\Run: [secsrvrc] C:\WINDOWS\System32\secsrvrc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RpcSubSystem] C:\WINDOWS\system32\rss.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\OJML6XML\WinAntiSpyware2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pwiarq.exe reg_run
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll
O20 - Winlogon Notify: winres32 - C:\WINDOWS\SYSTEM32\winres32.dll
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe (file missing)
LonnyRJones
2006-04-07, 07:52
Sorry for the delay
If your not being assisted at another forum ? >
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4)
to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two minutes then Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Little Oscar
2006-04-09, 01:59
Thank you, Lonny. Here are the results of VundoFix & HijackThis:
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstb.bak2
C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
Logfile of HijackThis v1.99.1
Scan saved at 5:49:00 PM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\RSS.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN.EXE
C:\PROGRAM FILES\MSN\MSNIA\CC\MSNCC\MSNCC.EXE
C:\PROGRAM FILES\MSN\MSNIA\CC\MSNCC\WA\MSNACCEL.EXE
C:\hijackthis\HijackThis.exe
C:\hijackthis\HijackThis.exe
C:\hijackthis\HijackThis.exe
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: (no name) - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVDN] C:\WINDOWS\LVDN.exe
O4 - HKLM\..\Run: [secsrvrc] C:\WINDOWS\System32\secsrvrc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RpcSubSystem] C:\WINDOWS\system32\rss.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\OJML6XML\WinAntiSpyware2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pwiarq.exe reg_run
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E40B955-332F-49BE-9B6B-E30793DA6E0F}: NameServer = 198.6.100.218 198.6.1.218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O20 - Winlogon Notify: winres32 - C:\WINDOWS\SYSTEM32\winres32.dll
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe (file missing)
Next step?
Oscar
LonnyRJones
2006-04-09, 02:53
In addremove programs uninstall WINFIXER if listed
Optional uninstalls>
uninstall any mywebsearch programs.
uninstall any viewpoint programs.
Turn off SpyBots tea timer and the bigfix program for now
Open a command prompt (start run type cmd press enter) type
sc delete "Windows SMX"
press enter, type exit and press enter to exit the command prompt
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - (no file)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - (no file)
O4 - HKLM\..\Run: [LVDN] C:\WINDOWS\LVDN.exe
O4 - HKLM\..\Run: [secsrvrc] C:\WINDOWS\System32\secsrvrc.exe
O4 - HKLM\..\Run: [RpcSubSystem] C:\WINDOWS\system32\rss.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\OJML6XML\WinAntiSpyware2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pwiarq.exe reg_run
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab (http://cabs.elitemediagroup.net/cabs/mediaview.cab)
====================================
Hit fix checked and close Hijackthis.
Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox what version is it ?
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.
C:\WINDOWS\SYSTEM32\winres32.dll
C:\WINDOWS\LVDN.exe
C:\WINDOWS\System32\secsrvrc.exe
C:\WINDOWS\system32\rss.exe
C:\WINDOWS\winsmx.exe
Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post a fresh hijackthis log please
Little Oscar
2006-04-09, 20:03
Lonny - Tasks accomplished. Here's the current HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:57:10 AM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN.EXE
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\PROGRAM FILES\MSN\MSNIA\CC\MSNCC\MSNCC.EXE
C:\PROGRAM FILES\MSN\MSNIA\CC\MSNCC\WA\MSNACCEL.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1
\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN
Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006
\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\Documents and Settings\Julie\Local
Settings\Temporary Internet Files\Content.IE5\OJML6XML\WinAntiSpyware2006FreeInstall[1].exe" -
nag
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Update Page Content - C:\Program
Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program
Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program
Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program
Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32
\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program
Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E40B955-332F-49BE-9B6B-E30793DA6E0F}: NameServer =
198.6.100.218 198.6.1.218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O20 - Winlogon Notify: winres32 - winres32.dll (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32
\PackethSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. -
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. -
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1
\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1
\INTERN~1\tmproxy.exe
LonnyRJones
2006-04-10, 00:04
Hi
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NI.UWAS6_0001_N68M2301"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winres32]
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.
Post another Hijackthis log, this time try turning on wordwrap so the formating stays the same.
Post a report from one or both of these free online scans
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
Little Oscar
2006-04-10, 07:30
Lonny - Done. Here are the log & reports:
Logfile of HijackThis v1.99.1
Scan saved at 8:37:39 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN.EXE
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\PROGRAM FILES\MSN\MSNIA\CC\MSNCC\MSNCC.EXE
C:\PROGRAM FILES\MSN\MSNIA\CC\MSNCC\WA\MSNACCEL.EXE
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E40B955-332F-49BE-9B6B-E30793DA6E0F}: NameServer = 198.6.100.218 198.6.1.218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
I ran the Panda scan, but it's too much volume to send. It will follow shortly as Part 2. Sorry.
Little Oscar
2006-04-10, 07:36
From Panda:
Incident Status Location
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\PROGRAM FILES\MSN MESSENGER\RICHED20.dll
Adware:adware/gator Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\bundle.inf
Adware:adware/keenvalue Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\IncrediFindBHOLog.tmp
Adware:adware/sqwire Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\tsinstall_4_0_3_1.exe
Adware:adware/deskwizz Not disinfected C:\WINDOWS\SYSTEM32\ad.html
Potentially unwanted tool:application/mywebsearch Not disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr
Adware:adware/comet Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\cc.inf
Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Julie\Application Data\tvmknwrd.dll
Spyware:spyware/apropos Not disinfected C:\contextplus.exe
Spyware:spyware/searchcentrix Not disinfected C:\WINDOWS\adrsb.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\adtech2006.exe
Adware:adware/exact.bargainbuddy Not disinfected C:\WINDOWS\bargain2.exe
Adware:adware/ncase Not disinfected C:\WINDOWS\msbbi.exe
Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall7_22.exe
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/wintools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\msiein
Adware:adware/vaultsearch Not disinfected C:\PROGRAM FILES\COMMON FILES\VCClient
Adware:adware/downloadware Not disinfected Windows Registry
Potentially unwanted tool:application/winantispyware2006 Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\WINANTISPYWARE 2006 SCANNER
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Julie\Cookies\julie@statcounter[1].txt
Virus:Trj/VB.KN Not disinfected C:\31567.exe
Adware:Adware/DollarRevenue Not disinfected C:\4252.exe
Adware:Adware/DollarRevenue Not disinfected C:\462.exe
Virus:Trj/Agent.AWK Not disinfected C:\contextplus.exe
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\Friend\Cookies\friend@centralmedia[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Friend\Cookies\friend@go[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Friend\Cookies\friend@rightmedia[1].txt
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Friend\Local Settings\Temp\saveinstwm.exe
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Friend\Local Settings\Temp\~363009.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Friend\Local Settings\Temp\~566777.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Julie\Cookies\julie@statcounter[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@ad.yieldmanager[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@burstnet[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@c.enhance[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@ct.360i[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@dist.belnk[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@i.screensavers[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@rightmedia[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Cookies\julie@www.burstbeacon[1].txt
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\PccMsi\backup\T\60204000.DAT
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\temp.fr9A56\common.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\temp.fr9A56\TBPS.exe
Adware:Adware/SearchWWW Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\temp.fr9A56\Update\toolbar.dll
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\Tvm.upd
Don't know what the deal is! Part 3 to follow. I hope.
Little Oscar
2006-04-10, 07:39
2nd half of Panda scan:
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~311142.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~341875.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~348716.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~357445.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~365063.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~377593.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~379563.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~379737.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~399579.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~407990.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~427772.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~483016.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~485747.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~501555.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~504128.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~514687.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~527434.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~549571.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~556961.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~589044.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~641485.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~670198.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~702405.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~756531.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~770923.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~795155.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~795204.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~822387.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~824373.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~861565.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~908901.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~918897.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~938291.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~954878.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Julie\Local Settings\Temp\~991832.tmp
Still too big! This is insane! I'm so sorry! Part 4 should be the end.
Little Oscar
2006-04-10, 07:40
Panda scan - the end.
Virus:W32/Sdbot.GIL.worm Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JBL4EOG\3zvo80[1].jpg
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JBL4EOG\77p6ov[1].jpg
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JBL4EOG\Installer[1].exe
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JBL4EOG\NNSCAA638[1].EXE
Virus:W32/Sdbot.FXH.worm Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JBL4EOG\Picture_9[1].exe
Virus:Trj/VB.KN Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0JB34EX\dnvzd6[1].jpg
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0JB34EX\ZICORN001[1].exe
Virus:Bck/Agent.BDP Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PQRST34W\10ngy7r[1].jpg
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PQRST34W\sjq3lg[1].jpg
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XP8ISTUV\77p6ov[1].jpg
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XP8ISTUV\winsysupd3[1].exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\do_work\awfvsmdj.exe
Adware:Adware/Look2Me Not disinfected C:\Installer.exe
Spyware:Spyware/New.net Not disinfected C:\NNSCAA638.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Virus:Bck/Agent.BDP Not disinfected C:\TmpSs32.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\adtech2006.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Virus:W32/Sdbot.FXH.worm Not disinfected C:\WINDOWS\msvcrs.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_22.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SnVsaWU\mBpPuqo.vbs
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\ad.html
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\AdService.dll
Adware:Adware/VirtualBouncer Not disinfected C:\WINDOWS\system32\BO2802040113.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\system32\f3PSSavr.scr
Adware:Adware/NetPals Not disinfected C:\WINDOWS\system32\Ia1cm.dll
Virus:W32/Sdbot.GIL.worm Not disinfected C:\WINDOWS\temp\eraseme_85423.exe
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\temp\tsinstall_4_0_4_0_b4.exe
Adware:Adware/Zenosearch Not disinfected C:\ZICORN001.exe
LonnyRJones
2006-04-10, 13:09
Clear temps with a program such as System Security Suite.
http://www.igorshpak.net/
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program Check all the boxes under the 'Items to Clear' (except perhaps cookies) tab and click
'Clear Selected Items'. You will be prompted to reboot, do so.
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.
C:\TmpSs32.exe
C:\WINDOWS\adtech2006.exe
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\cc.inf
C:\WINDOWS\msvcrs.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\system32\ad.html
C:\WINDOWS\system32\AdService.dll
C:\WINDOWS\system32\BO2802040113.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\Ia1cm.dll
C:\ZICORN001.exe
C:\do_work\awfvsmdj.exe
C:\Installer.exe
C:\NNSCAA638.EXE
C:\31567.exe
C:\4252.exe
C:\462.exe
C:\contextplus.exe
C:\Documents and Settings\Julie\Application Data\tvmknwrd.dll
C:\WINDOWS\adrsb.exe
C:\WINDOWS\adtech2006.exe
C:\WINDOWS\bargain2.exe
C:\WINDOWS\msbbi.exe
Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.
After the PC has restarted manualy delete he folders listed below
C:\PROGRAM FILES\COMMON FILES\VCClient
C:\WINDOWS\SnVsaWU
C:\PROGRAM FILES\Lycos
Post a report from this tool if any FILES show
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.
Little Oscar
2006-04-11, 06:09
Lonny - The search did not find C:\WINDOWS\SnVsaWU. There were no hidden files found from Backlite. Anything else?
LonnyRJones
2006-04-11, 07:03
Turn Tea timer back on and accept any changes
"There were no hidden files found from Backlite"
Thats a good thing
C:\WINDOWS\SnVsaWU will be a hidden folder, do you have hidden files folders and extensions set to be shown ?
Set windows to show hidden file's, folders and extension's.
Click Start.
Open any folder.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Uncheck hide extension's for known file types
Click Apply to confirm.
Click OK.
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
Little Oscar
2006-04-13, 07:05
Lonny - thanks! Got that done. PC running normal again. Still have NewDotNet showing up on S&D scan. Is there more to do to get rid of it?
LonnyRJones
2006-04-13, 07:39
Post the topmost part of a SpyBot report, down to and including SSD's updates.
Open SpyBot 1.4, check for and get any updates available, close all browsers, check for problems and fix everything found. Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools and view report, ensure all the options are select near the bottom except
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select (near the top) view report, Press export, in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "manage attachments" button , navigate to and attach or post that report please.
Little Oscar
2006-04-14, 17:06
I hope this is right, Lonny. I deleted everything from "system information" down from the report.
--- Search result list ---
Web-Nexus: Autorun settings (winsync) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsync
NewDotNet: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\Tldctl2.URLLink
NewDotNet: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\Tldctl2.URLLink.1
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-05 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-04-07 Includes\Cookies.sbi (*)
2006-04-07 Includes\Dialer.sbi (*)
2006-04-07 Includes\Hijackers.sbi (*)
2006-04-07 Includes\Keyloggers.sbi (*)
2006-04-07 Includes\Malware.sbi (*)
2006-04-07 Includes\PUPS.sbi (*)
2006-04-07 Includes\Revision.sbi (*)
2006-04-07 Includes\Security.sbi (*)
2006-04-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-04-07 Includes\Trojans.sbi (*)
(Sorry that I didn't see the attachment for files earlier on. Duh.)
LonnyRJones
2006-04-14, 17:19
Does that Web-Nexus: Autorun settings, keep showing up ?
Lets try this for the NewDotNet entries
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Classes\Tldctl2.URLLink]
[-HKEY_LOCAL_MACHINE\Software\Classes\Tldctl2.URLLink.1]
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Run another SpyBot check for problems > fix then post the same part of a log like you just did.
Little Oscar
2006-04-15, 18:10
Lonny - the Web-Nexus shows fixed but it shows up again on the next scan.
Attached is the SDD report after fix.me task.
LonnyRJones
2006-04-15, 23:15
Those newdotnet items appear to be harmless leftovers, I suggest leaving them unless your already familur and comfortable with regedit ?
Are tea timer and bigfix still turned off ?
Little Oscar
2006-04-17, 04:42
I will just leave them, Lonny. Tea-timer is still off. BigFix reopens each time the PC restarts. Looks like we're done, yes?
LonnyRJones
2006-04-17, 05:01
If tea timer is set to not start with windows then this item
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pwiarq.exe reg_run
Should be fixed with hiajckthis and it should stay fixed.
In other words if you choose the wrong decision when tea timer alerted it can put back the reg entry, even if the file (real infection) is no longer there.
Fix it once again (with hijackthis)then restart your pc and check if its back
Another great program to have its ewido, its a trial, You can continue to use it after the trial period but without its resident. http://www.ewido.net/en/download/
Little Oscar
2006-04-20, 06:50
Lonny - I turned off tea-timer and ran HJT as instructed. There was some of the junk from 04/09/06 report as well as the 04...[winsync]... I fixed those and think that I got everything but I'm attaching the HJT for your review.
LonnyRJones
2006-04-20, 10:09
Hi
Scan and fix these with hijackthis
O2 - BHO: (no name) - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - (no file)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - (no file)
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\OJML6XML\WinAntiSpyware2006FreeInstall[1].exe" -nag
================
Turn off Tea Timer (right-click its icon in the tray area near the windows close and choose exit)
and close SpyBot if open. Download ResetTeaTimer.bat (rightclick save as)
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat.
Turn Tea timer back on again via SpyBots tools resident page.
Let us know if any items we have fixed show again in a hijackthis log
Little Oscar
2006-04-21, 06:02
Lonny - This one is still there after completing tasks:
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\OJML6XML\WinAntiSpyware2006FreeInstall[1].exe" -nag
HJT log attached.
LonnyRJones
2006-04-21, 06:29
OK, Lets use a regfix
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file. (not including the word code)
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NI.UWAS6_0001_N68M2301"=-
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
If tea timer is on and alerts to the change click allow, do not tick the box to remember the decision..
Little Oscar
2006-04-22, 06:38
Lonny - that did it! YEAAAA! Is there anything else that needs to be done?
LonnyRJones
2006-04-22, 06:49
You turned Tea timer back on ?
Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see >
http://forums.spybot.info/showthread.php?t=27
Stay safe
Little Oscar
2006-04-22, 20:17
Lonny - I can't thank you enough for all your help, patience and advice! You are a gem indeed! THANK YOU! THANK YOU! THANK YOU!
LonnyRJones
2006-04-27, 15:17
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.