
Need Help Urgent ! Popups, IE Crashing, Automatic Updates Won't Turn On - Hijack This Log Included --- Arrrrh Need Help!


11 replies to this topic

#1 Aussie-with-xp-issue

Aussie-with-xp-issue

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 02 June 2008 - 07:33 AM

Hi, just wanted to see if someone can help me with my HIJACK THIS log. I'm getting popups all the time on my computer - I have scanned with VUNDO FIX and VIRTUMUNDOBEGONE and nothing has changed - the Microsoft forum suggests I have MALWARE but I can't get rid of it ... I NEED URGENT HELP - PLEASE ... IE also keeps crashing ... The problem started when Automatic Updates turned off mid last week - I have tried to restart it in "Services" but can not get it to start. The error I get when trying to turn it on is [ COULD NOT START THE AUTOMATIC UPDATE SERVICE ON LOCAL COMPUTER - ERROR 1058 - THE SERVICE CANNOT BE STARTED, EITHER BECAUSE IT IS DISABLED OR BECAUSE IT HAS NO ENABLED DEVICES ASSOCIATED WITH IT ] ... I have made sure the device is enabled in Services but it still will not start. From then on I have had [ USERINIT.EXE APPLICATION ERRORS ] and [ RUNDLL32.EXE APPLICATION ERRORS ] and I have to start explorer.exe in Task Manager.

My virus software is NORTON 360 ... My HIJACK THIS (version 2) log follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:53 PM, on 2/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\System32\svchost.exe
C:\HJT\HJTInstall.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mistaspunkypants.spaces.live.com//P...ad/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://mistaspunkypants.spaces.live.com/Ph...ad/MsnPUpld.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by111fd.bay111.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00B16E8.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 5773 bytes



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:08:33 AM

Posted 02 June 2008 - 11:57 PM

Hello Aussie-with-xp-issue and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Aussie-with-xp-issue

Aussie-with-xp-issue
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 03 June 2008 - 10:11 AM

Hi, Thanks for getting back to me. The OTScanIt log as requested.

Attached Files



#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:08:33 AM

Posted 03 June 2008 - 10:43 AM

Hi Aussie-with-xp-issue. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\bm43309148.xml
%systemroot%\system32\__c0047a84.dat
%systemroot%\system32\__c007a2e6.dat
%systemroot%\system32\__c009cb4e.dat
%systemroot%\system32\__c00b16e8.dat
%systemroot%\system32\__c00bb8fe.dat
%systemroot%\system32\__c00e5c1c.dat
%systemroot%\system32\__c00f032e.dat
%systemroot%\system32\aciehbry.dll
%systemroot%\system32\aklclxce.dll
%systemroot%\system32\atpsldxs.dll
%systemroot%\system32\bisevona.dll
%systemroot%\system32\ejihypgj.dll
%systemroot%\system32\hggvpooh.dll
%systemroot%\system32\hoopvggh.ini
%systemroot%\system32\hoopvggh.ini2
%systemroot%\system32\ipspovok.dll
%systemroot%\system32\jagepeyu.dll
%systemroot%\system32\kovopspi.ini
%systemroot%\system32\kufudimi
%systemroot%\system32\mgulnqug.dll
%systemroot%\system32\mppqrxyb.ini2
%systemroot%\system32\pujiyiho.dll
%systemroot%\system32\rsetgoau.dll
%systemroot%\system32\ssqoiyar.dll
%systemroot%\system32\yrbheica.ini
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%allusersprofile%\application data\old

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> hedekijuyu -> %SystemRoot%\system32\pujiyiho.dll [Rundll32.exe "C:\WINDOWS\system32\pujiyiho.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\__c009CB4E.dat -> %SystemRoot%\system32\__c009CB4E.dat
YY -> C:\WINDOWS\system32\bisevona.dll -> %SystemRoot%\system32\bisevona.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {7EEE5FE9-F811-4D28-B71D-DCBE51C6F0F6} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\jagepeyu.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {E6DFD82B-7C91-48C9-8993-4CF416421C94} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\hgGVpoOH.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\hgGVpoOH -> %SystemRoot%\system32\hgGVpoOH.dll
< BotCheck > -> 
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages
YY -> C:\WINDOWS\system32\bisevona.dll -> %SystemRoot%\system32\bisevona.dll
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe -> %ProgramFiles%\MSN Messenger\msncall.exe [C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\SetupWizard.exe -> D:\SetupWizard.exe [D:\SetupWizard.exe:*:Enabled:SetupWizard]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe -> %ProgramFiles%\MSN Messenger\msncall.exe [C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%SystemDir%\winsecurityxp\mswinup.exe -> %SystemDir%\winsecurityxp\mswinup.exe:*:Enabled:Internet Explorer
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\SetupWizard.exe -> D:\SetupWizard.exe [D:\SetupWizard.exe:*:Enabled:SetupWizard]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\RED ALERT 2\game.exe -> %ProgramFiles%\RED ALERT 2\game.exe [C:\Program Files\RED ALERT 2\game.exe:*:Enabled:Main executable for Red Alert 2]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Westwood\RA2\Ra2.exe -> %SystemDrive%\Westwood\RA2\Ra2.exe [C:\Westwood\RA2\Ra2.exe:*:Enabled:Red Alert 2]
[Files/Folders - Created Within 30 days]
NY -> aciehbry.dll -> %SystemRoot%\System32\aciehbry.dll
NY -> aklclxce.dll -> %SystemRoot%\System32\aklclxce.dll
NY -> atpsldxs.dll -> %SystemRoot%\System32\atpsldxs.dll
NY -> ejihypgj.dll -> %SystemRoot%\System32\ejihypgj.dll
NY -> hgGVpoOH.dll -> %SystemRoot%\System32\hgGVpoOH.dll
NY -> HOopVGgh.ini -> %SystemRoot%\System32\HOopVGgh.ini
NY -> HOopVGgh.ini2 -> %SystemRoot%\System32\HOopVGgh.ini2
NY -> ipspovok.dll -> %SystemRoot%\System32\ipspovok.dll
NY -> kovopspi.ini -> %SystemRoot%\System32\kovopspi.ini
NY -> kufudimi -> %SystemRoot%\System32\kufudimi
NY -> mgulnqug.dll -> %SystemRoot%\System32\mgulnqug.dll
NY -> mppqrXyb.ini2 -> %SystemRoot%\System32\mppqrXyb.ini2
NY -> rsetgoau.dll -> %SystemRoot%\System32\rsetgoau.dll
NY -> ssqOIyAR.dll -> %SystemRoot%\System32\ssqOIyAR.dll
NY -> yrbheica.ini -> %SystemRoot%\System32\yrbheica.ini
NY -> __c0047A84.dat -> %SystemRoot%\System32\__c0047A84.dat
NY -> __c007A2E6.dat -> %SystemRoot%\System32\__c007A2E6.dat
NY -> __c009CB4E.dat -> %SystemRoot%\System32\__c009CB4E.dat
NY -> __c00B16E8.dat -> %SystemRoot%\System32\__c00B16E8.dat
NY -> __c00BB8FE.dat -> %SystemRoot%\System32\__c00BB8FE.dat
NY -> __c00E5C1C.dat -> %SystemRoot%\System32\__c00E5C1C.dat
NY -> __c00F032E.dat -> %SystemRoot%\System32\__c00F032E.dat
NY -> BM43309148.xml -> %SystemRoot%\BM43309148.xml
[Files/Folders - Modified Within 30 days]
NY -> aciehbry.dll -> %SystemRoot%\System32\aciehbry.dll
NY -> aklclxce.dll -> %SystemRoot%\System32\aklclxce.dll
NY -> atpsldxs.dll -> %SystemRoot%\System32\atpsldxs.dll
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> ejihypgj.dll -> %SystemRoot%\System32\ejihypgj.dll
NY -> hgGVpoOH.dll -> %SystemRoot%\System32\hgGVpoOH.dll
NY -> HOopVGgh.ini -> %SystemRoot%\System32\HOopVGgh.ini
NY -> HOopVGgh.ini2 -> %SystemRoot%\System32\HOopVGgh.ini2
NY -> ipspovok.dll -> %SystemRoot%\System32\ipspovok.dll
NY -> kovopspi.ini -> %SystemRoot%\System32\kovopspi.ini
NY -> kufudimi -> %SystemRoot%\System32\kufudimi
NY -> mgulnqug.dll -> %SystemRoot%\System32\mgulnqug.dll
NY -> mppqrXyb.ini2 -> %SystemRoot%\System32\mppqrXyb.ini2
NY -> rsetgoau.dll -> %SystemRoot%\System32\rsetgoau.dll
NY -> ssqOIyAR.dll -> %SystemRoot%\System32\ssqOIyAR.dll
NY -> yrbheica.ini -> %SystemRoot%\System32\yrbheica.ini
NY -> __c0047A84.dat -> %SystemRoot%\System32\__c0047A84.dat
NY -> __c007A2E6.dat -> %SystemRoot%\System32\__c007A2E6.dat
NY -> __c009CB4E.dat -> %SystemRoot%\System32\__c009CB4E.dat
NY -> __c00B16E8.dat -> %SystemRoot%\System32\__c00B16E8.dat
NY -> __c00BB8FE.dat -> %SystemRoot%\System32\__c00BB8FE.dat
NY -> __c00E5C1C.dat -> %SystemRoot%\System32\__c00E5C1C.dat
NY -> __c00F032E.dat -> %SystemRoot%\System32\__c00F032E.dat
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> BM43309148.xml -> %SystemRoot%\BM43309148.xml
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> old -> %AllUsersProfile%\Application Data\old
[Extra Files]
%SystemDir%\winsecurityxp\
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work, then try an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan" select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here by copy/pasting them into the reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in the reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
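
The fix above removes entries from the LSA "Authentication Packages" and "Notification Packages" lists (REG_MULTI_SZ values that LSA loads at logon) and from AppInit_DLLs, and the fix log the user posts next shows that the Authentication Packages value could not simply be deleted. The Python script below is an added example, not code from the thread, OTScanIt or The Avenger. It compares those three values against a clean Windows XP baseline (msv1_0 for Authentication Packages, scecli for Notification Packages, an empty AppInit_DLLs; these defaults are my assumption about a stock XP install) and computes the list that should be written back, keeping the baseline entries rather than deleting the whole value. The input is a constructed `reg query` export carrying the values shown in the fix.

```python
"""Compare LSA package lists and AppInit_DLLs against a clean Windows XP baseline.

Added example, not code from the thread, OTScanIt or The Avenger. It reads the
text that `reg query` prints, so it runs offline on a saved export; the sample
below is constructed from the values shown in the fix above.
"""
import re

# Assumed clean-XP defaults (my baseline, not from the thread). Authentication
# Packages lists module names without extension, resolved from system32, which
# is why the fix shows "hgGVpoOH" with no .dll there.
BASELINE = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
    "appinit_dlls": set(),          # empty on a clean install
}

MULTI_SZ_SEP = "\\0"                # reg.exe prints REG_MULTI_SZ entries joined by \0

# Constructed `reg query` output carrying the values the fix above removes.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0\0C:\WINDOWS\system32\hgGVpoOH
    Notification Packages    REG_MULTI_SZ    scecli\0C:\WINDOWS\system32\bisevona.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\__c009CB4E.dat C:\WINDOWS\system32\bisevona.dll
"""

# One value line: indented name, type and optional data, separated by 2+ spaces.
VALUE_RE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)(?:\s{2,}(?P<data>.*))?\s*$")


def _module_id(entry: str) -> str:
    """Basename without extension, lower-cased, so a full path to scecli.dll equals 'scecli'."""
    name = entry.rsplit("\\", 1)[-1]
    return re.sub(r"\.(dll|dat|exe)$", "", name, flags=re.IGNORECASE).lower()


def parse_reg_query(text: str) -> dict[str, list[str]]:
    """Map lower-cased value name -> list of entries, splitting multi-string values."""
    values: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue                      # key headers and blank lines
        name = m.group("name").strip().lower()
        data = (m.group("data") or "").strip()
        if m.group("type") == "REG_MULTI_SZ":
            entries = [e for e in data.split(MULTI_SZ_SEP) if e]
        else:                             # AppInit_DLLs is REG_SZ, space or comma separated
            entries = [e for e in re.split(r"[ ,]+", data) if e]
        values[name] = entries
    return values


def audit(values: dict[str, list[str]]) -> dict[str, dict[str, list[str]]]:
    """For each baselined value: the entries to investigate and the list to write back.

    The write-back list keeps the baseline entries in their original order.
    Deleting the whole Authentication Packages value instead of rewriting it
    would also drop msv1_0, and with it the ability to log on.
    """
    report = {}
    for name, allowed in BASELINE.items():
        entries = values.get(name, [])
        report[name] = {
            "unexpected": [e for e in entries if _module_id(e) not in allowed],
            "cleaned": [e for e in entries if _module_id(e) in allowed],
        }
    return report


if __name__ == "__main__":
    for name, r in audit(parse_reg_query(SAMPLE_REG_QUERY)).items():
        print(f"{name}: investigate={r['unexpected']} write back={r['cleaned']}")
```

On a live machine the input would come from `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs` saved to a file; the script never touches the registry itself, it only tells you what to investigate and what the value should contain afterwards.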


#5 Aussie-with-xp-issue

Aussie-with-xp-issue
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 04 June 2008 - 10:35 AM

Hi OT
OK here we go... Before I started the AVENGER SCAN I had an error box that said: RUNDLL Error loading C:\Windows\system32pujiyiho.dll - The specified module could not be found. F-SECURE ONLINE SCANNER crashed IE just before it finished and I couldn't get a scan result; I did notice it found 2 viruses before it crashed. Ran Kaspersky instead, but Kaspersky looked like it scanned better.
After all the instructions, however, all popups have stopped happening when I use IE, the USERINIT.EXE APPLICATION ERROR and RUNDLL32.EXE APPLICATION ERROR didn't come up on the screen on start up and when I try to access "Control Panel", and I was able to go into "services.msc" and start "Automatic Updates", and now Automatic Updates are turned on. :thumbsup:

_____________________________________________

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\bm43309148.xml" deleted successfully.
File "C:\WINDOWS\system32\__c0047a84.dat" deleted successfully.
File "C:\WINDOWS\system32\__c007a2e6.dat" deleted successfully.
File "C:\WINDOWS\system32\__c009cb4e.dat" deleted successfully.
File "C:\WINDOWS\system32\__c00b16e8.dat" deleted successfully.
File "C:\WINDOWS\system32\__c00bb8fe.dat" deleted successfully.
File "C:\WINDOWS\system32\__c00e5c1c.dat" deleted successfully.
File "C:\WINDOWS\system32\__c00f032e.dat" deleted successfully.
File "C:\WINDOWS\system32\aciehbry.dll" deleted successfully.
File "C:\WINDOWS\system32\aklclxce.dll" deleted successfully.
File "C:\WINDOWS\system32\atpsldxs.dll" deleted successfully.
File "C:\WINDOWS\system32\bisevona.dll" deleted successfully.
File "C:\WINDOWS\system32\ejihypgj.dll" deleted successfully.
File "C:\WINDOWS\system32\hggvpooh.dll" deleted successfully.
File "C:\WINDOWS\system32\hoopvggh.ini" deleted successfully.
File "C:\WINDOWS\system32\hoopvggh.ini2" deleted successfully.
File "C:\WINDOWS\system32\ipspovok.dll" deleted successfully.
File "C:\WINDOWS\system32\jagepeyu.dll" deleted successfully.
File "C:\WINDOWS\system32\kovopspi.ini" deleted successfully.
File "C:\WINDOWS\system32\kufudimi" deleted successfully.
File "C:\WINDOWS\system32\mgulnqug.dll" deleted successfully.
File "C:\WINDOWS\system32\mppqrxyb.ini2" deleted successfully.
File "C:\WINDOWS\system32\pujiyiho.dll" deleted successfully.
File "C:\WINDOWS\system32\rsetgoau.dll" deleted successfully.
File "C:\WINDOWS\system32\ssqoiyar.dll" deleted successfully.
File "C:\WINDOWS\system32\yrbheica.ini" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\Documents and Settings\All Users\application data\old" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

______________________________________________________________


Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hedekijuyu deleted successfully.
File C:\WINDOWS\system32\pujiyiho.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\__c009CB4E.dat deleted successfully.
File C:\WINDOWS\system32\__c009CB4E.dat not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\bisevona.dll deleted successfully.
File C:\WINDOWS\system32\bisevona.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EEE5FE9-F811-4D28-B71D-DCBE51C6F0F6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EEE5FE9-F811-4D28-B71D-DCBE51C6F0F6}\ deleted successfully.
File C:\WINDOWS\system32\jagepeyu.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6DFD82B-7C91-48C9-8993-4CF416421C94}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6DFD82B-7C91-48C9-8993-4CF416421C94}\ not found.
File C:\WINDOWS\system32\hgGVpoOH.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\hgGVpoOH .
File C:\WINDOWS\system32\hgGVpoOH.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages:C:\WINDOWS\system32\bisevona.dll deleted successfully.
File C:\WINDOWS\system32\bisevona.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\SetupWizard.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%SystemDir%\winsecurityxp\mswinup.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\SetupWizard.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\RED ALERT 2\game.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Westwood\RA2\Ra2.exe deleted successfully.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\aciehbry.dll not found!
File C:\WINDOWS\System32\aklclxce.dll not found!
File C:\WINDOWS\System32\atpsldxs.dll not found!
File C:\WINDOWS\System32\ejihypgj.dll not found!
File C:\WINDOWS\System32\hgGVpoOH.dll not found!
File C:\WINDOWS\System32\HOopVGgh.ini not found!
File C:\WINDOWS\System32\HOopVGgh.ini2 not found!
File C:\WINDOWS\System32\ipspovok.dll not found!
File C:\WINDOWS\System32\kovopspi.ini not found!
File C:\WINDOWS\System32\kufudimi not found!
File C:\WINDOWS\System32\mgulnqug.dll not found!
File C:\WINDOWS\System32\mppqrXyb.ini2 not found!
File C:\WINDOWS\System32\rsetgoau.dll not found!
File C:\WINDOWS\System32\ssqOIyAR.dll not found!
File C:\WINDOWS\System32\yrbheica.ini not found!
File C:\WINDOWS\System32\__c0047A84.dat not found!
File C:\WINDOWS\System32\__c007A2E6.dat not found!
File C:\WINDOWS\System32\__c009CB4E.dat not found!
File C:\WINDOWS\System32\__c00B16E8.dat not found!
File C:\WINDOWS\System32\__c00BB8FE.dat not found!
File C:\WINDOWS\System32\__c00E5C1C.dat not found!
File C:\WINDOWS\System32\__c00F032E.dat not found!
File C:\WINDOWS\BM43309148.xml not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\aciehbry.dll not found!
File C:\WINDOWS\System32\aklclxce.dll not found!
File C:\WINDOWS\System32\atpsldxs.dll not found!
File C:\WINDOWS\System32\ejihypgj.dll not found!
File C:\WINDOWS\System32\hgGVpoOH.dll not found!
File C:\WINDOWS\System32\HOopVGgh.ini not found!
File C:\WINDOWS\System32\HOopVGgh.ini2 not found!
File C:\WINDOWS\System32\ipspovok.dll not found!
File C:\WINDOWS\System32\kovopspi.ini not found!
File C:\WINDOWS\System32\kufudimi not found!
File C:\WINDOWS\System32\mgulnqug.dll not found!
File C:\WINDOWS\System32\mppqrXyb.ini2 not found!
File C:\WINDOWS\System32\rsetgoau.dll not found!
File C:\WINDOWS\System32\ssqOIyAR.dll not found!
File C:\WINDOWS\System32\yrbheica.ini not found!
File C:\WINDOWS\System32\__c0047A84.dat not found!
File C:\WINDOWS\System32\__c007A2E6.dat not found!
File C:\WINDOWS\System32\__c009CB4E.dat not found!
File C:\WINDOWS\System32\__c00B16E8.dat not found!
File C:\WINDOWS\System32\__c00BB8FE.dat not found!
File C:\WINDOWS\System32\__c00E5C1C.dat not found!
File C:\WINDOWS\System32\__c00F032E.dat not found!
File C:\WINDOWS\BM43309148.xml not found!
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\All Users\Application Data\old not found!
[Extra Files]
< %SystemDir%\winsecurityxp\ >
Invalid Environment Variable: SystemDir
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETD0DC.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6d4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.10 fix logfile created on 06042008_194715

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\JETD0DC.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_6d4.dat not found!


___________________________________________________________


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 05, 2008 12:44:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 828742
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 78276
Number of viruses found: 4
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:23:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.POOTY.000\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator.POOTY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Backup\bustate.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Backup\bustate.index Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{76AF62EE-0721-4992-92A2-3CE5387E8E99}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{DDAA3F5C-4F74-4A1E-9384-C5D1535212FD}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-04_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{1FDB502B-E13A-4F45-9F34-CB95E662BE31}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{1FDB502B-E13A-4F45-9F34-CB95E662BE31}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2AA887B8.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6558937E.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp(2)\3BB0A4AB.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Download programs.exe Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\perf.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\freeripmp3.exe/file27 Infected: not-a-virus:AdTool.Win32.MyWebSearch.br skipped
C:\Program Files\freeripmp3.exe Inno: infected - 1 skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\HomeNetworking.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\RegClean.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001132.dll Object is locked skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001133.dll Object is locked skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001134.dll Object is locked skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001137.dll Object is locked skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001144.dll Object is locked skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\A0001145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\System Volume Information\_restore{3CD15621-C7C1-4789-B47A-1BF99C4F205B}\RP0\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\daas.log Object is locked skipped
C:\WINDOWS\IE4 Error Log.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET7ED4.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

_____________________________________________________________________

Attached Files



#6 OldTimer
Malware Expert

Posted 04 June 2008 - 12:10 PM

Hi Aussie-with-xp-issue. That all looks pretty good. Just one leftover straggler to take care of:

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Processes - Non-Microsoft Only]
YN -> fssm32.exe -> %UserProfile%\Local Settings\Temp\OnlineScanner\Anti-Virus\fssm32.exe
[Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {8F33C424-D807-41C5-A6BF-2C1E3DD0597D} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\hgGVpoOH.dll [Reg Error: Value  does not exist or could not be read.]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished.

There was one entry that the log shows was unable to be removed. I want to check that to see if it is still there or is gone so let's run a short scan.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the None button on the toolbar.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
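A defender's way to verify that the two stragglers in this thread (the LSA package value the fix log could not delete, and the BHO entry pointing at a DLL that no longer exists) are really gone, as an added PowerShell example that is not OldTimer's tool or the OTScanIt fix. It reads the LSA Authentication/Notification Packages lists and the Browser Helper Objects key and reports anything outside an assumed stand-alone-client baseline (msv1_0, scecli) or pointing at a file that is not on disk; the baseline and a single 32-bit registry view are assumptions.

```powershell
# Added example, not part of OldTimer's fix or the OTScanIt tool.
# Audits the two persistence points the fix log above could not fully clear:
# the LSA package lists (DLLs loaded into lsass.exe at boot) and the BHO key
# (DLLs loaded into every Internet Explorer process). Nothing is deleted;
# findings are listed for review. Run from an Administrator PowerShell prompt.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$system32 = Join-Path $env:SystemRoot 'system32'

# Assumed defaults for a stand-alone client (domain controllers carry extra packages).
$baseline = @{
    'Authentication Packages' = @('msv1_0')
    'Notification Packages'   = @('scecli')
}

# LSA stores bare module names or paths without ".dll"; resolve them the way the
# loader does (relative to system32) and check whether the file still exists.
function Resolve-LsaModule {
    param([string]$Entry)
    $candidate = $Entry
    if (-not [System.IO.Path]::IsPathRooted($candidate)) {
        $candidate = Join-Path $system32 $candidate
    }
    if (-not $candidate.ToLower().EndsWith('.dll')) { $candidate += '.dll' }
    [pscustomobject]@{ Path = $candidate; OnDisk = (Test-Path -LiteralPath $candidate) }
}

$findings = @()

# 1. LSA Authentication / Notification Packages (REG_MULTI_SZ, one entry per line).
$lsa = Get-ItemProperty -LiteralPath $lsaKey
foreach ($valueName in $baseline.Keys) {
    foreach ($entry in @($lsa.$valueName)) {
        if ([string]::IsNullOrEmpty($entry)) { continue }
        if ($baseline[$valueName] -contains $entry) { continue }
        $mod  = Resolve-LsaModule -Entry $entry
        $note = if ($mod.OnDisk) { 'non-baseline package, file present' } else { 'dangling entry, file already removed' }
        $findings += [pscustomobject]@{
            Location = "Lsa\$valueName"; Entry = $entry; File = $mod.Path; OnDisk = $mod.OnDisk; Note = $note
        }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID whose DLL is named under
#    HKCR\CLSID\<clsid>\InprocServer32. A BHO whose CLSID or DLL is missing is
#    exactly the kind of leftover the OTScanIt log reported.
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)
        $note = if (-not $dll) { 'BHO registered but CLSID has no InprocServer32' }
                elseif (-not $onDisk) { 'BHO points at a DLL that is not on disk' }
                else { 'BHO present; confirm the DLL is a known product' }
        $findings += [pscustomobject]@{
            Location = 'Browser Helper Objects'; Entry = $clsid; File = $dll; OnDisk = $onDisk; Note = $note
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No non-baseline LSA packages and no Browser Helper Objects registered.'
} else {
    $findings | Format-Table -AutoSize
}
```

A dangling LSA entry is still worth removing even though its DLL is gone: if a file with that name ever reappears in system32 it is loaded into lsass.exe at the next boot.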

#7 Aussie-with-xp-issue

Aussie-with-xp-issue
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:33 PM

Posted 05 June 2008 - 08:33 AM

Hi OT
Here is the scan :thumbsup:

Attached Files



#8 OldTimer
Malware Expert

Posted 05 June 2008 - 09:59 AM

Hi Aussie-with-xp-issue. Everything looks good. Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT

#9 Aussie-with-xp-issue
Topic Starter

Posted 05 June 2008 - 11:40 PM

Hey OT

I've had nothing unusual so far. Thanks heaps for doing all of this, you're definitely a Legend!!
...the inner workings of computers are intense. I'm glad I'm going away camping this weekend :)

I have a couple of questions. Now that Automatic Updates is back on, can I download the SERVICE PACK 3 UPDATE?

Do you have an idea where I could have gotten these viruses, and did they affect any of my files like photos, videos, documents?
And how can they get onto my system if I'm running NORTON 360 that is fully up to date with virus definitions?

Also, I have set a system restore point dated 5th June 2008 aptly named: "Fixed by OT" :thumbsup:


Donovan (Aussie-with-xp-issue)

#10 OldTimer
Malware Expert

Posted 06 June 2008 - 10:17 AM

Hi Aussie-with-xp-issue. Glad to hear things are running well. Most of these types of infections come from files or programs downloaded from file-sharing applications like torrents or limewire. I notice that both are installed on this machine. It doesn't matter what antivirus/antispyware defenses are installed, these infections easily bypass them and boom, the system is infected.

Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt
    • Click the CleanUp button
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers and Happy Computing!

OT

#11 Aussie-with-xp-issue
Topic Starter

Posted 15 June 2008 - 05:09 AM

Hey again OT - hope you're well :thumbsup:

My computer is working very well since you helped me. I just have one tiny thing that keeps happening whenever I shut down the computer. I get a box saying END PROGRAM - ccSvcHst and it does not close properly, and I have to click End Program because the program won't respond. Then I'm able to shut down the system normally...

Do you know why this might be happening each time, and how can I stop it from doing this?

Thanks - Donovan

#12 OldTimer
Malware Expert

Posted 15 June 2008 - 08:54 AM

Hi Aussie-with-xp-issue. ccSvcHst is part of Symantec. It could be that the infection damaged or removed something involving that. My suggestion would be to uninstall and reinstall any Symantec products or contact Symantec themselves (but that is probably what they would tell you to do also lol).

Cheers.

OT