#1
New Member
Join Date: Nov 2006
Posts: 13
I have an unknown virus and have no idea what to do about it. Here's the HijackThis log file; if anyone could help I would appreciate it.
Logfile of HijackThis v1.99.1
Scan saved at 9:53:18 AM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\{6074DF77-07D9-1033-1028-050507270001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcah.dll,startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
#2
Platinum Member
Join Date: Jan 2006
Posts: 567
You have multiple infections so this will take several steps to remove. Please do the following.

You are running 2 antiviruses. Pick one and remove the other. If you choose to remove 'Norton', go to the Symantec website and get their special removal tool! Once you've done this, proceed below.

Go to 'Control Panel/Folder Options/View' and check 'Show hidden files and folders'. While there, UNCHECK 'Hide protected operating system files (recommended)'. Click Apply and OK.

Completely disable Trojan Hunter.

Run HijackThis and put a check by the following entries, close all open windows and browsers except HijackThis and click 'Fix Checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcah.dll,startup
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll

Exit 'HJT' and reopen 'HJT' again. Select 'Misc Tools/Delete a File on Reboot'. Navigate to the following entries one at a time:

C:\Program Files\Common Files\{6074DF77-07D9-1033-1028-050507270001}\Update.exe
C:\WINDOWS\SYSTEM32\wingsa32.dll

Click Open, then OK. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Decline the reboot until both entries have been entered. Then click Yes/OK. Your system must reboot now.

Once back in Windows, do the following. Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip to your Desktop. Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #1 - Search by typing 1 and press Enter. This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Post this log along with a new 'HJT' log.
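As an added example (not code from this thread, from the helper, or from HijackThis itself), the Python script below applies the same cues the helper used to pick the entries above: BHOs with no name or a missing file, Run keys that load a DLL through rundll32 or launch a binary named like a core system process, Winlogon Notify packages outside a small assumed XP baseline, every SSODL entry, and services with no vendor information. The KNOWN_NOTIFY and SYSTEM_PROCS sets are assumptions kept deliberately small; the sample lines are copied from the logs posted in this thread.

```python
"""First-pass triage of HijackThis v1.99 log entries (added example).

Heuristics mirror the entries fixed in this thread. The baseline sets are
assumptions, not a complete list; anything they do not cover is surfaced for
a human to review rather than decided automatically.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: Winlogon Notify packages on a stock XP SP2 install plus WGA.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon"}
# Core process names that are never legitimately started from a Run key.
SYSTEM_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s+(?P<dll>\S+?\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    subject: str   # the entry name or DLL path the finding is about
    reason: str


def _exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program a Run value launches."""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing about it stood out."""
    line = line.strip()
    if m := BHO_RE.match(line):
        if m["name"] == "(no name)" or "(file missing)" in m["path"]:
            return Finding("O2", m["path"].replace(" (file missing)", ""),
                           "BHO without a product name or with a missing file")
    elif m := RUN_RE.match(line):
        if d := RUNDLL_RE.search(m["cmd"]):
            return Finding("O4", m["name"], f"rundll32 loads {d['dll']} at logon")
        if _exe_basename(m["cmd"]) in SYSTEM_PROCS:
            return Finding("O4", m["name"],
                           "core system process name launched from a Run key")
    elif m := NOTIFY_RE.match(line):
        if m["name"] not in KNOWN_NOTIFY:
            return Finding("O20", m["name"], "Winlogon Notify package outside the baseline")
    elif m := SSODL_RE.match(line):
        return Finding("O21", m["name"], "ShellServiceObjectDelayLoad entry; review manually")
    elif m := SVC_RE.match(line):
        if m["owner"] == "Unknown owner":
            return Finding("O23", m["name"], "service binary carries no vendor information")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcah.dll,startup
O4 - HKCU\..\Run: [Etrh] "C:\WINDOWS\system32\SKS~1\services.exe" -vt yazb
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.subject:<40}{f.reason}")
```

Run against a full log the script only narrows the list; every flagged entry still needs a person to confirm it before it is fixed, exactly as the helper did here.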
#3
New Member
Join Date: Nov 2006
Posts: 13
Logfile of HijackThis v1.99.1
Scan saved at 10:31:53 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\{6074DF77-07D9-1033-1028-050507270001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Alex\LOCALS~1\Temp\b104.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\TW9t\command.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\Alex\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)

SmitFraudFix v2.124
Scan done at 22:31:24.70, Fri 11/24/2006
Run from C:\Documents and Settings\Alex\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\fmrmhc.dll FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alex
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alex\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0bad5052-665d-40d4-a9bd-a2891eaafb42}"="boucicault"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

Now it wouldn't let me delete the files c:\Program files\6074df77-07d9-1033-1028-050507270001\update.exe and c:\windows\system32\wingsa32.dll even after using HJT.
#5
Platinum Member
Join Date: Jan 2006
Posts: 567
Download Ewido (AVG Anti-Spyware) from http://www.ewido.net/en/download/ then set it up this way: http://rstones12.geekstogo.com/ewidosetup.htm You will need this later in safe mode. Make sure to update this program.

Download ATF-Cleaner to your desktop from this link: http://www.atribune.org/content/view/19/2/ You will need it later in safe mode.

Reboot your computer in Safe Mode by doing the following:
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

Very Important: Make sure all security programs (Norton, Norton ScriptBlocking, Ewido, Trojan Hunter, etc.) are DISABLED until they are needed. They may interfere with the cleaning process.

Run SmitfraudFix:
* Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool.
* Select option #2 - Clean by typing 2 and press Enter.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
* The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. Save this log.

Continuing from safe mode, run AVG Anti-Spyware and delete what it finds. Make sure of the following settings: select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" select "Automatically generate report after every scan" and un-select "Only if threats were found". Save this scan log.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button. If you use Firefox also, select it at the top of ATF-Cleaner, tick Select All and run again.

Reboot into normal Windows, run ATF-Cleaner again and post a fresh 'HJT' log along with the safe mode scan logs from AVG Anti-Spyware and SmitfraudFix.
#6
New Member
Join Date: Nov 2006
Posts: 13
Logfile of HijackThis v1.99.1
Scan saved at 9:39:51 PM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Alex\Desktop\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwot.dll,startup
O4 - HKLM\..\Run: [jezmesh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jezmesh.dll,zadrarc
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Etrh] "C:\WINDOWS\system32\SKS~1\services.exe" -vt yazb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:31:30 PM 11/25/2006

+ Scan result:

C:\Program Files\VSAdd-in\VSAdd-in.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000539.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000564.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000594.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000547.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000549.dll -> Adware.CommAd : Cleaned.
C:\Program Files\Common Files\{3074DF77-07D9-1033-1028-050507270001}\Activate.exe -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{3074DF77-07D9-1033-1028-050507270001}\Uninstall.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000124.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000125.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000126.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000184.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000185.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000186.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000505.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000506.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000191.exe -> Adware.Trymedia : Cleaned.
C:\WINDOWS\temp\win90.tmp.exe -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\temp\win25.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\temp\win3C.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\temp\win41.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\temp\win7F.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\temp\win99.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\temp\winB3.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\Documents and Settings\Mom\Local Settings\Temp\efhgbmwp.dll -> Logger.VBStat.h : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000153.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\WINDOWS\temp\mst3B.tmp -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\WINDOWS\temp\mst3E.tmp -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\WINDOWS\temp\mst7E.tmp -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\WINDOWS\temp\mst9A.tmp -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\WINDOWS\temp\mstB2.tmp -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP2\A0000548.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@boostmobile.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@dillards.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@readersdigest.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@e-2dj6wjlooncjilo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@e-2dj6wjmiciajsep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@ehg-idgentertainment.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Greg\Cookies\greg@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Greg\Cookies\greg@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Maddie\Cookies\maddie@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Mom\Cookies\mom@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Alex\Cookies\alex@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned. C:\Documents and Settings\Mom\Cookies\mom@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@h.starware[2].txt -> TrackingCookie.Starware : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@try.starware[1].txt -> TrackingCookie.Starware : Cleaned. C:\Documents and Settings\Greg\Cookies\greg@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned. C:\Documents and Settings\Greg\Cookies\greg@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Documents and Settings\Maddie\Cookies\maddie@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Documents and Settings\Mom\Cookies\mom@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\WINDOWS\temp\win22.tmp -> Trojan.Agent.vg : Cleaned. 
::Report end SmitFraudFix v2.124 Scan done at 21:01:02.93, Sat 11/25/2006 Run from C:\Documents and Settings\Alex\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End |

#7 (permalink)
Platinum Member
Join Date: Jan 2006
Posts: 567

Run 'HJT', select 'Misc.Tools/Delete a File on Reboot'
Navigate to - C:\WINDOWS\system32\drvwot.dll
Click open. Okay. HijackThis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/OK. Your system must reboot now.

Once back in Windows, do the following.

Go to ADD/REMOVE Programs and uninstall the following:
Yazzle
YazzleActiveX
Purityscan
Snowballwars
Cowabanga (or anything else with OIN in the name)

If these aren't present, run this OIN Uninstaller - http://www.outerinfo.com/OiUninstaller.exe

Reboot your computer and navigate to C:\Program Files and delete any of the above folders if still present.

Then, download VundoFix.exe - http://www.atribune.org/ccount/click.php?id=4 to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Run SmitFraudFix again, only using option #1.

Post this log along with the contents of C:\vundofix.txt and a new HiJackThis log.
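Added example (my own code, not from this thread and not HijackThis's or Killbox's): what the "Delete a File on Reboot" step above, and the Killbox "Delete on reboot" step later in the thread, queue up on the system. My assumption is that both tools use the documented Windows mechanism for this, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The Session Manager applies that list at the next boot, before any Run-key loader can reopen the DLL, which is why it succeeds where a normal delete of a loaded DLL fails. The paths are the three the helper names in this thread; the value is built and decoded entirely offline.

```python
# Added example (mine, not code from this thread, HijackThis or Killbox):
# what a "delete on reboot" request looks like once it is queued on Windows.
# Assumption: both tools use MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT),
# which appends to the REG_MULTI_SZ value
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# The value holds string pairs: source path in NT form ("\??\C:\..."), then
# destination; an empty destination means "delete". smss.exe applies the list
# early at the next boot, before Run-key loaders can reopen the DLL.
# Everything below runs offline on constructed data.
import re

NT_PREFIX = "\\??\\"
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"

# The file this post asks to delete on reboot, plus the two the helper lists
# later in the thread (paths taken from the posted HijackThis log).
HELPER_LISTED = [
    r"C:\WINDOWS\system32\drvwot.dll",
    r"C:\WINDOWS\system32\jezmesh.dll",
    r"C:\WINDOWS\SYSTEM32\wingsa32.dll",
]


def to_nt_path(win_path):
    """C:\\dir\\file  ->  \\??\\C:\\dir\\file, the form stored in the value."""
    if not re.match(r"^[A-Za-z]:\\", win_path):
        raise ValueError(f"expected an absolute drive path, got {win_path!r}")
    return NT_PREFIX + win_path


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, extra NUL at the end."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz; keeps empty strings, because they mean 'delete'."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    return text[:-1].split("\0")[:-1]


def pending_ops(blob):
    """[(source, destination_or_None), ...] as the Session Manager reads it."""
    entries = decode_multi_sz(blob)
    if len(entries) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    return [(src, dst or None) for src, dst in zip(entries[::2], entries[1::2])]


def queue_delete_on_reboot(paths, existing=b""):
    """Append delete entries without dropping operations already queued."""
    entries = decode_multi_sz(existing) if existing else []
    for p in paths:
        entries += [to_nt_path(p), ""]
    return encode_multi_sz(entries)


def to_reg_file(blob, per_line=25):
    """Render as a .reg fragment; hex(7) is how regedit spells REG_MULTI_SZ."""
    hx = [f"{b:02x}" for b in blob]
    rows = [",".join(hx[i:i + per_line]) for i in range(0, len(hx), per_line)]
    body = ",\\\n  ".join(rows)
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{KEY}]\n\"{VALUE}\"=hex(7):{body}\n")


if __name__ == "__main__":
    blob = queue_delete_on_reboot(HELPER_LISTED)
    for src, dst in pending_ops(blob):
        print(f"{src} -> {'DELETE' if dst is None else dst}")
    print(to_reg_file(blob))
```

Two things worth knowing when you use this on a live box: the value is readable with a plain `reg query` before you reboot, so you can confirm exactly what a cleanup tool queued (and a rootkit that watches it can see what is about to be deleted); and deleting the DLL does not remove the Run key or Winlogon Notify entry that loads it, which is why the helper follows the reboot with HijackThis 'Fix Checked' rather than stopping at the delete.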

#8 (permalink)
New Member
Join Date: Nov 2006
Posts: 13

SmitFraudFix v2.124
Scan done at 10:15:44.20, Sun 11/26/2006
Run from C:\Documents and Settings\Alex\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alex

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alex\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 10:16:23 AM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Alex\Desktop\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\kwugjayx.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {5A2E75EF-E324-4CFB-BA85-40D522770567} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\system32\ssqpmml.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144176182\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwot.dll,startup
O4 - HKLM\..\Run: [jezmesh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jezmesh.dll,zadrarc
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Etrh] "C:\WINDOWS\system32\SKS~1\services.exe" -vt yazb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: ssqpmml - C:\WINDOWS\SYSTEM32\ssqpmml.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.5
Java version is 1.5.0.6
Java version is 1.5.0.9

Scan started at 10:09:30 AM 11/26/2006

Listing files found while scanning....

C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xbadd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddabx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xbadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbadd.tmp
C:\WINDOWS\system32\xbadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddabx.dll Has been deleted!

Performing Repairs to the registry.
Done!

#9 (permalink)
Platinum Member
Join Date: Jan 2006
Posts: 567

Before we go any farther, let's flush the restore folder by going to 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'. "Reboot" your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.
Next, download 'Killbox' here http://www.downloads.subratam.org/KillBox.exe to your desktop. You will need it later in safe mode.

Update AVG Antispyware.

From normal Windows, open Vundofix. Right click on the white part in the box and choose 'add more files'. Copy and paste the following lines into this.

C:\WINDOWS\system32\kwugjayx.dll
C:\WINDOWS\system32\wirvufc.dll
C:\WINDOWS\SYSTEM32\ssqpmml.dll

Click Add Files and Remove Vundo and follow the same steps as before. (Save this log.)

Once you have completed this, reboot into safe mode.

Now this is 'Very Important': as you see, one or more of your security programs prevented SmitFraudfix from working. Disable 'ALL' security programs - AVG antispyware, Trojan Hunter and any other Spyware Programs.

To disable Norton AntiVirus Script Blocking:
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.
Now, completely shut down Norton.

Run SmitfraudFix
* Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool.
* Select option #2 - Clean by typing 2 and press Enter.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
* The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. Save this log.

Navigate to the following and delete.
C:\Program Files\Network Monitor
C:\WINDOWS\system32\SKS~1
C:\WINDOWS\TW9t

If these won't delete, add them in with the entries below.

Run Killbox from safe mode.
Start Killbox, place a tick next to [x] Delete on reboot
"Press the All Files button"
Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drvwot.dll
C:\WINDOWS\system32\jezmesh.dll
C:\WINDOWS\SYSTEM32\wingsa32.dll

Next in Killbox go to File > Paste from clipboard
"Click on the All Files button."
Next click on the button that has the red circle with the white X in the middle. It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now. Click Yes and let the computer reboot. If the computer does not reboot automatically just reboot it manually.

Reboot to safe mode once again.

From safe mode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\kwugjayx.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {5A2E75EF-E324-4CFB-BA85-40D522770567} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\system32\ssqpmml.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwot.dll,startup
O4 - HKLM\..\Run: [jezmesh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jezmesh.dll,zadrarc
O4 - HKCU\..\Run: [Etrh] "C:\WINDOWS\system32\SKS~1\services.exe" -vt yazb
O20 - Winlogon Notify: ssqpmml - C:\WINDOWS\SYSTEM32\ssqpmml.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Run AVG Antispyware again and delete what it finds. Save this log.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox also, select at top of ATF cleaner - tick Select all and run again.

Reboot into normal Windows, run ATF cleaner again and post a new 'HJT' log along with the Vundofix log and safe mode scan logs from AVG Antispyware and SmitFraudFix.
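Added example, my own code rather than HijackThis's or anything posted in this thread: a triage pass over HijackThis log lines that flags the same patterns the helper picked out by hand across the two posts above (BHOs registered with no class name, rundll32 loaders in Run keys, a services.exe copy outside system32, unexpected Winlogon Notify packages, and orphaned services). The rules and weights are my own heuristics; KNOWN_NOTIFY is an assumed allow-list for this one XP SP2 machine; the sample is a constructed subset of the log the poster supplied, with five benign lines left in as controls.

```python
# Added example (my own code, not HijackThis's and not from this thread):
# a triage pass over HijackThis log lines that flags the patterns the
# helper picked out by hand. Rules and weights are my heuristics;
# KNOWN_NOTIFY is an assumed allow-list for this one XP SP2 box; the sample
# is a constructed subset of the log posted in the thread.
import re
from collections import Counter

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\kwugjayx.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {5A2E75EF-E324-4CFB-BA85-40D522770567} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\system32\ssqpmml.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwot.dll,startup
O4 - HKLM\..\Run: [jezmesh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jezmesh.dll,zadrarc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Etrh] "C:\WINDOWS\system32\SKS~1\services.exe" -vt yazb
O20 - Winlogon Notify: ssqpmml - C:\WINDOWS\SYSTEM32\ssqpmml.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

SYSTEM32 = "c:\\windows\\system32\\"
# Core OS image names that only ever run from system32 itself; the same
# name in a subdirectory (system32\SKS~1\services.exe) is masquerading.
CORE_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe"}
# Winlogon Notify DLLs expected on this box (assumption). WgaLogon.dll is
# the Windows Genuine Advantage notifier; anything else gets a look.
KNOWN_NOTIFY = {"wgalogon.dll"}
ENTRY = re.compile(r"^O\d+ - ")
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^,"\s]+)', re.IGNORECASE)


def parse(line):
    """Return (section, path, loaded_via_rundll32, file_missing) for one HJT line."""
    section, rest = line.split(" - ", 1)
    missing = "(file missing)" in rest
    rest = rest.replace("(file missing)", "").strip()
    if section == "O4":                        # Run key: the text after the [label]
        cmd = rest.split("] ", 1)[1]
        m = RUNDLL32.search(cmd)
        if m:                                   # the DLL, not rundll32, is the payload
            return section, m.group(1), True, missing
        m = re.match(r'"([^"]+)"|(\S+)', cmd)   # unquoted paths with spaces get cut short
        return section, m.group(1) or m.group(2), False, missing
    return section, rest.rsplit(" - ", 1)[-1], False, missing


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score(line, seen):
    """Weighted reasons for one line; `seen` counts image names across the log."""
    section, path, via_rundll32, missing = parse(line)
    low, name = path.lower(), basename(path)
    in_sys32 = low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]
    reasons = []
    if section == "O2":
        if "(no name)" in line:
            reasons.append(("BHO registered without a class name", 2))
        if in_sys32:
            reasons.append(("BHO DLL dropped straight into system32", 1))
    elif section == "O4":
        if via_rundll32:
            reasons.append(("Run key loads a DLL through rundll32", 3))
        if name in CORE_IMAGES and not in_sys32:
            reasons.append(("core OS image name outside system32", 3))
    elif section == "O20" and name not in KNOWN_NOTIFY:
        reasons.append(("unexpected Winlogon Notify package", 3))
    elif section == "O23" and "Unknown owner" in line:
        reasons.append(("service with no vendor string", 1))
    if missing:   # file is gone but the registration is not: still needs fixing
        reasons.append(("orphaned registration (file missing)", 1))
    if seen[name] > 1:
        reasons.append((f"{name} registered in {seen[name]} places", 2))
    return path, reasons, sum(w for _, w in reasons)


def triage(log_text, threshold=2):
    """Entries scoring >= threshold, highest first, as (score, line, reasons)."""
    lines = [l for l in log_text.splitlines() if ENTRY.match(l)]
    seen = Counter(basename(parse(l)[1]) for l in lines)
    findings = []
    for line in lines:
        path, reasons, total = score(line, seen)
        if total >= threshold:
            findings.append((total, line, [r for r, _ in reasons]))
    return sorted(findings, key=lambda f: -f[0])


if __name__ == "__main__":
    for total, line, reasons in triage(SAMPLE_LOG):
        print(f"[{total}] {line}\n      " + "; ".join(reasons))
```

On the sample this flags exactly the twelve entries the helper told the poster to fix and none of the five controls; the two ssqpmml.dll lines score highest because the same DLL is registered both as a BHO and as a Winlogon Notify package. Run it over the full log (`triage(open(path).read())`) and expect some noise: the "Unknown owner" plus "(file missing)" rule will also catch the leftover Norton services (navapsvc, NPFMntor, the LiveUpdate scheduler) that a broken uninstall left behind, which is why the helper's list stops at cmdService and Network Monitor. A score is a prompt to look, not a verdict.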