
Popups And Slow Comp, Think It's Vundo


12 replies to this topic

#1 Ghoro

  • Members
  • 7 posts

Posted 30 July 2007 - 09:06 PM

Hi, I just got this problem yesterday. I used to have drivecleaner 2006 and other Vundo that I removed using VundoFix, Spybot and AVG. However it's better now, but I still get popups and my comp is really slow. VundoFix and AVG don't find anything any more and Spybot just keeps finding the same spyware, but they just keep coming back. So I would appreciate any help :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:36 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ReadPlease 2003\ReadPleasePlus2003.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Ghoro\Application Data\s?stem32\m?hta.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37E0BEAB-CB4E-4707-901D-6A8F01E04471} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {3CEB3A77-FA24-455B-8B5E-46A961F1E233} - C:\Program Files\NetMeeting\mevofumyt83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {65186AD0-A46D-BCBD-4914-828DBD2184BF} - C:\WINDOWS\system32\oprdeol.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9aea9add-8e42-4de9-bba5-00b134bc2f31} - C:\WINDOWS\system32\qdtgtjy.dll
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll
O2 - BHO: (no name) - {9FF549A3-A7A5-4EDF-B9D4-DB924012E359} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe



#2 bamajim

  • Members
  • 894 posts

Posted 02 August 2007 - 12:12 PM

Ghoro

1. If you have run Vundofix please post the contents of the C:\Vundofix.txt in your reply

Thanks
Microsoft MVP - Windows Security

#3 Ghoro

  • Topic Starter
  • Members
  • 7 posts

Posted 02 August 2007 - 04:03 PM

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:22:19 AM 6/8/2007

Listing files found while scanning....

C:\WINDOWS\system32\efccdcy.dll
C:\WINDOWS\system32\ienpolty.dll
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ytlopnei.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efccdcy.dll
C:\WINDOWS\system32\efccdcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ienpolty.dll
C:\WINDOWS\system32\ienpolty.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\ssqoool.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ytlopnei.ini
C:\WINDOWS\system32\ytlopnei.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\ssqoool.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:40:50 AM 6/8/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 12:21:20 AM 6/13/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:29:18 PM 7/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\jdtsaour.dll
C:\WINDOWS\system32\pkqmfekw.dll
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\vtutr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:36:54 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:39:46 PM 7/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\vtutr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:45:30 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:06:03 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:50:10 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:21:27 PM 7/30/2007

Listing files found while scanning....


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:08:09 PM 7/30/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:09:39 PM 7/30/2007

Listing files found while scanning....

No infected files were found.

#4 bamajim

  • Members
  • 894 posts

Posted 05 August 2007 - 07:47 PM

Ghoro

Sorry for the delay in responding.

We are going to run Vundofix again, but alter the instructions slightly

  • Run VundoFix
  • At the Main window Rt Click in the Open Box and Select Add Files
  • A second window will open
  • Copy and paste the following into the first 2 lines
    C:\WINDOWS\system32\oprdeol.dll
    C:\WINDOWS\system32\loedrpo.*
    C:\WINDOWS\system32\qdtgtjy.dll
    C:\WINDOWS\system32\yjtgtdq.*
  • Select Add Files ->> Repeat until they are all loaded Then Close Window
  • Click the Remove Vundo button. Do not click the Scan for Vundo Button
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Microsoft MVP - Windows Security

#5 Ghoro

  • Topic Starter
  • Members
  • 7 posts

Posted 05 August 2007 - 08:53 PM

I got to say it seems better so far, I turned off my firewall just to test it and I'm not getting any popups.


Logfile of HijackThis v1.99.1
Scan saved at 9:48:12 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\ReadPlease 2003\ReadPleasePlus2003.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37E0BEAB-CB4E-4707-901D-6A8F01E04471} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {3CEB3A77-FA24-455B-8B5E-46A961F1E233} - C:\Program Files\NetMeeting\mevofumyt83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {65186AD0-A46D-BCBD-4914-828DBD2184BF} - C:\WINDOWS\system32\oprdeol.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9aea9add-8e42-4de9-bba5-00b134bc2f31} - C:\WINDOWS\system32\qdtgtjy.dll (file missing)
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll
O2 - BHO: (no name) - {9FF549A3-A7A5-4EDF-B9D4-DB924012E359} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:09:39 PM 7/30/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\oprdeol.dll
C:\WINDOWS\system32\oprdeol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qdtgtjy.dll
C:\WINDOWS\system32\qdtgtjy.dll Has been deleted!

Performing Repairs to the registry.
Done!

#6 bamajim

  • Members
  • 894 posts

Posted 06 August 2007 - 04:03 PM

Ghoro

Glad to hear it.

1. Rerun Hijackthis (scan only) and place checks beside the following entries

O2 - BHO: (no name) - {37E0BEAB-CB4E-4707-901D-6A8F01E04471} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {65186AD0-A46D-BCBD-4914-828DBD2184BF} - C:\WINDOWS\system32\oprdeol.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9aea9add-8e42-4de9-bba5-00b134bc2f31} - C:\WINDOWS\system32\qdtgtjy.dll (file missing)
O2 - BHO: (no name) - {9FF549A3-A7A5-4EDF-B9D4-DB924012E359} - C:\WINDOWS\system32\vtutr.dll (file missing)

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC

2. Run an online virus scan called Kaspersky from HERE.
  1. Click on "Kaspersky Online Scanner"
  2. A new smaller window will pop up. Press on "Accept" after reading the contents.
  3. Now Kaspersky will update the anti-virus database. Let it run.
  4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  5. Then click on "My Computer". And the scan will start.
  6. Once finished, save a log as ".txt" to the desktop.
Copy and post the results of the Kaspersky Online scan
Microsoft MVP - Windows Security
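A small triage script, added here as an example and not part of this thread, of HijackThis or of VundoFix. It applies the two checks the helper makes by eye in this thread: unnamed O2 BHO entries whose DLL is gone are orphaned registrations to clear, unnamed BHOs still loading from system32 go on a review list, and any path whose letters are not plain ASCII is flagged, since the Kaspersky report later shows an "Application Data\sуstem32\mѕhta.exe" spelt with Cyrillic letters. The O2 lines are copied from the logs above; the Cyrillic process path is constructed to match that Kaspersky line.

```python
"""Triage of HijackThis v1.99 log lines (added example for this thread)."""
import re
import unicodedata

# Sample lines: O2 entries copied from the HijackThis logs in this thread, plus one
# constructed running-process path using the Cyrillic letters U+0443 and U+0455
# in place of Latin 'y' and 's', as the Kaspersky report shows.
SAMPLE_LOG = [
    r"C:\WINDOWS\System32\smss.exe",
    "C:\\Documents and Settings\\Ghoro\\Application Data\\s\u0443stem32\\m\u0455hta.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {37E0BEAB-CB4E-4707-901D-6A8F01E04471} - C:\WINDOWS\system32\ssqpo.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: (no name) - {65186AD0-A46D-BCBD-4914-828DBD2184BF} - C:\WINDOWS\system32\oprdeol.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {9aea9add-8e42-4de9-bba5-00b134bc2f31} - C:\WINDOWS\system32\qdtgtjy.dll (file missing)",
]

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <path> [(file missing)]" or "... - (no file)"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<rest>.*)$"
)
MISSING = " (file missing)"
SYSTEM32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)


def parse_o2(line):
    """Split an O2 line into name, CLSID, path and whether the DLL still exists; None if not an O2 line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest == "(no file)":
        path, present = None, False
    elif rest.endswith(MISSING):
        path, present = rest[: -len(MISSING)], False
    else:
        path, present = rest, True
    return {"name": m.group("name"), "clsid": m.group("clsid").upper(), "path": path, "present": present}


def triage_bhos(lines):
    """Sort O2 entries into:
    'orphan' - unnamed and the DLL is gone: a dead registration, clear it;
    'review' - unnamed and still loading from system32: look at the file before deciding;
    'ok'     - named, or an unnamed DLL outside system32 (e.g. Spybot's SDHelper.dll)."""
    result = {"orphan": [], "review": [], "ok": []}
    for line in lines:
        e = parse_o2(line)
        if e is None:
            continue
        if e["name"] == "(no name)" and not e["present"]:
            result["orphan"].append(e["clsid"])
        elif e["name"] == "(no name)" and SYSTEM32.match(e["path"]):
            result["review"].append(e["path"])
        else:
            result["ok"].append(e["clsid"])
    return result


def homoglyph_paths(lines):
    """Return (line, sorted Unicode names) for lines whose letters are not all ASCII.
    A folder or file name that looks like a Windows system name but uses Cyrillic
    letters is impersonating that name and will not match a plain-ASCII search."""
    hits = []
    for line in lines:
        odd = {c for c in line if ord(c) > 127 and c.isalpha()}
        if odd:
            hits.append((line.strip(), sorted(unicodedata.name(c, "UNNAMED") for c in odd)))
    return hits


if __name__ == "__main__":
    for kind, items in triage_bhos(SAMPLE_LOG).items():
        print(kind, items)
    for line, names in homoglyph_paths(SAMPLE_LOG):
        print("homoglyph letters in:", line, names)
```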

#7 Ghoro

  • Topic Starter
  • Members
  • 7 posts

Posted 07 August 2007 - 11:55 PM

If I keep my firewall up I'm fine, but if I have explore running I can still get popups even with my firewall up. I even had some random radio station playing at one time, but I couldn't see what was playing it.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 12:47:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/08/2007
Kaspersky Anti-Virus database records: 376960
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 168043
Number of viruses found: 21
Number of infected objects: 43
Number of suspicious objects: 12
Duration of the scan process: 04:08:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde26.zip/retadpu572.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde26.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip/v1.8.0/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.leases Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Microsoft\Word\~WRA0003.asd Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\history.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\key3.db Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ghoro\Application Data\sуstem32\mѕhta.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\Documents and Settings\Ghoro\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Desktop\dad\GDiVXZen1.2.exe/data0005 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Ghoro\Desktop\dad\GDiVXZen1.2.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe/WISE0044.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe/WISE0044.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe WiseSFX Dropper: infected - 3 skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Application Data\Mozilla\Firefox\Profiles\tvb01xcc.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\History\History.IE5\MSHist012007080720070808\index.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\MBDownloader_876919.exe Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\snapsnet.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file26 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file39 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\WinAntiSpyware2007Setup.exe Inno: infected - 4 skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\yazzlesnet.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\yazzlesnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\~DF260C.tmp Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\~DFD0F.tmp Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\~WRS1105.tmp Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\Content.IE5\MEB3W8TQ\count[1].htm Infected: Trojan-Downloader.JS.Inor.a skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\Content.IE5\U42WUAAC\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\Content.IE5\U42WUAAC\83122[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\Content.IE5\U42WUAAC\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Ghoro\Local Settings\Temporary Internet Files\Content.IE5\U42WUAAC\TTC-4444[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ghoro\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Ghoro\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ghoro\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ghoro\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7f4.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-08-06.20-36-08.log Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20070729-190032-713.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
C:\Program Files\iMesh Applications\iMesh MediaBar\MediaBar.dll Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
C:\Program Files\iTunes\Plug-Ins\audioscrobbler.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_313.trc Object is locked skipped
C:\Program Files\NetMeeting\mevofumyt4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\NetMeeting\mevofumyt83122.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\efccdcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ienpolty.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\oprdeol.dll.bad Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\VundoFix Backups\qdtgtjy.dll.bad Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\VundoFix Backups\ssqoool.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ssqpo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{38D06867-642D-470E-A105-4D24BF818A0D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd9437.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\G1\kmhp83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\WINDOWS\system32\G1\kmhp83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\khfebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\tuvutsp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\tuvvvww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat Object is locked skipped
C:\WINDOWS\Temp\vmware-vmount.log Object is locked skipped
C:\WINDOWS\TISKY009.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 bamajim


Posted 08 August 2007 - 04:23 PM

Ghoro

We still have some things to do.

1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

2. We are going to add files once again to VundoFix.
  • Run VundoFix.
  • At the Main window, right-click in the Open Box and select Add Files.
  • A second window will open.
  • Copy and paste the following into the first 2 lines:
C:\WINDOWS\system32\khfebya.dll
C:\WINDOWS\system32\aybefhk.*
C:\WINDOWS\system32\tuvutsp.dll.vir
C:\WINDOWS\system32\pstuvut.*
C:\WINDOWS\system32\tuvvvww.dll
C:\WINDOWS\system32\wwvvvut.*

  • Select Add Files ->> Repeat until they are all loaded, then close the window.
  • Click the Remove Vundo button. Do not click the Scan for Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

3. Re-run HijackThis.
  • At the Main window select "Open the misc tool section"
  • Then select "Open uninstall manager"
  • Then "save list" and save it to your desktop
  • Copy and paste that list as a reply to this thread

Thanks
Microsoft MVP - Windows Security
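As an added example that is not part of this thread, VundoFix or Kaspersky's tooling: a Python script that reads Kaspersky Online Scanner report lines like the ones Ghoro posted, separates real detections from "Object is locked" noise and archive members, and builds the VundoFix "Add Files" list from step 2 above, including the reversed-name companion (khfebya.dll -> aybefhk.*) that the helper worked out by hand. The sample lines are copied from the report above; the function names are my own.

```python
import re

# Constructed sample: lines copied from the Kaspersky Online Scanner report
# posted earlier in this thread (one entry per line: <object> <verdict> skipped).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Ghoro\Local Settings\Temp\snapsnet.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\Ghoro\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe WiseSFX Dropper: infected - 3 skipped
C:\VundoFix Backups\efccdcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\khfebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\tuvutsp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\tuvvvww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
"""

# Three line shapes occur in the report: a named detection, an archive
# container summary ("NSIS: infected - 1") and a file the scanner could not open.
# The archive name may contain spaces ("WiseSFX Dropper") but never a backslash,
# which is what keeps the lazy path match from swallowing it.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:"
    r"Infected: (?P<det>\S+)"
    r"|(?P<archive>[^\\]+?): infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked)"
    r") skipped$"
)


def parse_report(text):
    """Return one dict per report line: kind, on-disk path, archive member, detection."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header/footer lines such as "Scan process completed."
        obj = m.group("obj")
        # "file.exe/data0005" is a member inside an installer archive; the
        # object on disk is the part before the first "/".
        path, _, member = obj.partition("/")
        if m.group("det"):
            kind = "infected"
        elif m.group("archive"):
            kind = "container"
        else:
            kind = "locked"
        entries.append({"kind": kind, "path": path, "member": member or None,
                        "detection": m.group("det")})
    return entries


def summarize(text):
    """Count report lines by kind; locked system files are not findings."""
    counts = {"infected": 0, "container": 0, "locked": 0}
    for e in parse_report(text):
        counts[e["kind"]] += 1
    return counts


def vundofix_add_list(text, system_dir=r"C:\WINDOWS\system32"):
    """Build the VundoFix 'Add Files' list the way the helper did in step 2.

    Live Virtumonde DLLs in system32 are listed together with the
    reversed-name companion this family drops beside each DLL
    (khfebya.dll -> aybefhk.*).  Quarantined copies (*.bad under
    'VundoFix Backups') and archive members are left out.
    """
    wanted = []
    for e in parse_report(text):
        if e["kind"] != "infected" or e["member"]:
            continue
        if "Virtumonde" not in e["detection"]:
            continue
        folder, _, name = e["path"].rpartition("\\")
        if folder.lower() != system_dir.lower() or name.lower().endswith(".bad"):
            continue
        stem = name.split(".", 1)[0]          # tuvutsp.dll.vir -> tuvutsp
        wanted.append(e["path"])
        wanted.append(f"{folder}\\{stem[::-1]}.*")
    return wanted


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for item in vundofix_add_list(SAMPLE_REPORT):
        print(item)
```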

#9 Ghoro


Posted 08 August 2007 - 06:06 PM

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:22:19 AM 6/8/2007

Listing files found while scanning....

C:\WINDOWS\system32\efccdcy.dll
C:\WINDOWS\system32\ienpolty.dll
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ytlopnei.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efccdcy.dll
C:\WINDOWS\system32\efccdcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ienpolty.dll
C:\WINDOWS\system32\ienpolty.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\ssqoool.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ytlopnei.ini
C:\WINDOWS\system32\ytlopnei.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\ssqoool.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:40:50 AM 6/8/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 12:21:20 AM 6/13/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:29:18 PM 7/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\jdtsaour.dll
C:\WINDOWS\system32\pkqmfekw.dll
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\ssqoool.dll
C:\WINDOWS\system32\vtutr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:36:54 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:39:46 PM 7/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\vtutr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:45:30 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:06:03 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:50:10 PM 7/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:21:27 PM 7/30/2007

Listing files found while scanning....


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:08:09 PM 7/30/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:09:39 PM 7/30/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\oprdeol.dll
C:\WINDOWS\system32\oprdeol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qdtgtjy.dll
C:\WINDOWS\system32\qdtgtjy.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\khfebya.dll
C:\WINDOWS\system32\khfebya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvutsp.dll.vir
C:\WINDOWS\system32\tuvutsp.dll.vir Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvvvww.dll
C:\WINDOWS\system32\tuvvvww.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 7:02:25 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\ReadPlease 2003\ReadPleasePlus2003.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CEB3A77-FA24-455B-8B5E-46A961F1E233} - C:\Program Files\NetMeeting\mevofumyt83122.dll
O2 - BHO: (no name) - {4C6D46B1-ACAC-4BE5-A19A-23D623748D91} - C:\Program Files\NetMeeting\mevofumyt4444.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe


AC3Filter (remove only)
Acez Mp3 Wav Converter v3.0
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Alarm 2.0.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AutoHotkey 1.0.46.08
AVG 7.5
BlueJ 2.0.4
Borland JBuilder 2005 Foundation
CAAS_ParentTrial
Canon CanoScan Toolbox 4.9
Canon ScanGear Starter
Cerbere 1.3.6
Circuit City Advantage Protection Plan
Conexant AC-Link Audio
Cubis Deluxe
Data Fax SoftModem with SmartCP
Digital Space Traveler
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Region Killer
Dystopia
Earth's Special Forces
Easy Internet Sign-up
Eternal Silence Beta 2.3
FLAC Installer 1.1.2a (remove only)
Free Allegiance
Free Buttons.org
GameSpy Arcade
GDivX Zenith Player
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Video Player
Gunbound Revolution
GunZ Mouse Re-Binder 1.18
Half-Life® 2
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Help and Support
HP Software Update
HP User Guides 0001
HP Wireless Assistant 1.01 A2
Hyplay
ijji
ijji - Gunz
iMesh MediaBar
IMMonitor MSN Spy
InterActual Player
InterVideo WinDVD
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.0_02
Java 2 SDK, SE v1.4.0_02
Java™ SE Development Kit 6
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Lernout & Hauspie TruVoice American English TTS Engine
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ .NET Standard 2003 - English
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Works
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
muvee autoProducer 4.0 - SE
myTunes Redux 1.0
Natural Selection 3.2
NewzToolz v0.0.4
Painkiller Special Edition
PDF Password Remover v3.0
PeerGuardian 2.0
Pirates, Vikings and Knights II Beta 1.1
PixNewsPro
PureVoice
Quick Launch Buttons 5.10 B2
QuickTime
Rakion International
ReadPlease 2003/ReadPlease PLUS 2003
RealPlayer
Reflex
Rogue Clicker Lite
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Softnyx Launcher
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SpeechRedist
Spybot - Search & Destroy 1.4
SUPER © Version 2007.bld.21 (Jan 4, 2007)
Sygate Personal Firewall
Synaptics Pointing Device Driver
TES Construction Set
Texas Instruments PCIxx21/x515 drivers.
Unreal Tournament 2004
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VMware Workstation
Web Buttons
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
WinPcap 3.1 beta3
WinRAR archiver
Wolfenstein - Enemy Territory
Word Mojo Deluxe
XviD 1.1 final uninstall
Zone Deluxe Games

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:12 AM

Posted 09 August 2007 - 03:10 PM

Ghoro

1. Go to Add/Remove Programs (Click Start ->> Control Panel ->> Add/Remove programs)
And uninstall the following program
iMesh Mediabar <<- This Article ->>
Close Add/Remove Programs

2. Using Windows Explorer
(Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and Delete the following files
C:\Documents and Settings\Ghoro\Desktop\dad\GDiVXZen1.2.exe
C:\Documents and Settings\Ghoro\Desktop\dad\iMeshV7.exe
C:\Program Files\NetMeeting\mevofumyt4444.dll
C:\Program Files\NetMeeting\mevofumyt83122.dll
C:\Program Files\TTC.dll
C:\WINDOWS\system32\G1\kmhp83122.exe
C:\WINDOWS\TTC-4444.exe

Locate and Delete the following folders
C:\Program Files\NetMeeting
C:\PROGRA~1\IMESHA~1 Should Translate C:\Program Files\IMESHA

Close windows explorer ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
Microsoft MVP - Windows Security

#11 Ghoro

Ghoro
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 09 August 2007 - 05:10 PM

I deleted them all, but I could not find these two.
C:\Program Files\TTC.dll
C:\PROGRA~1\IMESHA~1 Should Translate C:\Program Files\IMESHA

Logfile of HijackThis v1.99.1
Scan saved at 6:06:46 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\ReadPlease 2003\ReadPleasePlus2003.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CEB3A77-FA24-455B-8B5E-46A961F1E233} - C:\Program Files\NetMeeting\mevofumyt83122.dll (file missing)
O2 - BHO: (no name) - {4C6D46B1-ACAC-4BE5-A19A-23D623748D91} - C:\Program Files\NetMeeting\mevofumyt4444.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

#12 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:12 AM

Posted 10 August 2007 - 09:18 AM

Ghoro

Good job

1. Rerun Hijackthis (scan only) and place checks beside the following entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
O2 - BHO: (no name) - {3CEB3A77-FA24-455B-8B5E-46A961F1E233} - C:\Program Files\NetMeeting\mevofumyt83122.dll (file missing)
O2 - BHO: (no name) - {4C6D46B1-ACAC-4BE5-A19A-23D623748D91} - C:\Program Files\NetMeeting\mevofumyt4444.dll (file missing)

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot Your PC ->> Rerun Hijackthis and post a fresh Hijackthis log.

Also give me an update on how your PC is running now.
Microsoft MVP - Windows Security
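The entries bamajim singles out in this post (three R1 search settings redirected to search.imesh.com, and two unnamed BHOs whose DLLs were deleted in the previous step but whose CLSID registrations are still present) are the two patterns a reader learns to spot in a HijackThis log: a browser search setting pointing somewhere it should not, and a BHO registration that has no name or no file behind it. The script below is an added example and is not part of this thread, of HijackThis, or of any BleepingComputer tool. It parses a handful of lines copied from Ghoro's log above (embedded as constructed sample input, with one benign BHO and one O4 entry added as controls) and flags exactly the entries that were marked for "Fix checked". The allowlist of search hosts (microsoft.com, msn.com, live.com) is an assumption made here for the example, not something stated in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: a few lines from the HijackThis log posted above,
# plus a legitimate Adobe BHO and an O4 entry that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CEB3A77-FA24-455B-8B5E-46A961F1E233} - C:\Program Files\NetMeeting\mevofumyt83122.dll (file missing)
O2 - BHO: (no name) - {4C6D46B1-ACAC-4BE5-A19A-23D623748D91} - C:\Program Files\NetMeeting\mevofumyt4444.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) then " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# R1 body: registry key, comma, value name, " = ", the configured URL.
R1_BODY = re.compile(
    r"^HK(?:CU|LM)\\Software\\Microsoft\\Internet Explorer\\Main,(?P<key>.+?) = (?P<url>\S+)$"
)
# O2 body: "BHO: <name> - {CLSID} - <dll path>[ (file missing)]".
BHO_BODY = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

# Assumption for this example: hosts a stock IE 7 search setting may point at.
KNOWN_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")


def host_is_known(url):
    """True if the URL's host is one of the allowlisted search providers (or a subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_SEARCH_HOSTS)


def analyse_hjt(log_text):
    """Return [(section, reason, original line), ...] for entries worth fixing.

    Two rules, matching what the helper marked in the thread:
      R1 search settings whose host is not an allowlisted provider (search hijack)
      O2 BHOs that are unnamed and/or whose DLL no longer exists (orphaned registration)
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "R1":
            r = R1_BODY.match(body)
            if r and not host_is_known(r.group("url")):
                host = urlparse(r.group("url")).hostname
                findings.append((section, f"search setting '{r.group('key')}' redirected to {host}", line))
        elif section == "O2":
            b = BHO_BODY.match(body)
            if not b:
                continue
            reasons = []
            if b.group("name") == "(no name)":
                reasons.append("unnamed BHO")
            if b.group("path").endswith("(file missing)"):
                reasons.append("registration points at a DLL that is no longer on disk")
            if reasons:
                findings.append((section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in analyse_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running it against a full log is a matter of passing the file contents to `analyse_hjt`. The "(file missing)" rule is the useful one after a manual clean-up like the one in post #10: deleting a BHO's DLL stops it loading, but the CLSID registration under the Browser Helper Objects key stays behind until it is removed, which is why those two O2 lines still appear in the 9 August log and are fixed here with "Fix checked".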

#13 Ghoro

Ghoro
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 17 August 2007 - 09:51 PM

It seems to be working fine, only thing is when I run spybot it keeps finding the same 43 things. It removes them no problem, but then when I scan again it finds them again.

Logfile of HijackThis v1.99.1
Scan saved at 8:08:15 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
