
Pop-ups appearing



Jeesus
2006-10-24, 18:51
Hello,

have you got any idea for what to do with these pop-ups? They sometimes direct me to site http://85.12.25.85, and more often try to make me install "WinAntiVirus Pro 2006".

Here are my Panda Activescan log and HJT log (after running SpyBot in safe mode).


Panda (none disinfected):

Possible Virus. C:\startdreck\StartDreck.exe


Spyware:Cookie/Ccbill F:\Documents and Settings\Mats\Application Data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[.ccbill.com/]


Spyware:Cookie/Reliablestats F:\Documents and Settings\Mats\Application Data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[stats1.reliablestats.com/]

Spyware:Cookie/FastClickF:\Documents and Settings\Mats\Application Data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[.fastclick.net/]


Spyware:Cookie/Toplist F:\Documents and Settings\Mats\Application Data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[.toplist.cz/]


Spyware:Cookie/onestat.com F:\Documents and Settings\Mats\Application data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[stat.onestat.com/]


Spyware:Cookie/Winantivirus F:\Documents and Settings\Mats\Application data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[www.winantivirus.com/]


Spyware:Cookie/Mediaplex F:\Documents and Settings\Mats\Application data\Mozilla\Firefox\Profiles\idl9evdv.default\cookies.txt[.mediaplex.com/]


Adware:Adware/IST.ISTBar F:\Documents and Settings\Mats\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-300ee9cf.zip[javainstaller/InstallerApplet.class]


Spyware:Cookie/YieldManager F:\Documents and Settings\Mats\Cookies\mats@ad.yieldmanager[1].txt


Spyware:Cookie/Advertising F:\Documents and Settings\Mats\Cookies\mats@advertising[1].txt


Spyware:Cookie/Atlas DMT F:\Documents and Settings\Mats\Cookies\mats@atdmt[2].txt


Spyware:Cookie/Mediaplex F:\Documents and Settings\Mats\Cookies\mats@mediaplex[1].txt


Spyware:Cookie/Searchportal F:\Documents and Settings\Mats\Cookies\mats@searchportal.information[1].txt


Spyware:Cookie/Reliablestats F:\Documents and Settings\Mats\Cookies\mats@stats1.reliablestats[2].txt


Spyware:Cookie/Tucows F:\Documents and Settings\Mats\Cookies\mats@tucows[1].txt


Adware:Adware/Maxifiles F:\Documents and Settings\Mats\Local Settings\Temp\b122.exe[mc-0-0-0.exe][²ÜÇ\nsProcess.dll]


Adware:Adware/PCodec F:\Documents and Settings\Mats\Local Settings\Temp\b122.exe[²ÜÇ\nsRandom.dll]


Adware:Adware/PrintView F:\Documents and Settings\Mats\Local Settings\Temp\b124.exe


Adware:Adware/Adservice F:\Documents and Settings\Mats\Local Settings\Temp\mst54B.tmp


Potentially unwanted tool:Application/SpywareQuake F:\Documents and Settings\Mats\Local Settings\Temp\sa550.exe[Spy-Quake2.exe]


Adware:Adware/SystemDoctor F:\Documents and Settings\Mats\Local Settings\Temp\temp.fr247D


Adware:Adware/Maxifiles F:\Documents and Settings\Mats\Local Settings\Temp\win542.tmp.exe


Adware:adware/securityerror F:\Documents and Settings\Mats\Suosikit\Antivirus Test Online.url


Potentially unwanted tool:Application/ServUBased.A F:\Program Files\Serv-U\ServUAdmin.exe


Potentially unwanted tool:Application/ServUBased.A F:\Program Files\Serv-U\ServUDaemon.exe


Potentially unwanted tool:Application/ServUBased.A F:\Program Files\Serv-U\ServUPerfCount.dll


Potentially unwanted tool:Application/ServUBased.A F:\Program Files\Serv-U\ServUTray.exe


Potentially unwanted tool:Application/VSToolbar F:\Program Files\VSToolbar\VSToolBar.dll


Possible Virus. F:\WINDOWS\system32\awvss.dll


Adware:Adware/SecurityError F:\WINDOWS\system32\ISMINI.0XE


Potentially unwanted tool:Application/VSToolbar F:\WINDOWS\system32\oiihfqik.exe


Virus:Bck/Agent.CWB F:\WINDOWS\system32\WINYOC32.0LL
--




Logfile of HijackThis v1.99.1
Scan saved at 19:29:11, on 24.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\F-Secure\Common\FSM32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\AWS\WeatherBug\WeatherBug.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\PokerOffice\bin\javaw.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
F:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
F:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
F:\Program Files\F-Secure\Anti-Virus\fssm32.exe
F:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\F-Secure\Common\FSMA32.EXE
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\F-Secure\Common\FSMB32.EXE
F:\Program Files\F-Secure\Common\FCH32.EXE
F:\Program Files\F-Secure\Common\FAMEH32.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\F-Secure\Common\FNRB32.EXE
F:\Program Files\F-Secure\Common\FIH32.EXE
F:\Program Files\F-Secure\Anti-Virus\fsav32.exe
F:\Program Files\Rainlendar\Rainlendar.exe
F:\Program Files\C&E\DTV\RC.exe
F:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\antispy.exe
F:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - F:\WINDOWS\system32\pbfnjitp.dll (file missing)
O2 - BHO: (no name) - {3939FFFA-C1A7-C238-4A78-0679F6FA47F9} - F:\WINDOWS\system32\rpjdwzg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {579BFCDD-AA97-8430-2F31-0604FEF1D82E} - F:\WINDOWS\system32\vfdjak.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: (no name) - {F7D0B404-41FA-40A6-B4EF-F73475EDC4D4} - F:\WINDOWS\system32\awvss.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POEngine] "F:\Program Files\PokerOffice\POEngine.exe" F:\Program Files\PokerOffice
O4 - HKLM\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zvelahk.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\zvelahk.dll,efsukif
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WeatherBug] F:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Baana.lnk = ?
O4 - Startup: Rainlendar.lnk = F:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: RC.lnk = F:\Program Files\C&E\DTV\RC.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = F:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138719195781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{180326C4-7524-4F4E-85D4-E2310764CBA4}: NameServer = 212.50.131.153 213.139.190.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{180326C4-7524-4F4E-85D4-E2310764CBA4}: NameServer = 212.50.131.153 213.139.190.3
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: awvss - F:\WINDOWS\system32\awvss.dll
O20 - Winlogon Notify: winyoc32 - winyoc32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - F:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - F:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - F:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - F:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - F:\WINDOWS\System32\mousehs.exe (file missing)

pskelley
2006-10-25, 15:03
Welcome to the forum. This is the Vundo trojan, and sometimes it takes several runs with the tool to delete it all. Before you move on, make sure all files located by Vundofix have been deleted.

1) Are you positive this is a safe program?
F:\Program Files\PokerOffice\bin\javaw.exe

2) You have a nasty trojan running here: O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - F:\WINDOWS\System32\mousehs.exe (file missing)
This fix is for it:
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


(save the log until the instructions are finished)

3) Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(Vundo should say "file missing" or not be in the log after the fix is successful)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - F:\WINDOWS\system32\pbfnjitp.dll (file missing)
O2 - BHO: (no name) - {3939FFFA-C1A7-C238-4A78-0679F6FA47F9} - F:\WINDOWS\system32\rpjdwzg.dll
O2 - BHO: (no name) - {579BFCDD-AA97-8430-2F31-0604FEF1D82E} - F:\WINDOWS\system32\vfdjak.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: (no name) - {F7D0B404-41FA-40A6-B4EF-F73475EDC4D4} - F:\WINDOWS\system32\awvss.dll
(Vundo)
O4 - HKLM\..\Run: [zvelahk.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\zvelahk.dll,efsukif
(if you know the next item you can leave it)
O4 - Startup: Baana.lnk = ?
O20 - Winlogon Notify: awvss - F:\WINDOWS\system32\awvss.dll
(Vundo)
O20 - Winlogon Notify: winyoc32 - winyoc32.dll (file missing)
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - F:\WINDOWS\System32\mousehs.exe (file missing)
(should be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items if there, do not miss them:

F:\WINDOWS\System32\mousehs.exe <<< delete that file

F:\WINDOWS\system32\zvelahk.dll <<< delete that file

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Report.txt from SDfix, vundofix.txt, a new HJT log and any comments you think will help.

Thanks

Your Java program is out of date and may be the reason for your infections, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
F:\Program Files\Java\jre1.5.0_05\ <<< out of date, update that one and keep it updated.

Jeesus
2006-10-25, 23:48
Thanks for the advice. I got rid of most of the stuff seen in HJT log; however, F:\WINDOWS\system32\awvss.dll seems to stay, even with multiple reboots using VundoFix.exe.

Also the most visible problem, the pop-ups, are still a problem.

Here are the logs for SDFix and HJT.





Logfile of HijackThis v1.99.1
Scan saved at 0:43:10, on 26.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
F:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
F:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
F:\Program Files\F-Secure\Anti-Virus\fssm32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\F-Secure\Common\FSMA32.EXE
F:\Program Files\F-Secure\Common\FSMB32.EXE
F:\Program Files\F-Secure\Common\FCH32.EXE
F:\Program Files\F-Secure\Common\FAMEH32.EXE
F:\Program Files\F-Secure\Common\FNRB32.EXE
F:\Program Files\F-Secure\Common\FIH32.EXE
F:\Program Files\F-Secure\Anti-Virus\fsav32.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\F-Secure\Common\FSM32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\AWS\WeatherBug\WeatherBug.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Rainlendar\Rainlendar.exe
F:\Program Files\C&E\DTV\RC.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\antispy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29557E01-978C-4224-A3F0-F314571F8040} - F:\WINDOWS\system32\awvss.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WeatherBug] F:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Baana.lnk = ?
O4 - Startup: Rainlendar.lnk = F:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: RC.lnk = F:\Program Files\C&E\DTV\RC.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = F:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138719195781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{180326C4-7524-4F4E-85D4-E2310764CBA4}: NameServer = 212.50.131.153 213.139.190.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{180326C4-7524-4F4E-85D4-E2310764CBA4}: NameServer = 212.50.131.153 213.139.190.3
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: awvss - F:\WINDOWS\system32\awvss.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - F:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - F:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - F:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - F:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
--


SDFix: Version 1.32
-------------------

Scan run on:
ke 25.10.2006

Time:
18:34


Microsoft Windows XP [versio 5.1.2600]

Running from: F:\Documents and Settings\Mats\Työpöytä

Stage One...

Checking Services...

Name:
-----

mousehs

Path:
----

F:\WINDOWS\System32\mousehs.exe


mousehs Deleted...

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Final Check:

Services:
---------




Files:
------



Any files removed are saved to the SDFix\backups Folder

FINISHED
---


Thanks,

Matti

pskelley
2006-10-26, 00:02
Hi Matti, this is the Vundo trojan that is causing the popups:
O2 - BHO: (no name) - {29557E01-978C-4224-A3F0-F314571F8040} - F:\WINDOWS\system32\awvss.dll

O20 - Winlogon Notify: awvss - F:\WINDOWS\system32\awvss.dll

You have removed the other trojan but this one has to go. You also did not post the Vundofix.txt so I can see what is happening. You need to run the fix again and sometimes it needs to run several times, until the Vundofix report indicates it has deleted all of the files, especially this one.


Here are the instructions again if you need them:
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Please post a new HJT log along with the Vundofix report this time. I do not need to see SDfix again, and you may uninstall it.

Thanks
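
As an added example (not from this thread, nor from HijackThis, VundoFix or SDFix), here is a Python triage script that applies the criteria pskelley uses in his two posts above to a HijackThis 1.99.1 log: nameless O2 BHOs loaded from system32, an O20 Winlogon Notify hook that loads the same DLL (the hook is loaded into winlogon.exe at boot, which is why awvss.dll survives deletion on a running system), an O23 service with an unknown owner and a missing binary, rundll32 autoruns from system32, and dead "(file missing)"/"(no file)" references. The sample log lines are constructed from the kinds of entries posted in the thread; the reversed-name companion files follow the awvss.dll / ssvwa.ini / ssvwa.bak2 pattern visible in the VundoFix output posted later in this thread.

```python
"""Triage a HijackThis 1.99 log for the Vundo-style entries discussed in this thread.
The sample log is constructed from the kinds of lines posted above (illustrative values only)."""
import re
from dataclasses import dataclass

# Line shapes HijackThis 1.99.1 prints for the entry types the helper asked to fix-check.
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_WINLOGON = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
MISSING = ("(file missing)", "(no file)")

@dataclass
class Finding:
    line: str
    reason: str
    dll: str  # lower-cased basename of the binary involved, "" if the line names none

def in_system32(path):
    return "\\system32\\" in path.lower()

def is_missing(path):
    return any(tag in path for tag in MISSING)

def involved_binary(line):
    """Lower-cased basename of the last .dll/.exe mentioned on the line."""
    hits = re.findall(r"([\w~-]+\.(?:dll|exe))\b", line, flags=re.I)
    return hits[-1].lower() if hits else ""

def classify(line):
    """Return why a single HJT line deserves attention, or None if it looks benign."""
    m = RE_BHO.match(line)
    if m:
        if is_missing(m["path"]):
            return "BHO whose DLL is gone: orphaned CLSID left behind by an earlier removal"
        # Spybot's own SDHelper.dll also shows as "(no name)" but lives under Program Files;
        # the Vundo BHOs are nameless DLLs dropped straight into system32.
        if m["name"] == "(no name)" and in_system32(m["path"]):
            return "nameless BHO loaded from system32 (Vundo pattern)"
        return None
    m = RE_SERVICE.match(line)
    if m:
        if m["owner"] == "Unknown owner" and is_missing(m["path"]):
            return "service with unknown owner and missing binary"
        return None
    m = RE_RUN.match(line)
    if m:
        cmd = m["cmd"].lower()
        if "rundll32.exe" in cmd and in_system32(cmd.split("rundll32.exe", 1)[1]):
            return "rundll32 autorun of a DLL in system32: review the DLL"
        return None
    if is_missing(line):  # URLSearchHook / Winlogon Notify entries pointing at deleted files
        return "entry whose file is already gone: dead reference to fix-check"
    return None

def triage(log_text):
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        reason = classify(ln)
        if reason:
            findings.append(Finding(ln, reason, involved_binary(ln)))
    # Cross-reference: a DLL that is both a nameless BHO and a Winlogon Notify package is
    # loaded into winlogon.exe at boot, which is why a live-system delete keeps failing.
    bho_dlls = {f.dll for f in findings if f.reason.startswith("nameless BHO")}
    for ln in lines:
        m = RE_WINLOGON.match(ln)
        if m and involved_binary(m["path"]) in bho_dlls:
            findings.append(Finding(ln, "Winlogon Notify hook for the same DLL as the nameless BHO: "
                                        "held open by winlogon.exe while Windows runs", involved_binary(m["path"])))
    return findings

def companion_names(dll):
    """Vundo keeps its settings under the DLL stem reversed (awvss.dll -> ssvwa.ini / ssvwa.bak2
    in the VundoFix log in this thread); these names belong on the same deletion list as the DLL."""
    stem = dll.rsplit(".", 1)[0].lower()[::-1]
    return [f"{stem}.ini", f"{stem}.bak2"]

# Constructed sample: a mix of benign and suspicious entries of the shapes posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - F:\WINDOWS\system32\pbfnjitp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F7D0B404-41FA-40A6-B4EF-F73475EDC4D4} - F:\WINDOWS\system32\awvss.dll
O4 - HKLM\..\Run: [zvelahk.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\zvelahk.dll,efsukif
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O20 - Winlogon Notify: awvss - F:\WINDOWS\system32\awvss.dll
O20 - Winlogon Notify: winyoc32 - winyoc32.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - F:\WINDOWS\System32\mousehs.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against a real HJT log by replacing SAMPLE_LOG with the file contents; the output is a review list, not an automatic fix, and the flagged DLLs plus their companion names are what to confirm gone after the reboot.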

Jeesus
2006-10-26, 02:16
Hi,

attached below are the logs of VundoFix and HJT. Initially the program couldn't remove the file F:\WINDOWS\system32\awvss.dll. After a couple of reboots suggested by VundoFix, the file had disappeared from the list of VundoFix, without any notice of the file being removed.

After this, I manually added the file awvs.dll to VundoFix. It keeps rebooting, but can't remove the file. I also tried running VundoFix in safe mode, but the results were similar.



VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Scan started at 18:48:09 25.10.2006

Listing files found while scanning....

F:\WINDOWS\system32\rpjdwzg.dll
F:\WINDOWS\system32\vfdjak.dll
F:\WINDOWS\system32\zvelahk.dll
F:\WINDOWS\system32\awvss.dll
F:\WINDOWS\system32\ssvwa.ini
F:\WINDOWS\system32\ssvwa.bak2

Beginning removal...

Attempting to delete F:\WINDOWS\system32\rpjdwzg.dll
F:\WINDOWS\system32\rpjdwzg.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\vfdjak.dll
F:\WINDOWS\system32\vfdjak.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\zvelahk.dll
F:\WINDOWS\system32\zvelahk.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\awvss.dll
F:\WINDOWS\system32\awvss.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\ssvwa.ini
F:\WINDOWS\system32\ssvwa.ini Has been deleted!

Attempting to delete F:\WINDOWS\system32\ssvwa.bak2
F:\WINDOWS\system32\ssvwa.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete F:\WINDOWS\system32\rpjdwzg.dll
F:\WINDOWS\system32\rpjdwzg.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\vfdjak.dll
F:\WINDOWS\system32\vfdjak.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\zvelahk.dll
F:\WINDOWS\system32\zvelahk.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\awvss.dll
F:\WINDOWS\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.

Performing Repairs to the registry.
Done!
--

Logfile of HijackThis v1.99.1
Scan saved at 3:15:09, on 26.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
F:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
F:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
F:\Program Files\F-Secure\Anti-Virus\fssm32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\F-Secure\Common\FSMA32.EXE
F:\Program Files\F-Secure\Common\FSMB32.EXE
F:\Program Files\F-Secure\Common\FCH32.EXE
F:\Program Files\F-Secure\Common\FAMEH32.EXE
F:\Program Files\F-Secure\Common\FNRB32.EXE
F:\Program Files\F-Secure\Common\FIH32.EXE
F:\Program Files\F-Secure\Anti-Virus\fsav32.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\F-Secure\Common\FSM32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\AWS\WeatherBug\WeatherBug.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\Program Files\Rainlendar\Rainlendar.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\B2BPOKER\Pokerihuone\Client.exe
F:\Program Files\Java\jre1.5.0_05\bin\javaw.exe
C:\hijackthis\antispy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29557E01-978C-4224-A3F0-F314571F8040} - F:\WINDOWS\system32\awvss.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WeatherBug] F:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Baana.lnk = ?
O4 - Startup: Rainlendar.lnk = F:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = F:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138719195781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{180326C4-7524-4F4E-85D4-E2310764CBA4}: NameServer = 212.50.131.153 213.139.190.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{180326C4-7524-4F4E-85D4-E2310764CBA4}: NameServer = 212.50.131.153 213.139.190.3
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: awvss - F:\WINDOWS\system32\awvss.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - F:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - F:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - F:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - F:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe



Thanks again,

Matti
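To make the repeated removal passes above easier to read, here is an added Python snippet (not part of this thread and not VundoFix's own code) that parses result lines in the format VundoFix prints and reports which files never got deleted in any pass; the excerpt it parses is constructed from that format.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the VundoFix log format (not the full log from the thread).
SAMPLE_LOG = r"""
Beginning removal...

Attempting to delete F:\WINDOWS\system32\rpjdwzg.dll
F:\WINDOWS\system32\rpjdwzg.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\awvss.dll
F:\WINDOWS\system32\awvss.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\ssvwa.ini
F:\WINDOWS\system32\ssvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete F:\WINDOWS\system32\rpjdwzg.dll
F:\WINDOWS\system32\rpjdwzg.dll Has been deleted!

Attempting to delete f:\windows\system32\awvss.dll
f:\windows\system32\awvss.dll Could not be deleted.
"""

# A result line is "<path> Has been deleted!" or "<path> Could not be deleted."
RESULT_RE = re.compile(
    r"^(?P<path>.+?\.\w+) (?P<verdict>Has been deleted!|Could not be deleted\.)$"
)


def summarize_vundofix(log_text):
    """Return {path_lower: {"attempts": n, "deleted": bool}} across all passes."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        # NTFS paths are case-insensitive; later passes log the path in lower case.
        key = m.group("path").lower()
        entry = summary.setdefault(key, {"attempts": 0, "deleted": False})
        entry["attempts"] += 1
        if m.group("verdict").startswith("Has been"):
            entry["deleted"] = True
    return summary


def still_present(log_text):
    """Paths that never succeeded in any pass: the ones worth submitting for analysis."""
    return [p for p, e in summarize_vundofix(log_text).items() if not e["deleted"]]
```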

pskelley
2006-10-26, 02:31
Thanks Matti, before we try another fix, would you be sure that file is uploaded to Atribune so he can add it to the fix:

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

It is possible the guard.exe: F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe feature in AVG Anti-Spyware is blocking the change Vundofix is trying to make. Would you review this information:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/ and make sure the Guard feature is turned off. You may have to uninstall the program, but once you see the Guard.exe is missing then try the Vundofix again to see what happens.
You may want to think about F-Secure also: does it have a feature that blocks changes? If so, turn it off while you run Vundofix, or go offline and turn off F-Secure while you run Vundofix. Something is stopping it from working.

If that does not work, I will post another fix that sometimes works.

Thanks

LonnyRJones
2006-11-03, 13:20
Post back Matti

LonnyRJones
2006-11-12, 07:49
Due to lack of responses, this thread is closed.
If you still need assistance, a new log will be needed; send me or Tashi a PM (personal message) and we will re-open it.