View Full Version : Getting rid of the stubborn pop-ups
Please help! :eek:
Used Spybot, AVG 7.1 Professional to try to fix this but it keeps popping up "Drivecleaner" and other "Spyware Removal" websites as well as "mature" pop-ups and a desktop systray icon thats come around, i think i may have fixed the desktop stealing part but i haven't fixed the popups yet, after running HijackThis, this was my log:
------
Note that i also had a memory read error after pressing the log:
The instruction at "0x01ed80a3" referenced memory at "0x00000000". The memory could not be "read".
Click on Ok to terminate
------
is this because of the virus or something? anyways log is:
Logfile of HijackThis v1.99.1
Scan saved at 12:33:13 AM, on 10/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SERVICE.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\{DCB1BB22-070A-1033-0715-050501170001}\Update.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINNT\twain_32\ca561a\SnapDetect.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Documents and Settings\Steve\My Documents\AntiVirus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: SnapDetect.lnk = C:\WINNT\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135637598656
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Auto Logon Service (AutoLogon) - Unknown owner - C:\Program Files\Macro Scheduler\autologonsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macro Scheduler Service (mschedsvc) - Unknown owner - C:\Program Files\Macro Scheduler\msschedsvc.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
please help, it seems the problem is only getting worse. Any time i get on either mozilla or internet explorer i start getting random pop-ups and "Warning" Boxes that appear telling me "*gasp* you have a virus! click here to destroy it" of course leading to more pop-ups... grr.. still need help if anyone can give it, thank you
Now i'm having "Explorer.exe" cotinually shut down, i'm really scared that this is a biproduct of the virus, does anyone have any suggestions?
after the errors i've been having, another hijack this log.. it may be the same, it may be different. i'm really not sure how to read it so i appologize if its the same!
---
Logfile of HijackThis v1.99.1
Scan saved at 2:12:30 AM, on 10/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SERVICE.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\{DCB1BB22-070A-1033-0715-050501170001}\Update.exe
C:\WINNT\twain_32\ca561a\SnapDetect.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Steve\My Documents\AntiVirus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: SnapDetect.lnk = C:\WINNT\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135637598656
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Auto Logon Service (AutoLogon) - Unknown owner - C:\Program Files\Macro Scheduler\autologonsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macro Scheduler Service (mschedsvc) - Unknown owner - C:\Program Files\Macro Scheduler\msschedsvc.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
-----
Thanks again to any who help
pskelley
2006-10-15, 13:33
Welcome to the forum. tashi:) pinned valuable information to the top of the forum where you posted and you may have missed it, especially this one:
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288
You keep adding to the post and we look for posts with 0 indicating the member has received no help yet.
You have a nasty running from your services: http://www.symantec.com/security_response/writeup.jsp?docid=2003-082116-1050-99 and you will want to review that information to understand how it has compromised your security. You have other junk, but let's try this fix to kill this trojan.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Steve, there is a very good chance you also have a hidden Vundo trojan we will have to remove. Before you post that HJT log, return to here:
C:\Documents and Settings\Steve\My Documents\AntiVirus\HijackThis.exe <<< right click and rename the .exe to say eSteve.exe or whatever you like. Restart the computer so the change can take effect and make a new HJT log. If the hidden junk is there you will see it in BHO 02 and 020 Winlogon.
Thanks
|---------------------|
|Report.txt from SDFIX|
|---------------------|
SDFix: Version 1.28
-------------------
Scan run on:
Sun 10/15/2006
Time:
9:41a
Microsoft Windows 2000 [Version 5.00.2195]
Running from: C:\Documents and Settings\Steve\Desktop\SDFIX\SDFix
Stage One...
Checking Services...
Name:
-----
Path:
----
Repairing Registry...
Restoring Default Hosts File...
Stage One Complete
Rebooting!
Stage Two...
Registry Cleaning Finished...
Checking For Malware Files:
--------------------------
Backing Up and Removing any Files Found...
Final Check:
Remaining Services:
------------------
Remaining Files:
--------------
*Any removed Files are saved in the SDFix\backups Folder*
*FINISHED*
------------------------------====================-------
new hijackthis.log after renaming to esteve.exe
Logfile of HijackThis v1.99.1
Scan saved at 10:15:40 AM, on 10/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SERVICE.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINNT\twain_32\ca561a\SnapDetect.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Steve\My Documents\AntiVirus\eSteve.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A16C3D6-226F-C0ED-A221-07A593FF2ADB} - C:\WINNT\system32\vklkedm.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\system32\wydilwqp.dll (file missing)
O2 - BHO: (no name) - {30DCEF58-85D9-47D8-89B8-26B5AFEE08C0} - C:\WINNT\system32\ddabc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: SnapDetect.lnk = C:\WINNT\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135637598656
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O20 - Winlogon Notify: ddabc - C:\WINNT\system32\ddabc.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Auto Logon Service (AutoLogon) - Unknown owner - C:\Program Files\Macro Scheduler\autologonsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macro Scheduler Service (mschedsvc) - Unknown owner - C:\Program Files\Macro Scheduler\msschedsvc.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
------------------------------------------------------------------------
hope this helps further your search for viruses on my computer and i really appreciate the help so far, thank you!!!
pskelley
2006-10-15, 21:41
OK and thanks for returning the information. The SDFix did not remove that worm, so we will have to do it manually. You seem to handle yourself well, so I will post all of the instructions at once. If you have questions, please do not hesitate to post them.
We will remove the Vundo trojan first, and it looks like this:
O2 - BHO: (no name) - {30DCEF58-85D9-47D8-89B8-26B5AFEE08C0} - C:\WINNT\system32\ddabc.dll
O20 - Winlogon Notify: ddabc - C:\WINNT\system32\ddabc.dll
Please understand the hackers keep changing the name of the .dll and the fix Atribune created for us learns if it does not know the file the first time. Sometimes it has to be run several times, until you see that all of the files the fix locates "have been deleted". At that point, move to the next instructions.
If you see a file not recognized the first time, it would be so helpful if you would use the link provided to upload that file so Atribune can add it to the fix.
Thanks to Atribune and any others who helped with this fix.
1) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
(save those logs until the end of the instructions)
2) This item running a a service is going to be tricky also, look at it:
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE
What is important is that you know this bad file is in the C:\WINNT\ folder, you must not touch the valid file which is in the C:\WINNT\system32\ <<< the item in this folder is GOOD and must not be touched.
3) Now we need to disable the service so we can delete the file:
Disable the offending Service
Click Start > Run and type services.msc
Scroll down to : service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
I would like to delete that service but without knowing the name, I am fearful. We will delete the file (hopefully) and see what happens.
4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {0A16C3D6-226F-C0ED-A221-07A593FF2ADB} - C:\WINNT\system32\vklkedm.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\system32\wydilwqp.dll (file missing)
O2 - BHO: (no name) - {30DCEF58-85D9-47D8-89B8-26B5AFEE08C0} - C:\WINNT\system32\ddabc.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
(next two are Alexa toolbar resource wasters, if you do not use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm G
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
(next is Vundo and it should be gone)
O20 - Winlogon Notify: ddabc - C:\WINNT\system32\ddabc.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
(next may be gone since you disabled it)
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINNT\SERVICE.EXE <<< delete that file (once again, make sure of which folder you are in!)
If you are able to delete that C:\WINNT\SERVICE.EXE file, that's great. If not then do the instructions in #8
8) How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINNT\SERVICE.EXE and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Make sure the computer is restated and post the results of VundoFix, a new HJT log and let me know how the computer is running now. I also need any comments you think will help.
Thanks...Phil
After following all of your instructions, this is what my logs say. I'd like to further comment by saying i'm pretty confident that if the virus isn't removed, it is at the very least disabled. I have had no more pop-ups randomly appearing or popping up in between site navigation, so it looks like all systems are go :bigthumb: :D: , still better safe than sorry, here are my logs:
---------
Vundo Fix
---------
VundoFix V6.2.2
Checking Java version...
Java version is 1.5.0.8
Scan started at 11:34:21 PM 10/15/2006
Listing files found while scanning....
C:\WINNT\system32\mqkdarn.dll
C:\WINNT\system32\opnoppm.dll
C:\WINNT\system32\vklkedm.dll
C:\WINNT\system32\fqanotfg.exe
C:\WINNT\system32\ddabc.dll
C:\WINNT\system32\cbadd.ini
C:\WINNT\system32\cbadd.bak1
C:\WINNT\system32\cbadd.bak2
C:\WINNT\system32\cbadd.ini2
C:\WINNT\system32\cbadd.tmp
Beginning removal...
Attempting to delete C:\WINNT\system32\mqkdarn.dll
C:\WINNT\system32\mqkdarn.dll Has been deleted!
Attempting to delete C:\WINNT\system32\opnoppm.dll
C:\WINNT\system32\opnoppm.dll Has been deleted!
Attempting to delete C:\WINNT\system32\vklkedm.dll
C:\WINNT\system32\vklkedm.dll Has been deleted!
Attempting to delete C:\WINNT\system32\fqanotfg.exe
C:\WINNT\system32\fqanotfg.exe Has been deleted!
Attempting to delete C:\WINNT\system32\ddabc.dll
C:\WINNT\system32\ddabc.dll Has been deleted!
Attempting to delete C:\WINNT\system32\cbadd.ini
C:\WINNT\system32\cbadd.ini Has been deleted!
Attempting to delete C:\WINNT\system32\cbadd.bak1
C:\WINNT\system32\cbadd.bak1 Has been deleted!
Attempting to delete C:\WINNT\system32\cbadd.bak2
C:\WINNT\system32\cbadd.bak2 Has been deleted!
Attempting to delete C:\WINNT\system32\cbadd.ini2
C:\WINNT\system32\cbadd.ini2 Has been deleted!
Attempting to delete C:\WINNT\system32\cbadd.tmp
C:\WINNT\system32\cbadd.tmp Has been deleted!
Performing Repairs to the registry.
Done!
--------------------------
Most recent Hijackthis log
--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:02:12 PM, on 10/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINNT\twain_32\ca561a\SnapDetect.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Steve\My Documents\AntiVirus\eSteve.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: SnapDetect.lnk = C:\WINNT\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135637598656
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{30394724-E827-4267-B2FB-38CD9DAE7DD7}: NameServer = 192.168.1.1
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Auto Logon Service (AutoLogon) - Unknown owner - C:\Program Files\Macro Scheduler\autologonsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macro Scheduler Service (mschedsvc) - Unknown owner - C:\Program Files\Macro Scheduler\msschedsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
pskelley
2006-10-18, 23:29
Thanks for returning your information Steve, you have programs I had not seen before but everything appears to be legit. I would say we killed the junk, you may rename HJT if you wish and can uninstall the tools we used thus far, they have to be updated often and would be of no use to you. The exception would be ATF-Cleaner, you can keep it and here is a tutorial for using it: http://forums.security-central.us/showthread.php?t=1925
I would like to take one more look with a good Spyware scan if it is OK with you. If that sounds good, then follow the directions in this link:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Post the Report-Scan.txt and if there are no surprises we will get you on your way with some great information to help you stay safe.
Thanks...Phil
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.