Trojan Generic 10 Infection Virtumonde Vundo


This topic is locked
15 replies to this topic

#1 bigdoll


Posted 04 May 2008 - 04:23 PM

Hi,

hope someone can help.

The internet was slow, I kept getting browser hijacks to buy some virus remover, some fake virus scanner kept popping up when not on the internet asking me to buy some virus scanner, and fake applications kept coming up on startup.

Ran AVG, Spybot, VCleaner, VundoFix & all said they had deleted the virus, but it keeps coming back after restart.

Some of the virus names we got from AVG & Spybot were:

Trojan Horse Generic 10,
virtumonde,
virtumonde.dll
vundo.n
virus found LOP

Once, the virus constantly tried to make registry changes every second (according to continuous pop-ups from Comodo Firewall), until I re-deleted the virus with the scanners.

Also, AVG keeps popping up with threats that we heal.

One of the threats was 'BHO.DPP'.

I have run 'DSS' & 'HijackThis' as per your site's advice & am now posting 1 of the HijackThis log files it created. I can't post the other one as there was no copy & paste function in the window to allow me to do this (it's a window integrated into the software & not a text file)... also, I couldn't run Kaspersky without the administrator password:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:50 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\vwgfawwd.dll (file missing)
O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\gebcdbyv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM1bd3ef1b] Rundll32.exe "C:\WINDOWS\system32\pvfwvhym.dll",s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: gebcdbyv - C:\WINDOWS\SYSTEM32\gebcdbyv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe

--
End of file - 7288 bytes


Is this enough info or will you need the other log? How would I copy & paste it?

Cheers for any help in advance,
BD.


#2 Thunder


Posted 05 May 2008 - 02:15 AM

Hello Bigdoll and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 bigdoll


Posted 05 May 2008 - 06:29 AM

Hello,

Thanks for your swift reply.

Okay, here is the log file for Malwarebytes' Anti-Malware (the HijackThis logfile is below it):

Malwarebytes' Anti-Malware 1.11
Database version: 717

Scan type: Quick Scan
Objects scanned: 32262
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\gebcdbyv.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6dc2d282-d414-435e-8a26-ff3c23ac36ef} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6dc2d282-d414-435e-8a26-ff3c23ac36ef} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcdbyv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6dc2d282-d414-435e-8a26-ff3c23ac36ef} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1bd3ef1b (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\gebcdbyv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



********************************************************************************

Downloaded ComboFix & dragged Windows Recovery into it; it seemed to install this & rebooted, but I am not able to run ComboFix.
I re-ran HijackThis & here is one of the 2 log files it produces (the other I'm not able to copy & paste):


********************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12, on 2008-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Software\screenprint\ScreenPrint32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ScreenPrint32] C:\Software\screenprint\ScreenPrint32.exe -startup
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe

--
End of file - 7373 bytes

#4 Thunder


Posted 05 May 2008 - 06:39 AM

Hello Bigdoll,

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please disable COMODO Firewall and anything that may interfere with running ComboFix,
and try once more. :thumbsup:

Greetings,
Thunder

#5 bigdoll


Posted 05 May 2008 - 12:08 PM

Hello Thunder,

& thanks again for another speedy response ;)

We tried what you said (stopping TeaTimer & Comodo) to run ComboFix & this time, as we tried to run it, ComboFix said:

"Some files could not be Created.

You need to have Administrative Priveleges to run ComboFix"

You see, although we bought the PC (off some guy on eBay) without the OS installed (& installed XP ourselves), the PC still came with an Administrator account, which is a bit annoying.

I managed to make my account an administrator account in User Accounts & rebooted & tried it again, but it still said the same thing.

:thumbsup:

#6 Thunder


Posted 06 May 2008 - 04:18 PM

No problem Bigdoll,

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:
O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • choose the second option Extended - protect your ....
    • Scan Options: select Scan Archives and Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply along with a new HijackThis log.
Greetings,
Thunder
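The fix list above and the first HijackThis log in this thread point at the same pattern: nameless O2 BHO entries, orphaned "(file missing)" or "(no file)" entries, and one DLL (gebcdbyv.dll) wired into both an O2 BHO and an O20 Winlogon Notify hook, which MBAM then identified as Trojan.Vundo. The following is an added triage script, not part of HijackThis, MBAM, ComboFix or this thread, that scores HijackThis-format lines on those signals so a helper can rank which entries to look at first. The sample lines are constructed from the entries posted above; the "eight random lowercase letters under system32" rule is my own assumption drawn from the names in these logs, not a documented rule, and because a legitimate DLL can match it, it contributes only one point.

```python
"""Triage HijackThis-format log lines for Vundo-style load-point abuse.

Added example for this thread; it is not part of HijackThis, MBAM or ComboFix.
"""
import re
from collections import defaultdict

# Constructed sample: entry lines in HijackThis v2 format, modelled on the first
# log posted in this thread (yt.dll and ssv.dll are the benign controls).
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\vwgfawwd.dll (file missing)
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\gebcdbyv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [BM1bd3ef1b] Rundll32.exe "C:\WINDOWS\system32\pvfwvhym.dll",s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: gebcdbyv - C:\WINDOWS\SYSTEM32\gebcdbyv.dll
"""

LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
DLL_RE = re.compile(r"([A-Za-z]:\\.*?\.dll)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumption drawn from the names in this thread's logs (gebcdbyv, pvfwvhym, ...):
# the dropped DLLs were eight random lowercase letters under system32. Legitimate
# DLLs can match this too, so it only contributes one point.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def parse_hjt(text):
    """Return (section, body, dll_path_or_None, clsid_or_None) per entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, running-process list, blanks
        body = m.group("body")
        dll = DLL_RE.search(body)
        clsid = CLSID_RE.search(body)
        entries.append((m.group("section"), body,
                        dll.group(1) if dll else None,
                        clsid.group(0) if clsid else None))
    return entries


def triage(text):
    """Score each DLL (or orphaned CLSID) referenced from a load point."""
    findings = defaultdict(lambda: {"score": 0, "reasons": set(), "lines": []})
    for section, body, dll, clsid in parse_hjt(text):
        key = (dll or clsid or "").lower()
        if not key:
            continue  # e.g. an O4 entry that launches an .exe, out of scope here
        f = findings[key]
        f["lines"].append(f"{section} - {body}")
        if section == "O2" and "(no name)" in body:
            f["score"] += 2
            f["reasons"].add("nameless BHO")
        if "(file missing)" in body or "(no file)" in body:
            f["score"] += 1
            f["reasons"].add("orphaned registry entry")
        stem = key.rsplit("\\", 1)[-1][:-4]
        if "\\system32\\" in key and RANDOM_STEM_RE.match(stem):
            f["score"] += 1
            f["reasons"].add("random 8-letter name in system32")
        if section == "O20":
            f["score"] += 2
            f["reasons"].add("Winlogon Notify hook")
        if section == "O4" and "rundll32" in body.lower():
            f["score"] += 2
            f["reasons"].add("Run key loads DLL via rundll32")
    # The same DLL wired into more than one load point (O2 + O20 for gebcdbyv.dll
    # in this thread) is the strongest single signal, so it is scored after grouping.
    for f in findings.values():
        if len({ln.split(" - ", 1)[0] for ln in f["lines"]}) > 1:
            f["score"] += 2
            f["reasons"].add("multiple load points")
    return dict(findings)


def suspicious(text, threshold=3):
    """Entries at or above the threshold, most suspicious first."""
    ranked = sorted(triage(text).items(), key=lambda kv: -kv[1]["score"])
    return [(k, f["score"], sorted(f["reasons"])) for k, f in ranked
            if f["score"] >= threshold]


if __name__ == "__main__":
    for key, score, reasons in suspicious(SAMPLE_LOG):
        print(f"{score:2d}  {key}\n      {', '.join(reasons)}")
```

Run against the constructed sample, gebcdbyv.dll ranks first (nameless BHO plus Winlogon Notify hook plus two load points), the orphaned vwgfawwd.dll second, and the rundll32-loaded pvfwvhym.dll third, while the Yahoo and Java helpers score zero. The score is a ranking aid for a human reviewer, not a verdict: an orphaned entry is just leftover registry data to tidy up, whereas a live DLL in two load points is what the MBAM log in this thread confirmed as the actual infection.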

#7 bigdoll


Posted 10 May 2008 - 09:44 AM

Hello again Thunder,

I ran HijackThis & tried to delete those entries, but they seemed to still be there when I re-ran the program.

I couldn't get online with Internet Explorer to do the Kaspersky scan as IE has mysteriously stopped working; it can't get a connection, whilst Firefox can.

I tried to do the scan with Firefox & couldn't. I tried to download IE 7 from Microsoft to see if it would fix the connection problem & couldn't. For some reason the download isn't getting onto the hard drive.

I'm wondering if it may be just easier for me to totally reinstall XP.

Is there any chance that the virus could still be there if I do this? Is it possible to save all my files (pics & stuff) to DVD before I do this?

I have heard that a virus can infect files saved to a DVD & then re-infect the PC when putting them back on after the re-install of the OS. Is this true?

Thanks again for your help,

;)

BD.

#8 Thunder


Posted 10 May 2008 - 06:06 PM

Hello Bigdoll,

Did you leave Spybot's TeaTimer disabled as you ran HijackThis?

Can you run DSS please?
A tutorial on its use is available here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ (item 6)

Post the log in your next reply please.

I have heard that a virus can infect files saved to a DVD & then re-infect the PC when putting them back on after the re-install of the OS. Is this true?

That is correct, and that's why we aim to get rid of the malware first. :thumbsup:

Greetings,
Thunder

#9 bigdoll


Posted 12 May 2008 - 07:19 AM

Hello again Thunder,

Thanks so much for your continued help & advice.

No, TeaTimer remains deactivated.

Right, with reference to the advice you gave about using Kaspersky prior to your last message: I managed to get IE to run by switching Comodo back on, but couldn't get Kaspersky to run as it said I needed administrator privileges.

So I ran DSS & got the following 2 log files:

Main:

Deckard's System Scanner v20071014.68
Run by jane on 2008-05-12 13:05:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
103: 2008-05-12 12:05:27 UTC - RP103 - Deckard's System Scanner Restore Point
102: 2008-05-11 15:00:55 UTC - RP102 - System Checkpoint
101: 2008-05-10 13:24:55 UTC - RP101 - System Checkpoint
100: 2008-05-05 10:57:06 UTC - RP100 - ComboFix created restore point
99: 2008-05-04 20:21:55 UTC - RP99 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-04-14 19:31:40 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jane.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05, on 2008-05-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jane\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jane.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6040 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080510-135853-125 O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
backup-20080510-135853-209 O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
backup-20080510-135853-303 O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
backup-20080510-135853-314 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
backup-20080510-135853-392 O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)
backup-20080510-135853-488 O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
backup-20080510-140035-214 O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)
backup-20080510-140035-337 O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
backup-20080510-140035-583 O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
backup-20080510-140035-589 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
backup-20080510-140035-597 O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
backup-20080510-140035-920 O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
backup-20080512-124326-564 O2 - BHO: (no name) - {AE7476BD-AB77-47C0-9059-83001CF78A9D} - C:\WINDOWS\system32\jkkhfcyv.dll (file missing)
backup-20080512-124326-658 O2 - BHO: (no name) - {BAA3C61F-81EC-4E82-B7E8-192C3A332BE1} - C:\WINDOWS\system32\nnnkhfgf.dll (file missing)
backup-20080512-124326-784 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
backup-20080512-124326-836 O2 - BHO: (no name) - {B9D6ABFD-FEAC-4D9A-A20A-E2319BC87DA3} - C:\WINDOWS\system32\wvuromnm.dll (file missing)
backup-20080512-124326-867 O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
backup-20080512-124326-925 O2 - BHO: (no name) - {E11C7E81-CA46-448D-95ED-88515037FB3A} - C:\WINDOWS\system32\awttsttq.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 catchme - c:\combofix\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-05 17:45:30 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-05 17:45:30 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-05 17:45:29 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-05 17:45:29 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-05 17:45:29 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-05 17:45:29 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-05 17:45:29 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-05 17:45:29 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-05 17:45:29 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-05 17:45:29 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-05 17:45:29 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-05 17:45:29 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-05 17:45:29 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-05 17:45:29 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-05 12:43:10 169 --a------ C:\Start_.cmd
2008-05-05 12:43:04 0 d-------- C:\327882R2FWJFW
2008-05-05 11:59:42 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-05 11:57:40 0 d-------- C:\cmdcons
2008-05-05 11:55:21 68096 --a------ C:\WINDOWS\zip.exe
2008-05-05 11:55:21 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-05 11:55:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-05 11:55:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-05 11:55:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-05 11:55:21 98816 --a------ C:\WINDOWS\sed.exe
2008-05-05 11:55:21 80412 --a------ C:\WINDOWS\grep.exe
2008-05-05 11:55:21 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-05 11:20:08 0 d-------- C:\Documents and Settings\jane\Application Data\Malwarebytes
2008-05-05 11:19:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 11:19:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 21:23:41 0 d-------- C:\Program Files\Trend Micro
2008-05-04 14:01:43 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-05-04 13:27:26 0 d-------- C:\summaries
2008-05-04 13:23:35 0 d-------- C:\Documents and Settings\jane\Application Data\Comodo
2008-05-04 13:23:33 0 d-------- C:\Program Files\COMODO
2008-04-20 17:54:47 0 d-------- C:\Program Files\Common Files\Java
2008-04-19 22:42:58 0 d-------- C:\VundoFix Backups
2008-04-19 21:37:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 20:26:40 0 dr-h----- C:\$VAULT$.AVG
2008-04-14 20:26:33 0 d-------- C:\WINDOWS\system32\bharebio05
2008-04-14 20:26:33 0 d-------- C:\Temp


-- Find3M Report ---------------------------------------------------------------

2008-05-12 12:57:51 0 d-------- C:\Documents and Settings\jane\Application Data\Yahoo!
2008-05-12 11:57:59 0 d-------- C:\Documents and Settings\jane\Application Data\AVG7
2008-04-20 17:55:49 0 d-------- C:\Program Files\Java
2008-04-20 17:54:47 0 d-------- C:\Program Files\Common Files
2008-04-17 17:11:54 0 d-------- C:\Documents and Settings\jane\Application Data\LimeWire
2008-04-05 23:33:34 668 --a------ C:\Documents and Settings\jane\Application Data\vso_ts_preview.xml
2008-04-05 23:33:34 0 d-------- C:\Documents and Settings\jane\Application Data\Vso
2008-03-31 23:54:05 0 d-------- C:\Program Files\Super Granny 4
2008-03-31 23:48:48 0 --a------ C:\Program Files\temp01
2008-03-31 23:48:46 0 d-------- C:\Program Files\bfgclient
2008-03-25 14:34:56 0 d-------- C:\Program Files\Picasa2
2008-03-25 12:59:17 0 d-------- C:\Program Files\Google
2008-03-25 11:00:44 0 d-------- C:\Program Files\DVD Shrink
2008-03-25 01:20:09 0 d-------- C:\Documents and Settings\jane\Application Data\Azureus
2008-03-24 18:39:14 0 d-------- C:\Documents and Settings\jane\Application Data\Ahead
2008-03-12 23:17:45 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-12 23:16:41 0 d-------- C:\Program Files\Nero
2008-02-18 11:33:05 34 --a------ C:\Documents and Settings\jane\Application Data\pcouffin.log
2008-02-18 11:33:00 47360 --a------ C:\Documents and Settings\jane\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-18 11:33:00 1144 --a------ C:\Documents and Settings\jane\Application Data\pcouffin.inf
2008-02-18 11:33:00 7887 --a------ C:\Documents and Settings\jane\Application Data\pcouffin.cat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-05-12 13:06:18 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® Dual CPU E2140 @ 1.60GHz
CPU 1: Intel® Pentium® Dual CPU E2140 @ 1.60GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 895.17 MiB / 600.85 MiB
Pagefile Memory (total/avail): 2169.64 MiB / 1944.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.72 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 111.38 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HDS721616PLA380 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: COMODO Firewall Pro v3.0 (COMODO)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Freeciv-2.1.3-gtk2\\civclient.exe"="C:\\Program Files\\Freeciv-2.1.3-gtk2\\civclient.exe:*:Enabled:civclient"
"C:\\Program Files\\Freeciv-2.1.3-gtk2\\civserver.exe"="C:\\Program Files\\Freeciv-2.1.3-gtk2\\civserver.exe:*:Enabled:civserver"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jane\Application Data
CLASSPATH=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JBROWN-A9DA49B4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jane
LOGONSERVER=\\JBROWN-A9DA49B4
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jane\LOCALS~1\Temp
TMP=C:\DOCUME~1\jane\LOCALS~1\Temp
USERDOMAIN=JBROWN-A9DA49B4
USERNAME=jane
USERPROFILE=C:\Documents and Settings\jane
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jane (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type1163 / Error
Event Submitted/Written: 05/10/2008 11:26:59 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.40413, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1109 / Error
Event Submitted/Written: 05/04/2008 09:57:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module dss.exe, version 3.2.8.1, fault address 0x0004d94d.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1108 / Error
Event Submitted/Written: 05/04/2008 09:51:51 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011f6c.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1107 / Error
Event Submitted/Written: 05/04/2008 09:24:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f2b.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1071 / Warning
Event Submitted/Written: 04/20/2008 05:17:23 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5977 / Error
Event Submitted/Written: 05/05/2008 05:52:14 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5976 / Error
Event Submitted/Written: 05/05/2008 05:46:35 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Avg7Core
Avg7RsW
Avg7RsXP
cmdGuard
cmdHlp
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Event Record #/Type5975 / Error
Event Submitted/Written: 05/05/2008 05:46:35 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type5974 / Error
Event Submitted/Written: 05/05/2008 05:46:35 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type5973 / Error
Event Submitted/Written: 05/05/2008 05:46:35 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-05-12 13:06:18 ------------



cheers Thunder,

;)

#10 Thunder (Location: Belgium)

Posted 15 May 2008 - 06:43 AM

Hello Bigdoll,

No apparent active malware left anymore. :thumbsup:

Cleaning up may prove to be tricky as long as Comodo is present,
so, if possible, I'd uninstall it temporarily through Control Panel > Software.

Then make the changes I suggested, using HijackThis,
reboot your system and check if they're gone with a fresh HijackThis log.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Greetings,
Thunder
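The two things Thunder reads off the log in #9 and #10 (dead BHO registrations that keep coming back, and an out-of-date JRE) can be checked mechanically. The script below is an added example for this thread, not a HijackThis or DSS feature and not code posted by either participant. SAMPLE_LOG is a constructed, abridged excerpt of the log in #9; the recommended update level 6u6 is taken from Thunder's post; all function names are this example's own.

```python
"""Added triage helper for a HijackThis / Deckard's System Scanner log.

Two checks that correspond to this thread:
  1. O2 (BHO) entries whose DLL no longer exists, cross-referenced with the
     "HijackThis Fixed Entries" backup list. A CLSID that has been fixed
     before and still shows up in the live scan is being re-created, or the
     fix is being reverted or blocked (in this thread: Comodo's pending files).
  2. Every JRE version referenced in the log (jre1.6.0_05 style paths),
     compared against the update level recommended in the thread (6u6).
"""
import re
from collections import Counter

# Constructed, abridged excerpt of the log posted in #9 (not the full file).
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080510-135853-209 O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
backup-20080510-140035-920 O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
backup-20080512-124326-867 O2 - BHO: (no name) - {42AC718E-2DF2-45D1-B3C1-73DA60F61E2B} - C:\WINDOWS\system32\pmnkhhgd.dll (file missing)
backup-20080510-135853-314 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - (no file)
-- Environment Variables -------------------------------------------------------
CLASSPATH=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"""

# 6u6 is the JRE update level recommended in #10 (assumption: treat anything
# older as out of date).
TARGET_JRE = (6, 0, 6)

# An O2 line, optionally prefixed by a "backup-YYYYMMDD-HHMMSS-NNN" tag in the
# Fixed Entries section.
BHO_RE = re.compile(
    r"^(?P<backup>backup-\d{8}-\d{6}-\d+\s+)?"
    r"O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
JRE_RE = re.compile(r"jre1\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)


def parse_bho_entries(log):
    """Yield (clsid, name, path, is_backup) for every O2 line in the log."""
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            yield m["clsid"].upper(), m["name"], m["path"], m["backup"] is not None


def missing_file(path):
    """HijackThis marks dead registrations as '(file missing)' or '(no file)'."""
    return path.endswith("(file missing)") or path == "(no file)"


def recurring_missing_bhos(log):
    """Return {clsid: times_fixed} for BHOs with no file on disk that are
    still in the live scan even though HijackThis has fixed them before."""
    live, fixed = {}, Counter()
    for clsid, _name, path, is_backup in parse_bho_entries(log):
        if is_backup:
            fixed[clsid] += 1
        elif missing_file(path):
            live[clsid] = path
    return {c: fixed[c] for c in live if fixed[c] > 0}


def jre_versions(log):
    """Sorted (major, minor, update) tuples for every jre1.x.y_zz path seen."""
    return sorted({tuple(int(x) for x in m.groups()) for m in JRE_RE.finditer(log)})


def outdated_jres(log, target=TARGET_JRE):
    """JRE versions referenced in the log that are older than the target."""
    return [v for v in jre_versions(log) if v < target]


def triage(log, target=TARGET_JRE):
    """Human-readable findings for both checks."""
    report = []
    for clsid, n in sorted(recurring_missing_bhos(log).items()):
        report.append(f"BHO {clsid}: no file on disk, fixed {n}x and still present "
                      f"(something re-registers it or the fix is being reverted)")
    for major, minor, upd in outdated_jres(log, target):
        report.append(f"JRE 1.{major}.{minor}_{upd:02d} referenced; "
                      f"below {target[0]}u{target[2]}, remove and update")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the posted log this flags both Vundo CLSIDs (the first one fixed three times across 10 and 12 May) and two JRE levels: 1.6.0_05 from the running processes and 1.6.0_03 still referenced by CLASSPATH, which is why the advice is to remove every older JRE entry in Add/Remove Programs before installing 6u6 rather than installing over the top.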

#11 bigdoll (Topic Starter)

Posted 19 May 2008 - 08:07 AM

Hello Thunder,

thanks again for your attention on this matter :thumbsup:

Yeh, it's definitely looking as if things are better, Spybot can't find any more viruses....HOWEVER,
every now & then AVG keeps coming up with virus threats & alerts which we have to 'heal',
some of which have been identified as the Trojan Generic 10...

Is this evidence that the source of the threat is still located on the PC or could these be external
threats from being online? Could they be coming from the vulnerabilities in Java that you mentioned
as we are browsing?

Also, before I implement any of the recent steps you have so kindly suggested (ie uninstalling Comodo to
clean up) I have a concern/question; Could it be possible that by uninstalling Comodo
I may reactivate Programs, Files, Registry change attempts or Whatever that it may have blocked (with
or without my authorization) that are harmful as well as those that we wish to unlock to complete a clean
up?

The 'My Quarantined Files' vault appears empty, but there are quite a few things in the 'My Pending Files'
vault. Could I accidentally do any harm by uninstalling Comodo & effectively removing the restriction on good
& possibly even bad files? Or are we sure (from the logs) that the threats are gone?

Or doesn't this matter if I can just re-run hijack this & remove them anyway, particularly if I'm doing all of this
offline?

Also; am I okay keeping AVG installed (since it has a virus vault too)?

Sorry if I'm being a bit over-cautious here ;)

Thanks again for all your help, especially since it's been all so complicated.

:)

bigdoll.

#12 Thunder (Location: Belgium)

Posted 19 May 2008 - 08:38 AM

Hello Bigdoll,

Yes, please keep AVG active and updated!!

Whenever it pops up a warning, make a note of the exact location where it finds a threat.
This may provide useful additional info.

Removing Comodo should not complicate anything,
and may very well enable you to run a Kaspersky scan as well, again providing more info.
In any case, since no harmful programs can be traced anymore,
there's nothing left to be reactivated.

You can, at any given time, empty the AVG virus vault manually. :thumbsup:

Updating the JavaVM is both a cleanup and a security measure.
It plugs up a few security holes, all in the interest of making your system safer.

Greetings,
Thunder

#13 bigdoll (Topic Starter)

Posted 25 May 2008 - 02:01 PM

Hello Thunder,

Heh, tried to remove Comodo to get rid of those entries with HijackThis & ran into a few probs.

Remove Programs couldn't remove it, using the 'uninstall' function with the software couldn't, I tried to
manually delete it from the Program Files folder & it couldn't, it wouldn't let me reinstall or uninstall it with
the original downloaded file.....SO, I went back into the Program Files folder, ran it from there, went into
the 'pending files' folder & removed them all to see if that was what was stopping HijackThis from deleting
these last bits of the virus & stopping IE running & GUESS WHAT...it was..it's finally allowed HijackThis
to get rid of those last bits!!!!!!

wahey...

anyway, just tried to do the Kaspersky scan & it still says I need 'administrative rights'...

since I can't get Comodo to uninstall & haven't had any threats pop up (from avg) over the last few days,
do you think I might be safe now? Or should I try some other means of getting Comodo to uninstall?

cheers,
big doll.

#14 Thunder (Location: Belgium)

Posted 25 May 2008 - 04:57 PM

Hello Bigdoll,

I do believe your system is clear again. :thumbsup:

Removing Comodo can be a hassle.
The best way to handle this is quite extensively described here:
http://forums.comodo.com/help_for_v3/compr...o-t17220.0.html

Greetings,
Thunder

#15 bigdoll (Topic Starter)

Posted 04 June 2008 - 03:53 PM

Aw Cheers Thunder,

I'm over the mooooooooooooooooon!!!!!!!!!!!

Thank you so much for your help, you've been so patient & thorough.

Much appreciated....in fact I'm going to go and make a donation.

Thanks again....

:thumbsup: :) :thumbsup: :thumbsup:


bigdoll (Jane).

xxx



