
Virtumonde Vundo Will Not Remove Tried Vundofix And Virtumondebegone Help!


  • This topic is locked
12 replies to this topic

#1 workinonit

workinonit

  • Members
  • 17 posts
  • Gender:Male
  • Location:Kansas
  • Local time:05:55 AM

Posted 21 January 2008 - 07:58 PM

I have run VundoFix, VirtumondeBeGone, ATF-Cleaner, SUPERAntiSpyware; none will remove one specific file. When I run it, it says cannot remove C:\Windows\System32\hgghecd.dll. I have tried everything recommended but cannot stop this thing!! Any help is greatly appreciated. Thank you in advance. Here is my HijackThis log, if I did this right.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:35 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\STOPzilla!\STOPzilla.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvut.exe
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [e40f1066] rundll32.exe "C:\WINDOWS\system32\urctyufw.dll",b
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray .exe
O4 - HKCU\..\Run: [Gakt] "C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200936371823
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 4163 bytes


Please direct me on how to remove this Virtumonde virus or trojan or whatever I have gotten myself into. Thank you very much. Again, I appreciate your time.
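Triage logic for entries of the kind shown in the HijackThis log above, as an added example that is not part of the original post and not a feature of HijackThis itself: it parses lines in HijackThis v2 format and flags the patterns a responder would look at first. The sample lines are copied from the log in this post; the checks (a `?` in a path, a space before the extension, a Run value named only by hex digits that calls rundll32.exe, a BHO with no name whose file is missing, a populated win.ini load= line) are the editor's heuristics.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample entries copied from the HijackThis log posted above (kinds F3, O2, O4).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvut.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {860B6307-4821-4C62-9E89-52CAB385C61A} - C:\WINDOWS\system32\urqrp.dll (file missing)
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [e40f1066] rundll32.exe "C:\WINDOWS\system32\urctyufw.dll",b
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray .exe
O4 - HKCU\..\Run: [Gakt] "C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe"
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^",]*')


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O4"
    reason: str    # why the entry deserves a look
    line: str      # the raw log line


def extract_path(body: str) -> str:
    """Return the first drive-letter path in an entry body, quotes excluded."""
    m = WIN_PATH.search(body)
    return m.group(0).strip() if m else ""


def triage_line(line: str) -> list[Finding]:
    """Apply the editor's heuristics to one HijackThis line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    path = extract_path(body)
    out: list[Finding] = []
    # '?' cannot occur in a Windows file name, so HijackThis printed it for a
    # character it could not render: the name only looks like Microsoft.NET\javaw.exe.
    if "?" in path:
        out.append(Finding(kind, "unrenderable character in path (look-alike name)", line))
    # A space before the extension ("tbctray .exe") is the pattern ComboFix's
    # Find3M/RenV:: list reports; the registry still points at the spaced name.
    if re.search(r" \.[A-Za-z0-9]{1,4}$", path):
        out.append(Finding(kind, "space before file extension", line))
    # Run value named by eight hex digits that loads a DLL through rundll32.exe.
    if kind == "O4" and re.search(r"\[[0-9a-f]{8}\] rundll32\.exe", body):
        out.append(Finding(kind, "hex-named Run value loading a DLL via rundll32", line))
    # BHO registered with no name whose file is already gone: orphaned registration.
    if kind == "O2" and "(no name)" in body and "(file missing)" in body:
        out.append(Finding(kind, "nameless BHO with missing file", line))
    # win.ini load= is a legacy autostart; on a normal install it is empty.
    if kind == "F3" and re.search(r"load=\S", body):
        out.append(Finding(kind, "win.ini load= autostart populated", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    return [f for ln in log_text.splitlines() for f in triage_line(ln)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

On the sample above the two vendor entries (Google toolbar, the Cox ESP starter) pass clean and the remaining five are flagged, which matches the entries the helper's CFScript and ComboFix deletions went after.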

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:55 AM

Posted 21 January 2008 - 09:21 PM

Hello workinonit,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 workinonit

workinonit
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Kansas
  • Local time:05:55 AM

Posted 22 January 2008 - 02:44 PM

Here is the ComboFix log:



ComboFix 08-01-21.7 - Dad 2008-01-22 10:23:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.147 [GMT -6:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFixbleepingcomputer.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Dad\Application Data\WNSXS~1
C:\Documents and Settings\Dad\Application Data\WNSXS~1\W?nSxS\
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\j?vaw.exe
c:\Program Files\Cox\Applications\App\start .exe
C:\Program Files\inetget2
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awvut.dll
C:\WINDOWS\system32\eehjl.ini
C:\WINDOWS\system32\eehjl.ini2
C:\WINDOWS\system32\hgghecd.dll
C:\WINDOWS\system32\tuvwa.ini
C:\WINDOWS\system32\tuvwa.ini2

----- BITS: Possible infected sites -----

hxxp://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTNDIS


((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 10:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 20:38 . 2008-01-21 20:38 328,192 --a------ C:\WINDOWS\system32\awvut.exe
2008-01-21 18:05 . 2008-01-21 18:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 16:10 . 2008-01-21 17:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-21 16:09 . 2008-01-21 16:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 15:45 . 2008-01-21 15:46 2,048 --a------ C:\WINDOWS\system32\drivers\874EC876-A86D-4930-B3DE-C0A5BF5B930B.cxv
2008-01-21 12:55 . 2008-01-21 12:56 4,096 --a------ C:\WINDOWS\system32\drivers\B7129F40-BAB8-4BD3-B550-0D091369C0A7.cxv
2008-01-21 12:52 . 2008-01-21 12:56 <DIR> d-------- C:\Program Files\STOPzilla!
2008-01-21 12:52 . 2008-01-21 12:52 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-01-21 08:55 . 2008-01-21 15:43 <DIR> d-------- C:\VundoFix Backups
2008-01-20 13:36 . 2008-01-20 13:36 1,073,292 --ahs---- C:\WINDOWS\system32\eaetplem.ini
2008-01-19 17:52 . 2008-01-21 17:47 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-18 10:08 . 2008-01-18 10:08 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-18 10:04 . 2008-01-18 10:04 <DIR> d-------- C:\WINDOWS\ShellNew
2008-01-17 19:44 . 2008-01-17 19:44 <DIR> d-------- C:\Program Files\Common Files\Voyetra
2008-01-17 19:43 . 2008-01-17 19:43 <DIR> d-------- C:\WINDOWS\tbcdata
2008-01-17 19:43 . 2008-01-17 19:43 <DIR> d-------- C:\Program Files\Turtle Beach
2008-01-17 19:43 . 2008-01-17 19:43 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-16 21:53 . 2008-01-16 21:53 <DIR> d-------- C:\WINDOWS\Sun
2008-01-16 19:15 . 2008-01-16 19:15 <DIR> d-------- C:\Program Files\iPod
2008-01-16 19:15 . 2008-01-21 11:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 19:15 . 2008-01-16 19:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 19:14 . 2008-01-21 16:59 <DIR> d-------- C:\Program Files\iTunes
2008-01-16 19:14 . 2008-01-16 19:14 <DIR> d-------- C:\Program Files\Bonjour
2008-01-16 19:13 . 2008-01-21 16:59 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 19:12 . 2008-01-16 19:12 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 19:12 . 2008-01-16 19:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-16 19:11 . 2008-01-16 19:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-16 18:51 . 2008-01-16 18:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-16 18:48 . 2008-01-16 18:49 <DIR> d-------- C:\Program Files\Google
2008-01-16 18:47 . 2008-01-17 19:43 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-16 18:46 . 2008-01-16 18:46 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 18:42 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 18:41 . 2008-01-16 18:42 <DIR> d-------- C:\Program Files\LimeWire
2008-01-16 18:41 . 2008-01-18 08:47 <DIR> d-------- C:\Program Files\Java
2008-01-16 18:41 . 2008-01-16 18:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-16 17:40 . 1998-10-02 21:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-01-16 17:33 . 2008-01-16 17:33 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-16 15:34 . 2008-01-16 15:34 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-01-16 15:34 . 2008-01-16 15:34 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-01-16 15:34 . 2008-01-16 15:34 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-01-16 15:33 . 2008-01-16 15:33 <DIR> d-------- C:\Program Files\Cox
2008-01-16 15:30 . 2008-01-16 15:33 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2008-01-16 15:30 . 2007-06-08 20:12 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-16 15:30 . 2007-06-08 20:12 106,496 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-16 15:10 . 2008-01-16 15:10 <DIR> d--h----- C:\Program Files\Uninstall Information
2008-01-16 15:06 . 2008-01-16 15:06 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-16 15:06 . 2008-01-16 15:06 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-01-16 15:04 . 2004-08-12 07:58 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-16 15:03 . 2004-08-12 07:58 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-16 15:02 . 2004-08-12 07:58 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-16 15:01 . 2008-01-16 15:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-16 15:01 . 2008-01-16 15:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 00:33 835,792 ----a-w C:\WINDOWS\system32\drivers\Css-Dvp.sys
.
<pre>
----a-w			39,792 2008-01-21 17:06:17  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w			61,440 2008-01-21 17:06:25  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w		   171,448 2008-01-21 17:06:28  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w		   267,048 2008-01-21 17:06:24  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   132,496 2008-01-21 17:06:18  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 1,667,584 2008-01-21 17:06:45  C:\Program Files\Messenger\msmsgs .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{860B6307-4821-4C62-9E89-52CAB385C61A}]
C:\WINDOWS\system32\urqrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF2D3883-6C2E-49F8-98FA-18D1FCB38A32}]
C:\WINDOWS\system32\tuvtq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C6B34-2242-4712-B0DD-73C54B7CA674}]
C:\WINDOWS\system32\vtusp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gakt"="C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [ ]
"e40f1066"="C:\WINDOWS\system32\urctyufw.dll" [ ]
"TraySantaCruz"="C:\WINDOWS\system32\tbctray .exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 15:41]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 15:41]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-01-15 09:54]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-01-15 09:54]
S3 vtdg46xx;vtdg46xx;D:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2000-10-24 12:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 13:32:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 13:34:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 19:34:04



Here is the new HijackThis log after ComboFix:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:02 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {860B6307-4821-4C62-9E89-52CAB385C61A} - C:\WINDOWS\system32\urqrp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CF2D3883-6C2E-49F8-98FA-18D1FCB38A32} - C:\WINDOWS\system32\tuvtq.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {FF6C6B34-2242-4712-B0DD-73C54B7CA674} - C:\WINDOWS\system32\vtusp.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [e40f1066] rundll32.exe "C:\WINDOWS\system32\urctyufw.dll",b
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray .exe
O4 - HKCU\..\Run: [Gakt] "C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe"
O4 - HKUS\S-1-5-21-790525478-706699826-1060284298-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Nat')
O4 - HKUS\S-1-5-21-790525478-706699826-1060284298-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Nat')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200936371823
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 5261 bytes


Please advise me what steps to take to get this removed from my computer. Thank you.
I pray this won't take too much time and too much work for your help. Thanks again.

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:55 AM

Posted 22 January 2008 - 03:11 PM

Hello,

I want you to print these directions out or save them to a document, then get completely offline and disable ALL your protection programs please.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
<pre>
----a-w 39,792 2008-01-21 17:06:17 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 61,440 2008-01-21 17:06:25 C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w 171,448 2008-01-21 17:06:28 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w 267,048 2008-01-21 17:06:24 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-21 17:06:18 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,667,584 2008-01-21 17:06:45 C:\Program Files\Messenger\msmsgs .exe
</pre>


Save this as a text file called CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), please re-enable all your protection programs, get back online, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please also let me know how it's running now. :thumbsup:

Thanks,
tea
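The RenV:: section in the post above works on the Find3M lines ComboFix prints between `<pre>` tags: executables whose names carry a space before the extension (`Reader_sl .exe`). As an added example, not code from ComboFix or from this thread, the following parses those lines, computes the name each file should have, and audits a directory tree for the same pattern. The sample block reuses two lines from the log above; the tree in `demo()` is constructed in a temporary folder with hypothetical file names. It only reports; the renaming on this machine was done by ComboFix through the CFScript.

```python
from __future__ import annotations

import ntpath
import os
import re
import tempfile
from pathlib import Path

# Two Find3M lines reused from the ComboFix log above, in the <pre> block format
# the RenV:: section consumes: attributes, size, timestamp, path.
SAMPLE_PRE_BLOCK = r"""
<pre>
----a-w 39,792 2008-01-21 17:06:17 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 1,667,584 2008-01-21 17:06:45 C:\Program Files\Messenger\msmsgs .exe
</pre>
"""

FIND3M_LINE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>.+)$"
)
# One or more spaces immediately before a short extension at the end of the name.
SPACED_EXT = re.compile(r"^(?P<stem>.+?) +(?P<ext>\.[A-Za-z0-9]{1,4})$")


def restored_name(filename: str) -> str | None:
    """'Reader_sl .exe' -> 'Reader_sl.exe'; None when the name is not of that form."""
    m = SPACED_EXT.match(filename)
    return f"{m.group('stem')}{m.group('ext')}" if m else None


def parse_find3m(block: str) -> list[dict]:
    """Parse the lines between <pre> tags into dicts, adding the restored name."""
    rows = []
    for line in block.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if not m:
            continue  # skips the <pre> markers and blank lines
        row = m.groupdict()
        row["size"] = int(row["size"].replace(",", ""))
        # ntpath splits on backslashes even when this runs on a non-Windows host.
        row["restored"] = restored_name(ntpath.basename(row["path"]))
        rows.append(row)
    return rows


def audit_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and list (actual path, name it should have) for spaced-extension files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            fixed = restored_name(name)
            if fixed is not None:
                hits.append((os.path.join(dirpath, name), fixed))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Audit a constructed tree in a temp folder (hypothetical names, not real programs)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp, "Program Files", "Example")
        folder.mkdir(parents=True)
        (folder / "helper.exe").write_bytes(b"constructed: well-formed name")
        (folder / "helper .exe").write_bytes(b"constructed: space before extension")
        return [(Path(p).relative_to(tmp).as_posix(), fixed)
                for p, fixed in audit_tree(tmp)]


if __name__ == "__main__":
    for row in parse_find3m(SAMPLE_PRE_BLOCK):
        print(f"{row['path']}  ->  {row['restored']}")
    for actual, fixed in demo():
        print(f"{actual}  ->  {fixed}")
```

`audit_tree` is the check a responder can run after the rename step: an empty result means no spaced-extension files remain, while any hit is a file the CFScript did not cover.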

#5 workinonit

workinonit
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Kansas
  • Local time:05:55 AM

Posted 22 January 2008 - 03:33 PM

Sorry if I'm stupid, but by all protection programs would you be referring to my firewall and antivirus stuff???
Again, sorry.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:55 AM

Posted 22 January 2008 - 03:46 PM

Nothing to be sorry about!!!! Yes, AntiVirus, Firewall, STOPzilla. :thumbsup:

#7 workinonit

workinonit
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Kansas
  • Local time:05:55 AM

Posted 22 January 2008 - 04:17 PM

ComboFix log... I had to go find it, so I hope this is right.

ComboFix 08-01-21.7 - Dad 2008-01-22 14:44:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.154 [GMT -6:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFixbleepingcomputer.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 10:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 20:38 . 2008-01-21 20:38 328,192 --a------ C:\WINDOWS\system32\awvut.exe
2008-01-21 18:05 . 2008-01-21 18:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 16:10 . 2008-01-21 17:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-21 16:09 . 2008-01-21 16:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 15:45 . 2008-01-21 15:46 2,048 --a------ C:\WINDOWS\system32\drivers\874EC876-A86D-4930-B3DE-C0A5BF5B930B.cxv
2008-01-21 12:55 . 2008-01-21 12:56 4,096 --a------ C:\WINDOWS\system32\drivers\B7129F40-BAB8-4BD3-B550-0D091369C0A7.cxv
2008-01-21 12:52 . 2008-01-21 12:56 <DIR> d-------- C:\Program Files\STOPzilla!
2008-01-21 12:52 . 2008-01-21 12:52 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-01-21 08:55 . 2008-01-21 15:43 <DIR> d-------- C:\VundoFix Backups
2008-01-20 13:36 . 2008-01-20 13:36 1,073,292 --ahs---- C:\WINDOWS\system32\eaetplem.ini
2008-01-19 17:52 . 2008-01-22 14:44 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-18 10:08 . 2008-01-18 10:08 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-18 10:04 . 2008-01-18 10:04 <DIR> d-------- C:\WINDOWS\ShellNew
2008-01-17 19:44 . 2008-01-17 19:44 <DIR> d-------- C:\Program Files\Common Files\Voyetra
2008-01-17 19:43 . 2008-01-17 19:43 <DIR> d-------- C:\WINDOWS\tbcdata
2008-01-17 19:43 . 2008-01-17 19:43 <DIR> d-------- C:\Program Files\Turtle Beach
2008-01-17 19:43 . 2008-01-17 19:43 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-16 21:53 . 2008-01-16 21:53 <DIR> d-------- C:\WINDOWS\Sun
2008-01-16 19:15 . 2008-01-16 19:15 <DIR> d-------- C:\Program Files\iPod
2008-01-16 19:15 . 2008-01-21 11:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 19:15 . 2008-01-16 19:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 19:14 . 2008-01-22 14:44 <DIR> d-------- C:\Program Files\iTunes
2008-01-16 19:14 . 2008-01-16 19:14 <DIR> d-------- C:\Program Files\Bonjour
2008-01-16 19:13 . 2008-01-21 16:59 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 19:12 . 2008-01-16 19:12 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 19:12 . 2008-01-16 19:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-16 19:11 . 2008-01-16 19:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-16 18:51 . 2008-01-16 18:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-16 18:48 . 2008-01-16 18:49 <DIR> d-------- C:\Program Files\Google
2008-01-16 18:47 . 2008-01-17 19:43 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-16 18:46 . 2008-01-16 18:46 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 18:42 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 18:41 . 2008-01-16 18:42 <DIR> d-------- C:\Program Files\LimeWire
2008-01-16 18:41 . 2008-01-18 08:47 <DIR> d-------- C:\Program Files\Java
2008-01-16 18:41 . 2008-01-16 18:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-16 17:40 . 1998-10-02 21:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-01-16 17:33 . 2008-01-16 17:33 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-16 15:34 . 2008-01-16 15:34 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-01-16 15:34 . 2008-01-16 15:34 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-01-16 15:34 . 2008-01-16 15:34 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-01-16 15:33 . 2008-01-16 15:33 <DIR> d-------- C:\Program Files\Cox
2008-01-16 15:30 . 2008-01-16 15:33 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2008-01-16 15:30 . 2007-06-08 20:12 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-16 15:30 . 2007-06-08 20:12 106,496 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-16 15:10 . 2008-01-16 15:10 <DIR> d--h----- C:\Program Files\Uninstall Information
2008-01-16 15:06 . 2008-01-16 15:06 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-16 15:06 . 2008-01-16 15:06 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-01-16 15:04 . 2004-08-12 07:58 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-16 15:03 . 2004-08-12 07:58 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-16 15:02 . 2004-08-12 07:58 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-16 15:01 . 2008-01-16 15:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-16 15:01 . 2008-01-16 15:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 00:33 835,792 ----a-w C:\WINDOWS\system32\drivers\Css-Dvp.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-22_13.33.03.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 16:21:53 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 20:42:57 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 16:21:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 20:42:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 16:21:53 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 20:42:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 16:21:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 20:42:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 16:21:53 905,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 20:42:57 540,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 20:42:57 909,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\NTUSER.DAT
+ 2008-01-22 20:42:57 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{860B6307-4821-4C62-9E89-52CAB385C61A}]
C:\WINDOWS\system32\urqrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF2D3883-6C2E-49F8-98FA-18D1FCB38A32}]
C:\WINDOWS\system32\tuvtq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C6B34-2242-4712-B0DD-73C54B7CA674}]
C:\WINDOWS\system32\vtusp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gakt"="C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [ ]
"e40f1066"="C:\WINDOWS\system32\urctyufw.dll" [ ]
"TraySantaCruz"="C:\WINDOWS\system32\tbctray .exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 15:41]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 15:41]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-01-15 09:54]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-01-15 09:54]
S3 vtdg46xx;vtdg46xx;D:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2000-10-24 12:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 14:48:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 14:49:57
ComboFix-quarantined-files.txt 2008-01-22 20:49:43
ComboFix2.txt 2008-01-22 19:34:26


HijackThis log after ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:51 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {860B6307-4821-4C62-9E89-52CAB385C61A} - C:\WINDOWS\system32\urqrp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CF2D3883-6C2E-49F8-98FA-18D1FCB38A32} - C:\WINDOWS\system32\tuvtq.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {FF6C6B34-2242-4712-B0DD-73C54B7CA674} - C:\WINDOWS\system32\vtusp.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [e40f1066] rundll32.exe "C:\WINDOWS\system32\urctyufw.dll",b
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray .exe
O4 - HKCU\..\Run: [Gakt] "C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200936371823
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 5106 bytes


Still seems slow, and my lovely Cox security suite is off the bottom bar and doesn't show in my Task Manager, but when I click it, it won't respond. Who knows what I did there.

#8 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 22 January 2008 - 04:44 PM

Hello,

Yes, it should still be slow. :blink: For some reason ComboFix isn't deleting the things it should be.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {860B6307-4821-4C62-9E89-52CAB385C61A} - C:\WINDOWS\system32\urqrp.dll (file missing)
O2 - BHO: (no name) - {CF2D3883-6C2E-49F8-98FA-18D1FCB38A32} - C:\WINDOWS\system32\tuvtq.dll (file missing)
O2 - BHO: (no name) - {FF6C6B34-2242-4712-B0DD-73C54B7CA674} - C:\WINDOWS\system32\vtusp.dll (file missing)
O4 - HKLM\..\Run: [e40f1066] rundll32.exe "C:\WINDOWS\system32\urctyufw.dll",b
O4 - HKCU\..\Run: [Gakt] "C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folders/files (if they exist):

C:\WINDOWS\system32\urctyufw.dll <--- this file
C:\Program Files\Common Files\M?crosoft.NET <--- this folder. The "?" might look like an i, and it will contain the file j?vaw.exe

Reboot your computer.

In your reply, please post a new HijackThis log and let me know how it's running. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
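The entries tea picked out above share a handful of tells: a BHO registered with no display name, a CLSID or Run value whose target is reported as "(file missing)" (the DLL is gone but the registry hook survived), a path the log renders with a "?" (which is not a legal Windows filename character, so it stands in for a look-alike such as an accented i), and a Run value whose name is a random hex string that launches a DLL through rundll32. As an added example that is not part of this thread and not HijackThis's own code, the Python script below applies those same rules to the O2/O4/O9 lines of a HijackThis log and prints the candidates for review. The sample lines are copied from the log posted earlier in this thread; the regular expressions, the eight-hex-character name check and the single-letter-export check are my own assumptions about the log format and about Vundo's habits, not anything the tool documents, so treat the output as a shortlist, not a verdict.

```python
"""Triage O2/O4/O9 lines of a HijackThis log for the indicators used in the
thread above.  Heuristic output for human review only: the script reads text,
never the registry, and deletes nothing."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {860B6307-4821-4C62-9E89-52CAB385C61A} - C:\WINDOWS\system32\urqrp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [e40f1066] rundll32.exe "C:\WINDOWS\system32\urctyufw.dll",b
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray .exe
O4 - HKCU\..\Run: [Gakt] "C:\Program Files\Common Files\M?crosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# Assumed line shapes for the three HijackThis sections handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - (?P<kind>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
HEX_NAME_RE = re.compile(r"[0-9a-fA-F]{8}")  # e.g. e40f1066 (heuristic, my assumption)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)


@dataclass
class Finding:
    line: str
    reasons: list


def unrenderable(path: str) -> bool:
    """'?' cannot appear in a Windows filename, so a '?' inside a logged path
    means the tool could not encode the real character (a look-alike letter).
    Anything outside printable ASCII is treated the same way."""
    return "?" in path or any(ord(c) > 126 for c in path)


def triage(log_text: str):
    """Return a Finding for every O2/O4/O9 line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O2_RE.match(line):
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a display name")
            if m["path"].endswith("(file missing)"):
                reasons.append("orphaned CLSID: DLL already gone, registry entry remains")
            if unrenderable(m["path"]):
                reasons.append("path contains a character the log could not render")
        elif m := O4_RE.match(line):
            if HEX_NAME_RE.fullmatch(m["value"]):
                reasons.append("Run value named like a random hex string (heuristic)")
            if unrenderable(m["cmd"]):
                reasons.append("path contains '?' or non-ASCII: look-alike folder/file name")
            if (r := RUNDLL_RE.search(m["cmd"])) and len(r["export"]) == 1:
                reasons.append(f"rundll32 loads {r['dll']} via single-letter export '{r['export']}' (heuristic)")
        elif m := O9_RE.match(line):
            if m["path"].endswith("(file missing)"):
                reasons.append("orphaned IE extra button/menu item: target file missing")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

Run against the sample, it flags exactly the four lines tea asked to fix (the nameless urqrp.dll BHO, the e40f1066 rundll32 entry, the Gakt j?vaw.exe entry and the missing msmsgs.exe button) and leaves the Adobe, Google, Cox and Santa Cruz entries alone, including "tbctray .exe" with its odd space, which is why the rules stop at shortlisting and a person still makes the call.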

#9 workinonit (Topic Starter, Kansas)

Posted 22 January 2008 - 05:27 PM

Hello again.

Here is the new HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray .exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200936371823
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 4187 bytes

A little bit faster, I think. I still cannot get my Cox security to kick back on for me; do I need to reinstall it? I searched and searched and cannot find the files urctyufw.dll or m?crosoft.net or any files with j?vaw.exe. Could I be missing them? Could they be hidden some other way?

Thanks, teacup.

#10 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 22 January 2008 - 05:42 PM

Hello,

You're welcome. :thumbsup: They were already gone and I didn't realize it... you did fine. :blink: Now... how did you go about turning your Cox stuff off to begin with? You simply undid what you did and now it won't work? You may have to reinstall it, just because it might be quicker and less complicated.

#11 workinonit (Topic Starter, Kansas)

Posted 22 January 2008 - 05:54 PM

The Cox stuff was messed up with the virus; I never did turn it off. Just the firewall is all I played with. I am just going to uninstall and reinstall and get it over with. Thank you so much for your help. If there is a list of preferences you might have for firewalls or antispyware or anything else I should invest in, please let me know. I know you guys don't tell people what to "buy", but if you would personally rather use the Windows XP firewall over the Cox one, for instance, or the Apex (I think it is) over the Cox antivirus, you could just say your preference. I just would like to follow someone who obviously is way smarter at this than me. I am in awe; thank you.

#12 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 22 January 2008 - 07:53 PM

Hello,

You're most welcome. :blink:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I'll give you my prevention speech, completely intact. There is no need to pay an outrageous amount of money to keep yourself well protected. Everything I use on my system is free. :thumbsup: I use Comodo Firewall and Avast! AntiVirus.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad
It places over 5000 malicious websites and domains in your IE's Restricted sites zone.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you have any question, please let me know. Otherwise, take care!
tea

Edited by teacup61, 22 January 2008 - 07:54 PM.


#13 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 28 January 2008 - 08:12 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.