
Thread: Multiple Issues, unable to resolve on my own.

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    Multiple Issues, unable to resolve on my own.

    For the past three days I've had multiple recurring issues that I can't seem to resolve. I've been running SB S&D, AdAware, CCleaner, and a few others (not at the same time) and keep finding items returning. I'm providing the logs for HJT, SB, AdAware and CCleaner (some in safe mode and some in regular mode). I have also tried running House Call but am having an issue where I'm not able to finish the scan. I also recently installed Windows Live OneCare, which keeps finding the same TROJ_ issues and claims to repair them, but they just show up again. Another issue that I am having is that when the pc boots into Windows (regular or safe mode) I will sometimes get an error stating szAppName: services.exe...; the files listed for the report are C:\Doc~1\Default\Local~1\temp\Wer37ef.dir00\services.exe.mdmp and \appcompat.txt. After clicking to close the report, the pc then states that it is shutting down and gives a countdown, at the end of which the pc does not actually shut down; instead all desktop icons are removed as well as the task bar, and I am left with a blank blue screen and must cold boot the pc for it to reboot. Thank you in advance for your assistance with these issues. Here are the logs; I can try and provide any other logs you may need.




    HJT Safe Mode

    Logfile of HijackThis v1.99.1
    Scan saved at 2:47:49 PM, on 6/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe

    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hnoxrdeg.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe





    HJT Regular Mode

    Logfile of HijackThis v1.99.1
    Scan saved at 2:32:02 PM, on 6/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe

    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hnoxrdeg.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe




    AdAware in safe mode


    Ad-Aware SE Build 1.06r1
    Logfile Created on:Friday, June 01, 2007 3:02:44 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R173 29.05.2007
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    MRU List(TAC index:0):6 total references
    Tracking Cookie(TAC index:3):4 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    6-1-2007 3:02:44 PM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : C:\Documents and Settings\Default\recent
    Description : list of recently opened documents


    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description : list of recent programs opened


    MRU List Object Recognized!
    Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description : list of recently saved files, stored according to file extension


    MRU List Object Recognized!
    Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows\currentversion\explorer\recentdocs
    Description : list of recent documents opened


    MRU List Object Recognized!
    Location: : S-1-5-21-1060284298-1788223648-1801674531-1004\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 140
    ThreadCreationTime : 6-1-2007 8:46:11 PM
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 188
    ThreadCreationTime : 6-1-2007 8:46:24 PM
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\System32\
    ProcessID : 212
    ThreadCreationTime : 6-1-2007 8:46:26 PM
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 256
    ThreadCreationTime : 6-1-2007 8:46:29 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 268
    ThreadCreationTime : 6-1-2007 8:46:30 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 428
    ThreadCreationTime : 6-1-2007 8:46:33 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 492
    ThreadCreationTime : 6-1-2007 8:46:35 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [msmpeng.exe]
    FilePath : C:\Program Files\Microsoft Windows OneCare Live\Antivirus\
    ProcessID : 540
    ThreadCreationTime : 6-1-2007 8:46:36 PM
    BasePriority : Normal
    FileVersion : 1.5.1937.0
    ProductVersion : 1.5.1937.0
    ProductName : Microsoft Malware Protection
    CompanyName : Microsoft Corporation
    FileDescription : Service Executable
    InternalName : MsMpEng.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : MsMpEng.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 652
    ThreadCreationTime : 6-1-2007 8:46:38 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 948
    ThreadCreationTime : 6-1-2007 8:47:04 PM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:11 [spybotsd.exe]
    FilePath : C:\Program Files\Spybot - Search & Destroy\
    ProcessID : 1300
    ThreadCreationTime : 6-1-2007 8:48:18 PM
    BasePriority : Normal
    FileVersion : 1.4.0.3
    ProductVersion : 1, 4, 0, 3
    ProductName : SpyBot-S&D
    CompanyName : Safer Networking Limited
    FileDescription : Spybot - Search & Destroy
    InternalName : SpybotSD
    LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
    LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
    OriginalFilename : SpyBotSD.exe
    Comments : Software zum Entfernen von Spyware und ähnlichen Bedrohungen.

    #:12 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 1536
    ThreadCreationTime : 6-1-2007 9:02:29 PM
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 6


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 6


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 6


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : default@advertising[2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Value : C:\Documents and Settings\Default\Cookies\default@advertising[2].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : default@atdmt[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Value : C:\Documents and Settings\Default\Cookies\default@atdmt[1].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : default@doubleclick[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Value : C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : default@findwhat[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Value : C:\Documents and Settings\Default\Cookies\default@findwhat[1].txt

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 4
    Objects found so far: 10



    Deep scanning and examining files (C
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 10


    Scanning Hosts file......
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    3 entries scanned.
    New critical objects:0
    Objects found so far: 10




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 10

    3:28:59 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:26:14.937
    Objects scanned:221369
    Objects identified:4
    Objects ignored:0
    New critical objects:4





    SB S&D safe mode log in next post.

    Hope these are helpful to find and fix whatever issues I am having.

    Arryndel

  2. #2
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    CCleaner Log

    CCleaner in normal mode


    ANALYSIS COMPLETE - (2.919 secs)
    ------------------------------------------------------------------------------------------
    1.54MB to be removed. (Approximate size)
    ------------------------------------------------------------------------------------------

    Details of files to be deleted (Note: No files have been deleted yet)
    ------------------------------------------------------------------------------------------
    IE Temporary Internet Files (116 files) 0.68MB
    C:\Documents and Settings\Default\Cookies\default@24.244.171[1].txt 309 bytes
    C:\Documents and Settings\Default\Cookies\default@89.188.16[2].txt 192 bytes
    C:\Documents and Settings\Default\Cookies\default@advertising[2].txt 535 bytes
    C:\Documents and Settings\Default\Cookies\default@atdmt[1].txt 102 bytes
    C:\Documents and Settings\Default\Cookies\default@c.msn[1].txt 73 bytes
    C:\Documents and Settings\Default\Cookies\default@cpvfeed[2].txt 419 bytes
    C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt 89 bytes
    C:\Documents and Settings\Default\Cookies\default@ebay[1].txt 736 bytes
    C:\Documents and Settings\Default\Cookies\default@findwhat[1].txt 154 bytes
    C:\Documents and Settings\Default\Cookies\default@forums.spybot[1].txt 371 bytes
    C:\Documents and Settings\Default\Cookies\default@google[1].txt 131 bytes
    C:\Documents and Settings\Default\Cookies\default@h.live[1].txt 68 bytes
    C:\Documents and Settings\Default\Cookies\default@hotmail.msn[1].txt 70 bytes
    C:\Documents and Settings\Default\Cookies\default@live[1].txt 332 bytes
    C:\Documents and Settings\Default\Cookies\default@login.live[2].txt 176 bytes
    C:\Documents and Settings\Default\Cookies\default@main.ebayrtm[2].txt 387 bytes
    C:\Documents and Settings\Default\Cookies\default@msn[2].txt 98 bytes
    C:\Documents and Settings\Default\Cookies\default@rad.live[1].txt 702 bytes
    C:\Documents and Settings\Default\Cookies\default@svxela[1].txt 228 bytes
    C:\Documents and Settings\Default\Cookies\default@thestreet[1].txt 515 bytes
    C:\Documents and Settings\Default\Cookies\default@www.abcsearch[1].txt 140 bytes
    C:\Documents and Settings\Default\Cookies\default@www.thestreet[2].txt 101 bytes
    C:\Documents and Settings\Default\Cookies\default@www31.thestreet[1].txt 100 bytes
    C:\Documents and Settings\Default\Cookies\default@yahoo[2].txt 88 bytes
    Marked for deletion: C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    Marked for deletion: C:\Documents and Settings\Default\Cookies\index.dat
    Marked for deletion: C:\Documents and Settings\Default\Local Settings\History\History.IE5\index.dat
    C:\WINDOWS\TEMP\dw.log 77 bytes
    C:\WINDOWS\TEMP\startdrv.exe 25.00KB
    C:\WINDOWS\TEMP\TMP0000001D41730ACDA95E0923 0.50MB
    C:\WINDOWS\TEMP\TMP000001D8522E330BA98A6F11 0 bytes
    C:\WINDOWS\TEMP\WGAErrLog.txt 255 bytes
    C:\WINDOWS\TEMP\WGANotify.settings 409 bytes
    C:\DOCUME~1\Default\LOCALS~1\Temp\WER2a83.dir00\sysdata.xml 0.14MB
    C:\DOCUME~1\Default\LOCALS~1\Temp\WER6747.dir00\Mini060107-01.dmp 92.00KB
    C:\WINDOWS\MiniDump\Mini060107-01.dmp 92.00KB
    C:\WINDOWS\system32\wbem\Logs\wbemess.log 760 bytes
    C:\WINDOWS\system32\wbem\Logs\wbemprox.log 3.11KB
    C:\WINDOWS\0.log 0 bytes
    C:\Documents and Settings\Default\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 348 bytes
    ------------------------------------------------------------------------------------------


    SB S&D log is much too large for one post, but it is available if needed.

  3. #3
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    Still trying to run House Call or Ca

    So far the files that have been found before the sites lock up on me are these:

    House Call finds TROJ_RENOS.HT then locks up.

    Ca finds Win32/SillyDl.CTT file ibhmuuf.exe, Win32/Chisyne.generic files cyxyawir.dll, cbxwwwt.dll, ddcaxyv.dll, and Win32/hostblock file host.200700517-233714.backup then the site locks up.

    I'll continue trying to get House Call or Ca to complete a scan so that I can post the log here; until then I'll try and keep a list of anything it finds before locking up again.

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi and welcome to the Board

    I'm Blade and I am going to try to help you with your problem. Please take note of five things.

    1. I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    4. If you don't know, stop and ask! Don't keep going on.
    5. Please reply to this thread. Do not start a new topic.


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    Ran VundoFix

    Hello Blade, and thank you for your assistance. I ran VundoFix as you suggested; it had to run on reboot twice. Here is the log and the new HJT log as well. Also, over the past 2 days I've continued trying to run the CA virus scan and can confirm the exact file that it freezes at every time. I'll post the file if you need that info.

    VundoFix V6.3.9

    Checking Java version...

    Java version is 1.5.0.6

    Java version is 1.5.0.7

    Java version is 1.5.0.8

    Scan started at 11:21:34 PM 2/24/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 4:49:34 PM 6/2/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\bbadd.bak2
    C:\WINDOWS\system32\bbadd.ini
    C:\WINDOWS\system32\byxyawu.dll
    C:\WINDOWS\system32\cbxwwwt.dll
    C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\ddcaxyv.dll
    C:\WINDOWS\system32\fdmcjvys.ini
    C:\WINDOWS\system32\rqrpqom.dll
    C:\WINDOWS\system32\syvjcmdf.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\bbadd.bak2
    C:\WINDOWS\system32\bbadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\bbadd.ini
    C:\WINDOWS\system32\bbadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\byxyawu.dll
    C:\WINDOWS\system32\byxyawu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cbxwwwt.dll
    C:\WINDOWS\system32\cbxwwwt.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\ddabb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddcaxyv.dll
    C:\WINDOWS\system32\ddcaxyv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fdmcjvys.ini
    C:\WINDOWS\system32\fdmcjvys.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
    C:\WINDOWS\system32\rqrpqom.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\syvjcmdf.dll
    C:\WINDOWS\system32\syvjcmdf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 4:58:51 PM 6/2/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\bdeeg.bak1
    C:\WINDOWS\system32\bdeeg.ini
    C:\WINDOWS\system32\geedb.dll
    C:\WINDOWS\system32\rqrpqom.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\bdeeg.bak1
    C:\WINDOWS\system32\bdeeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\bdeeg.ini
    C:\WINDOWS\system32\bdeeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\geedb.dll
    C:\WINDOWS\system32\geedb.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
    C:\WINDOWS\system32\rqrpqom.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\geedb.dll
    C:\WINDOWS\system32\geedb.dll Has been deleted!

    Performing Repairs to the registry.
    Done!



    Logfile of HijackThis v1.99.1
    Scan saved at 5:13:50 PM, on 6/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\rqrpqom.dll (file missing)
    O2 - BHO: (no name) - {6859367C-F8FD-4B23-8DBA-D8871E0142C4} - C:\WINDOWS\system32\ddabb.dll (file missing)
    O2 - BHO: (no name) - {BA642176-A33C-40A7-8E67-911A2D90FC4C} - C:\WINDOWS\system32\geedb.dll (file missing)
    O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\txfjydde.dll
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\itwkwqgd.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
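    The HJT log above shows the line shapes a helper looks for in a Vundo infection: O2 BHO entries with "(no name)" pointing at a random-named DLL in system32 (sometimes already "(file missing)"), and an O4 rundll32 autorun loading another such DLL. The following Python script is an added example, not part of this thread or of any tool named in it; it triages those two line types from a constructed sample copied from the log and derives the reversed-stem twin pattern (txfjydde.dll becomes eddyjfxt.*) of the kind the VundoFix entries later in the thread target. The "6 to 8 lowercase letters" random-name rule is an assumption of this example, not a rule from HijackThis.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis v1.99.1 log in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\rqrpqom.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\txfjydde.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\itwkwqgd.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HJT line shapes handled here: O2 (Browser Helper Object) and O4 (Run-key autostart).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Heuristic (assumption of this example): Vundo-style file stems are 6-8 lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,8}$")


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)
    reversed_twin: Optional[str] = None


def stem_of(path: str) -> str:
    return ntpath.splitext(ntpath.basename(path))[0]


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(path: str) -> bool:
    return RANDOM_STEM_RE.match(stem_of(path)) is not None


def reversed_twin(path: str) -> str:
    """Pattern for the companion file with the reversed stem (txfjydde.dll -> eddyjfxt.*)."""
    directory, filename = ntpath.split(path)
    stem, _ = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ".*")


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 lines worth a helper's attention, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            path, reasons = m.group("path"), []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if m.group("missing"):
                reasons.append("registered DLL is missing on disk (orphaned CLSID)")
            if in_system32(path) and looks_random(path):
                reasons.append("random-looking DLL name in system32")
            if reasons:
                twin = reversed_twin(path) if looks_random(path) else None
                findings.append(Finding(line, path, reasons, twin))
            continue
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group("cmd"))
            if d and in_system32(d.group("dll")) and looks_random(d.group("dll")):
                findings.append(Finding(line, d.group("dll"),
                                        ["rundll32 autorun loads a random-named DLL from system32"],
                                        reversed_twin(d.group("dll"))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f.path, "|", "; ".join(f.reasons), "| twin:", f.reversed_twin)
```

    Only the three lines from the log that a helper would act on are reported; the signed Adobe BHO and the stock ctfmon and OneCare autoruns are passed over.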

  6. #6
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    new issue...

    Hmm, seems I've found a new issue after running VundoFix: I can no longer access TrendMicro or Ca. When I try to go to the sites I get an error acting as though I don't have internet access, I have a firewall blocking them (which I shouldn't), or I simply do not have access to those particular sites any longer. It's highly possible that VundoFix has nothing to do with this new problem, since I had been having problems with any messenger service that I tried to run claiming the same thing. Let me know what you think could be the cause of this new issue when you feel we've reached that point in the cleaning process.

  7. #7
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    Yay!!

    Ca virus scan actually finished!! Here are the scan results (couldn't see an option to save a log, so I simply copy/pasted the results to a txt file). I hope you can read this mess LOL. I tried to recreate the effect that is on the site to make it a bit more readable, hope it helps.

    Scan Results: * 76269 files scanned. 11 viruses were detected.

    File Infection Status Path

    lo1[1] Win32/Vundo!generic deleted C:\Documents and settings\Default\Local Settings\Temporary Internet Files\Content.IE5 \1VCK7Q47\

    byxyawu.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\

    cbxwwwt.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\

    ddabb.dll.bad Win32/Vundo!generic deleted C:\VundoFix Backups\

    ddcaxyv.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\

    geedb.dll.bad Win32/Vundo!generic deleted C:\VundoFix Backups\

    rqrpqom.dll.bad Win32/Chisyne!generic deleted C:\VundoFix Backups\

    syvjcmdf.dll.bad Win32/Vundo.CR deleted C:\VundoFix Backups\

    ibhmiyf.exe Win32/SillyDl.CTT deleted C:\WINDOWS\

    hosts.20070517-233714.backup Win32/Hostblock cured C:\WINDOWS\system32 \drivers\etc\

    uzcx.exe Win32/Eipinp.V deleted C:\WINDOWS\system32 \drivers\

  8. #8
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    Arrow Update from House Call..

    Managed to get House Call to finish scanning but it hangs at deleting, here is the list of items that were found (again I can't find an option to save a log for this site):

    House Call Scan on 6-2-07

    ADWARE_BESTOFFERS (x1)

    SPYWARE_TRAK_ESPYNOW.200 (x1)

    ADWARE_BHOT_IEHELPER (x1)

    ADWARE_MEDIAMOTOR (x2)

    RAP_GENERIC (x2)

    TSPY_SMALL (x6)

    ADWARE_ALWAYSUPDATENEWS (x1)

    ADWARE_SAFESURF (x1)

    HTTP Cookies (x30)

    Detected Vulnerabilities

    MS04.043

    (MS07.016) Cumulative Security Update for Internet Explorer (928090)

    Done


    I also wrote down the file locations for each of these if that info is needed. Since House Call seems to be having trouble deleting these items, I'm assuming I'll have to go through and manually delete each one. I'll wait until I'm told to do so by you, the expert.

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    hi

    Still something to do.


    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
    • Copy&Paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\system32\txfjydde.dll
    • C:\WINDOWS\system32\eddyjfxt.*
    • Click Add Files and Click Close Window
    • Repeat with these entries
    • C:\WINDOWS\system32\itwkwqgd.dll
    • C:\WINDOWS\system32\dgqwkwti.*
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from
    Click the Scan for Vundo button when VundoFix appears at reboot.



    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run ATF yet. Will do it a bit later.




    Start hjt, click do a system scan only, check:
    O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\rqrpqom.dll (file missing)
    O2 - BHO: (no name) - {6859367C-F8FD-4B23-8DBA-D8871E0142C4} - C:\WINDOWS\system32\ddabb.dll (file missing)
    O2 - BHO: (no name) - {BA642176-A33C-40A7-8E67-911A2D90FC4C} - C:\WINDOWS\system32\geedb.dll (file missing)
    O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\txfjydde.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\itwkwqgd.dll",realset

    Close browsers and other windows. Click fix checked.



    ==============================

    Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)

    Show hidden files
    -----------------
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.


    Delete if found:
    C:\WINDOWS\system32\txfjydde.dll
    C:\WINDOWS\system32\itwkwqgd.dll


    Running temp cleaner & AVG Anti-Spyware
    ---------------------------------------



    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the Save Scan Report button before you have hit the Apply all Actions button.

      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.


    Post
    -contents of c:\vundofix.txt
    -AVG Anti-Spyware log
    -a fresh HJT log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
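An added example, not the helper's tooling and not part of HijackThis or VundoFix: a small Python triage pass over the HJT lines the helper asked to have fixed above, plus the VundoFix step that pairs each DLL with its reversed-name twin (txfjydde.dll with eddyjfxt.*, itwkwqgd.dll with dgqwkwti.*). The sample input is constructed from the lines quoted in this thread with one legitimate BHO line from the user's later log added for contrast; the function and field names are this example's own, and the reversed-stem rule is taken only from the pairs visible in the thread (the user's VundoFix log shows the same pairing, ddabb.dll next to bbadd.ini).

```python
import ntpath
import re

# Constructed sample input: the HijackThis lines the helper asked to have
# fixed, copied from the thread, plus one named vendor BHO for contrast.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\rqrpqom.dll (file missing)
O2 - BHO: (no name) - {6859367C-F8FD-4B23-8DBA-D8871E0142C4} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {BA642176-A33C-40A7-8E67-911A2D90FC4C} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\txfjydde.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\itwkwqgd.dll",realset
"""

# O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 line: "O4 - HKLM\..\Run: [<label>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 loading a DLL, optionally followed by ",<export>"
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S+))?', re.IGNORECASE
)


def reversed_companion(path):
    """Glob for the DLL's reversed-stem twin, e.g. txfjydde.dll -> eddyjfxt.*

    The helper's VundoFix entries pair each DLL with its reversed stem, and the
    user's VundoFix log shows the same pairing (ddabb.dll / bbadd.ini), so the
    twin is listed next to every flagged entry. ntpath is used so the Windows
    paths split correctly on any host.
    """
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return stem[::-1] + ".*"


def triage_hjt(text):
    """Return the HJT entries a reviewer would look at first.

    Flagged: unnamed BHOs (whether or not the file is still present; a
    "(file missing)" BHO is an orphaned registry entry) and Run keys that
    launch a DLL through rundll32.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("name") != "(no name)":
                continue  # named, vendor-identified BHOs are left alone here
            findings.append({
                "section": "O2",
                "clsid": m.group("clsid"),
                "path": m.group("path"),
                "file_missing": m.group("missing") is not None,
                "companion": reversed_companion(m.group("path")),
            })
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r is None:
                continue  # only rundll32-launched DLLs are flagged by this pass
            findings.append({
                "section": "O4",
                "hive": m.group("hive"),
                "label": m.group("label"),
                "path": r.group("dll"),
                "export": r.group("export"),
                "companion": reversed_companion(r.group("dll")),
            })
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT):
        print(finding)
```

Run against the sample it reports the four unnamed BHOs (three of them already orphaned, one still backed by txfjydde.dll) and the rundll32 Run entry for itwkwqgd.dll, each with the reversed-stem glob that the VundoFix step above adds by hand.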

  10. #10
    Junior Member
    Join Date
    Jun 2007
    Posts
    9

    Default Newest logs

    VundoFix V6.3.9

    Checking Java version...

    Java version is 1.5.0.6

    Java version is 1.5.0.7

    Java version is 1.5.0.8

    Scan started at 11:21:34 PM 2/24/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 4:49:34 PM 6/2/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\bbadd.bak2
    C:\WINDOWS\system32\bbadd.ini
    C:\WINDOWS\system32\byxyawu.dll
    C:\WINDOWS\system32\cbxwwwt.dll
    C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\ddcaxyv.dll
    C:\WINDOWS\system32\fdmcjvys.ini
    C:\WINDOWS\system32\rqrpqom.dll
    C:\WINDOWS\system32\syvjcmdf.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\bbadd.bak2
    C:\WINDOWS\system32\bbadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\bbadd.ini
    C:\WINDOWS\system32\bbadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\byxyawu.dll
    C:\WINDOWS\system32\byxyawu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cbxwwwt.dll
    C:\WINDOWS\system32\cbxwwwt.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\ddabb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddcaxyv.dll
    C:\WINDOWS\system32\ddcaxyv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fdmcjvys.ini
    C:\WINDOWS\system32\fdmcjvys.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
    C:\WINDOWS\system32\rqrpqom.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\syvjcmdf.dll
    C:\WINDOWS\system32\syvjcmdf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 4:58:51 PM 6/2/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\bdeeg.bak1
    C:\WINDOWS\system32\bdeeg.ini
    C:\WINDOWS\system32\geedb.dll
    C:\WINDOWS\system32\rqrpqom.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\bdeeg.bak1
    C:\WINDOWS\system32\bdeeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\bdeeg.ini
    C:\WINDOWS\system32\bdeeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\geedb.dll
    C:\WINDOWS\system32\geedb.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\rqrpqom.dll
    C:\WINDOWS\system32\rqrpqom.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\geedb.dll
    C:\WINDOWS\system32\geedb.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 10:52:06 PM 6/2/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 9:51:40 AM 6/3/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\itwkwqgd.dll
    C:\WINDOWS\system32\itwkwqgd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\txfjydde.dll
    C:\WINDOWS\system32\txfjydde.dll Has been deleted!

    Performing Repairs to the registry.
    Done!



    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:22:57 AM 6/3/2007

    + Scan result:



    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP22\A0027144.exe -> Adware.Casino : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008486.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008487.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008652.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008668.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\AbsoluteHttp.dll -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{8E8653F1-34CA-4473-AE37-138ED27760AD} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TypeLib\{BD1D0EFE-F49E-4EC8-95AC-224BC4FD2211} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP22\A0036720.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046522.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046523.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046525.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046532.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP17\A0017484.dll -> Downloader.Agent.bhg : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017561.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017570.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017566.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017558.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP7\A0008651.exe -> Downloader.PurityScan.af : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021564.exe -> Downloader.Small.cul : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0049478.exe -> Downloader.Small.cul : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021555.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP16\A0014260.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017571.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017562.exe -> Downloader.VB.att : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017560.exe -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017568.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0049477.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
    C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017555.exe -> Hijacker.Costrat.at : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP16\A0016371.sys -> Logger.Goldun.ph : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP21\A0022492.dll -> Logger.Goldun.ph : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021552.dll -> Logger.Nukulus.a : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021553.dll -> Logger.Nukulus.a : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021563.exe -> Not-A-Virus.Hoax.Win32.Renos.fi : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021560.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017556.exe -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017557.exe -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017559.exe -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0049530.sys -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017569.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP6\A0007225.exe -> Proxy.Dlena.ad : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021559.dll -> Proxy.Nukulus : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021554.exe -> Proxy.Xorpix.ba : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021561.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021557.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021558.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP18\A0017565.exe -> Trojan.VB.nhr : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021556.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021562.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\vexga8me6.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).


    ::Report end




    Logfile of HijackThis v1.99.1
    Scan saved at 11:31:28 AM, on 6/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Default\Desktop\Briefcase of cleaners\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    Ready for next step
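An added example, not part of the thread and not AVG Anti-Spyware's own tooling: a Python parser for the scan report format posted above, which separates hits inside System Restore snapshots (stale copies under System Volume Information) from the entries that were actually live on the machine, and singles out the one target written as an NTFS alternate data stream (C:\WINDOWS\system32:lzx32.sys, a second colon after the drive letter, attached to the system32 directory itself and invisible to an ordinary directory listing). The sample report is constructed from eight lines copied out of the 52-line report above, chosen to cover each location kind; the function names and location labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample: eight lines copied from the AVG Anti-Spyware report in
# the thread (the full report has 52), chosen to cover every location kind.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:22:57 AM 6/3/2007

+ Scan result:

C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP22\A0027144.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP23\A0046522.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{624E3874-B906-4013-8AE8-042234375DE9}\RP20\A0021556.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AbsoluteHttp.dll -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8E8653F1-34CA-4473-AE37-138ED27760AD} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vexga8me6.exe -> Worm.Zhelatin.ee : Cleaned with backup (quarantined).

::Report end
"""

# Report line: "<target> -> <family> : <action>."
ENTRY_RE = re.compile(r"^(?P<target>.+?) -> (?P<family>[^:]+?) : (?P<action>.+?)\.?$")
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)


def classify(target):
    """Label where a detection lived: registry, restore-point, ads or live-file."""
    if target.startswith(("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")):
        return "registry"
    if RESTORE_RE.match(target):
        return "restore-point"  # snapshot copy, says nothing about current state
    # A second colon after the drive letter marks an NTFS alternate data
    # stream, e.g. C:\WINDOWS\system32:lzx32.sys (a stream on the directory).
    if ":" in target[2:]:
        return "ads"
    return "live-file"


def parse_report(text):
    """Turn the report into a list of dicts; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "target": m.group("target"),
                "family": m.group("family"),
                "action": m.group("action"),
                "location": classify(m.group("target")),
            })
    return entries


def summarize(entries):
    """Counts by location plus the entries that were live outside System Restore."""
    by_location = Counter(e["location"] for e in entries)
    live = [e for e in entries if e["location"] != "restore-point"]
    live_families = Counter(e["family"] for e in live)
    return {
        "by_location": dict(by_location),
        "live": live,
        "live_families": dict(live_families),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(summary["by_location"])
    for entry in summary["live"]:
        print(f'{entry["location"]:13} {entry["family"]:24} {entry["target"]}')
```

On the sample the restore-point hits fall out as history, and what remains is the short list worth a second look after the reboot: the system32 DLL and its CLSID key, the executable in system32, and the Costrat driver that appeared both as a plain file and as a stream on the system32 directory. Pairing those live entries with a fresh HJT log, as the helper asked for, is the cheap way to confirm that the stream and the registry key did not come back.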
