
Nasty! Vundo Virus Cannot Be Removed...


  • This topic is locked
2 replies to this topic

#1 blahblah1212

  • Members
  • 1 posts

Posted 17 June 2008 - 05:54 PM

OK, so my cousin gave me her Dell Inspiron 1501 running Windows XP SP3, AMD Sempron 3500+, 1.79 GHz, 448 MB of RAM. Had the nasty Vundo virus, removed most of it with Spyware Doctor, although VundoFix never picked up on it before that. I am no longer receiving the constant pop-ups, but I am constantly receiving notifications from AVG Free Anti-Virus that Vundo and its various forms are being found on the computer; nonetheless it does not succeed in removing it. I would not be surprised if there is other crap on this machine. Thanks in advance to all people who are smarter than me and can help out!

Deckard's System Scanner v20071014.68
Run by Hayel on 2008-06-17 15:39:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
49: 2008-06-17 19:39:24 UTC - RP204 - Deckard's System Scanner Restore Point
48: 2008-06-17 04:17:22 UTC - RP203 - System Checkpoint
47: 2008-06-16 01:57:53 UTC - RP202 - Software Distribution Service 3.0
46: 2008-06-14 20:37:54 UTC - RP201 - Installed ATI Catalyst Control Center
45: 2008-06-14 20:37:45 UTC - RP200 - Removed ATI Catalyst Control Center


-- First Restore Point --
1: 2008-05-28 21:28:50 UTC - RP156 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 446 MiB (512 MiB recommended).


-- HijackThis (run as Hayel.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:15 PM, on 6/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Hayel\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hayel.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&.....amp;ibd=0070119
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&.....amp;ibd=0070119
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8E7F8492-4CEC-4AEF-9B4B-E13061268F9A} - (no file)
O2 - BHO: {86e869d2-a8dd-a7a9-9c84-1e8428ff72ab} - {ba27ff82-48e1-48c9-9a7a-dd8a2d968e68} - (no file)
O2 - BHO: (no name) - {CFF575DA-4040-4B39-A990-908C065F617C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c007DAEA - C:\WINDOWS\system32\__c007DAEA.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5523 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>

S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>
S3 usbbus (LGE CDMA Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys (file missing)
S3 UsbDiag (LGE CDMA USB Serial Port) - c:\windows\system32\drivers\lgusbdiag.sys (file missing)
S3 USBModem (LGE CDMA USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>

S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>
S4 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 15:41:30 0 d-------- C:\Program Files\Trend Micro
2008-06-15 23:21:25 0 d-------- C:\Program Files\Spyware Doctor
2008-06-15 23:21:25 0 d-------- C:\Documents and Settings\Hayel\Application Data\PC Tools
2008-06-15 22:59:54 0 d-------- C:\Documents and Settings\Hayel\Application Data\WinRAR
2008-06-15 22:03:15 0 dr-h----- C:\Documents and Settings\Hayel\Recent
2008-06-14 16:08:59 33664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
2008-06-14 16:08:55 86016 --a------ C:\WINDOWS\system32\preflib.dll
2008-06-14 16:08:55 253952 --a------ C:\WINDOWS\system32\bcmwlu00.exe <Not Verified; Dell Inc.; Dell Wireless WLAN Card Uninstaller>
2008-06-14 16:08:54 69632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
2008-06-14 16:08:53 1392640 --a------ C:\WINDOWS\system32\WLTRAY.EXE <Not Verified; Dell Inc.; Dell Wireless WLAN Card Wireless Network Tray Applet>
2008-06-14 16:08:53 1253376 --a------ C:\WINDOWS\system32\BCMWLTRY.EXE <Not Verified; Dell Inc.; Dell Wireless WLAN Card Wireless Network Controller>
2008-06-14 15:40:46 0 d-------- C:\WINDOWS\Prefetch
2008-06-14 15:25:15 0 d-------- C:\WINDOWS\system32\scripting
2008-06-14 15:25:14 0 d-------- C:\WINDOWS\l2schemas
2008-06-14 15:25:13 0 d-------- C:\WINDOWS\system32\en
2008-06-14 15:25:12 0 d-------- C:\WINDOWS\system32\bits
2008-06-14 15:20:47 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-14 15:17:21 0 d-------- C:\WINDOWS\network diagnostic
2008-06-14 15:12:17 0 d-------- C:\WINDOWS\EHome
2008-06-14 14:10:36 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-14 14:10:36 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-14 14:10:36 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-14 14:10:36 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-14 14:10:36 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-14 14:10:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-14 14:10:36 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-14 14:10:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-06-14 14:10:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-14 14:10:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-14 14:10:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-14 14:10:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-14 14:10:35 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-14 14:10:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-14 14:10:35 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-14 14:10:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-14 14:10:35 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-14 14:10:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-13 22:57:16 0 d-------- C:\VundoFix Backups
2008-06-13 22:21:45 0 d-------- C:\Program Files\Lavasoft
2008-06-13 22:21:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-13 22:21:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 00:42:11 148 --a------ C:\xcrashdump.dat
2008-06-07 23:00:50 0 d-------- C:\Program Files\TheSpyBot
2008-06-05 14:09:51 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-05 14:09:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-05 11:15:52 78623 --ahs---- C:\WINDOWS\system32\NTDfLUvw.ini2
2008-06-05 11:08:05 0 d--h----- C:\$AVG8.VAULT$
2008-06-05 10:56:19 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-05 10:55:48 0 d-------- C:\Program Files\AVG
2008-06-05 10:55:47 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-02 22:27:51 2172 --ahs---- C:\WINDOWS\system32\EhRYcfii.ini2
2008-06-02 18:42:09 25088 --a------ C:\WINDOWS\system32\__c00795E.dat
2008-06-01 23:05:02 1576 --ahs---- C:\WINDOWS\system32\NnoWFfhk.ini2
2008-05-29 17:23:41 0 d-------- C:\Program Files\LiveAntispy
2008-05-29 17:23:33 1219436 --a------ C:\Documents and Settings\Shirin Shaban\Application Data\Install.dat
2008-05-28 17:28:39 2289 --ahs---- C:\WINDOWS\system32\FfhRsBeg.ini2
2008-05-28 17:23:08 37888 --a------ C:\WINDOWS\system32\~.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-14 16:28:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-14 16:28:44 0 d-------- C:\Program Files\ATI Technologies
2008-06-14 15:25:50 0 d-------- C:\Program Files\Messenger
2008-06-14 15:25:12 0 d-------- C:\Program Files\Movie Maker
2008-06-14 15:20:26 0 d-------- C:\Program Files\Windows NT
2008-06-14 13:27:55 0 d-------- C:\Program Files\Common Files
2008-06-13 2351 0 d-------- C:\Program Files\Java
2008-06-13 22:17:15 0 d-------- C:\Program Files\Real
2008-06-08 14:04:38 0 d-------- C:\Documents and Settings\Hayel\Application Data\AdobeUM
2008-04-22 17:52:24 0 d-------- C:\Documents and Settings\Hayel\Application Data\Auslogics
2008-04-22 17:52:15 0 d-------- C:\Program Files\Auslogics


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E7F8492-4CEC-4AEF-9B4B-E13061268F9A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba27ff82-48e1-48c9-9a7a-dd8a2d968e68}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFF575DA-4040-4B39-A990-908C065F617C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/05/2008 10:55 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [11/01/2006 08:48 PM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 10:22 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/15/2008 11:23 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"Wallpaper"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=0 (0x0)
"NoActiveDesktop"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007DAEA]
C:\WINDOWS\system32\__c007DAEA.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvULfDTN

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc1f8dcc]
rundll32.exe "C:\WINDOWS\system32\uclvttfw.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheSpyBot]
C:\Program Files\TheSpyBot\TheSpyBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"QBFCService"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80aafe9f-0586-11dc-9e90-0019b94d0081}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9b871a-afb9-11db-9df6-00038a000015}]
AutoRun\command- E:\Installer.exe




-- End of Deckard's System Scanner: finished at 2008-06-17 15:46:54 ------------
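As an added example, not part of the original post and not code from HijackThis, DSS or any other tool named in this thread, here is a small Python triage script that runs over excerpts copied from the log above and flags the entries a helper would pick out as Vundo-style persistence: the Winlogon Notify handler pointing at a .dat file, the extra LSA authentication package, the hidden random-named .ini2 files in system32, the rundll32 startup entry with a one-letter entry point, and the startup executable sitting directly in C:\Windows. The heuristics are my assumptions (the 8-letter mixed-case name test, the reversed-name correlation between wvULfDTN and NTDfLUvw.ini2, the small allowlist of executables that belong in %WINDIR%), so every hit is something to confirm on the machine, not a verdict.

```python
"""Heuristic triage of a HijackThis / Deckard's System Scanner log for the
Vundo-style persistence the thread above is dealing with.  These are
indicators to confirm on the live machine, not signatures.

LOG is a set of excerpts copied from the log posted above."""
import re
from pathlib import PureWindowsPath

LOG = r"""
O2 - BHO: (no name) - {8E7F8492-4CEC-4AEF-9B4B-E13061268F9A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c007DAEA - C:\WINDOWS\system32\__c007DAEA.dat (file missing)
2008-06-05 11:15:52 78623 --ahs---- C:\WINDOWS\system32\NTDfLUvw.ini2
2008-06-02 18:42:09 25088 --a------ C:\WINDOWS\system32\__c00795E.dat
2008-06-14 16:08:55 86016 --a------ C:\WINDOWS\system32\preflib.dll
2008-05-28 17:23:08 37888 --a------ C:\WINDOWS\system32\~.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvULfDTN
rundll32.exe "C:\WINDOWS\system32\uclvttfw.dll",b
C:\Windows\xpupdate.exe
"""

SYSTEM32 = "c:\\windows\\system32"
# Executables that legitimately live directly in %WINDIR% on XP (assumed allowlist, not exhaustive).
WINDIR_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
               "winhlp32.exe", "taskman.exe", "twunk_16.exe", "twunk_32.exe"}
FILE_LINE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(\S{9})\s+(.+)$")
RUNDLL = re.compile(r'rundll32\.exe\s+"?([^",]+)"?\s*,\s*(\w+)\s*$', re.I)
WINDIR_EXE = re.compile(r'"?[A-Za-z]:\\windows\\([^\\\s"]+\.exe)"?.*', re.I)


def looks_random(stem):
    """Eight letters with a lower->upper case change inside, e.g. NTDfLUvw.
    Real 8-letter system DLLs (browseui, inetcomm) are all lower case."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", stem)) and bool(re.search(r"[a-z][A-Z]", stem))


def find_indicators(log_text):
    """Return a list of (reason, offending line) pairs."""
    hits = []
    random_files = {}   # lower-case stem -> line, for the reversed-name correlation
    lsa_extra = []      # LSA authentication packages other than msv1_0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # CLSID still registered, DLL gone: harmless now, but left behind by something
            hits.append(("orphaned BHO registration", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Notify handlers are DLLs loaded into winlogon.exe as SYSTEM; a .dat or a
            # missing file here is not how legitimate software registers one
            target = line.split(" - ", 2)[2]
            if "(file missing)" in target or target.lower().split(" (")[0].endswith(".dat"):
                hits.append(("Winlogon Notify handler is a .dat or missing file", line))
        elif line.startswith('"Authentication Packages"'):
            # msv1_0 is the only package expected on a stand-alone XP box; anything
            # else is loaded into lsass.exe at boot, which is why AV cannot delete it
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    lsa_extra.append(pkg)
                    hits.append(("extra LSA authentication package", line))
        elif RUNDLL.match(line):
            # Vundo launches its DLL as rundll32 "<random>.dll",<one letter>
            if len(RUNDLL.match(line).group(2)) == 1:
                hits.append(("rundll32 entry with single-letter entry point", line))
        elif FILE_LINE.match(line):
            attrs, path = FILE_LINE.match(line).groups()
            p = PureWindowsPath(path)
            stem, ext = p.stem, p.suffix.lower()
            if str(p.parent).lower() != SYSTEM32:
                continue
            if ext == ".ini2" or (ext in (".ini", ".dll") and looks_random(stem)):
                random_files[stem.lower()] = line
                hits.append((f"random-named {ext} in system32 (attrs {attrs})", line))
            elif ext == ".dat" and re.fullmatch(r"__c[0-9A-Fa-f]+", stem):
                hits.append(("__c*.dat in system32, same scheme as the Winlogon Notify handler", line))
            elif ext == ".exe" and not re.search(r"[A-Za-z0-9]", stem):
                hits.append(("executable whose name has no letters or digits", line))
        elif WINDIR_EXE.fullmatch(line):
            exe = WINDIR_EXE.fullmatch(line).group(1).lower()
            if exe not in WINDIR_EXES:
                hits.append(("startup executable directly in the Windows directory", line))
    # Vundo names its .ini/.ini2 after the DLL with the letters reversed:
    # wvULfDTN <-> NTDfLUvw.  A match ties the LSA entry to the hidden file.
    for pkg in lsa_extra:
        stem = PureWindowsPath(pkg).stem.lower()
        if stem[::-1] in random_files:
            hits.append(("LSA package name is the reverse of a hidden .ini2 name",
                         f"{pkg} <-> {random_files[stem[::-1]]}"))
    return hits


if __name__ == "__main__":
    for reason, line in find_indicators(LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the excerpts it reports nine hits and leaves ssv.dll, avgrsstx.dll and preflib.dll alone. The reversed-name correlation is the one worth remembering: it links the module lsass.exe loads at boot (wvULfDTN) to the hidden, system-attributed NTDfLUvw.ini2 that the file list shows, which is why clearing the registry value and moving the files have to happen together.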


#2 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 19 June 2008 - 02:20 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.
  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
Step 2

Open HijackThis, perform a scan and put a check next to the following items (if present):

O2 - BHO: (no name) - {8E7F8492-4CEC-4AEF-9B4B-E13061268F9A} - (no file)
O2 - BHO: {86e869d2-a8dd-a7a9-9c84-1e8428ff72ab} - {ba27ff82-48e1-48c9-9a7a-dd8a2d968e68} - (no file)
O2 - BHO: (no name) - {CFF575DA-4040-4B39-A990-908C065F617C} - (no file)
O20 - Winlogon Notify: __c007DAEA - C:\WINDOWS\system32\__c007DAEA.dat (file missing)


Close all programs except HijackThis and click on Fix checked.

Step 3

Please download OTMoveIt2.exe by OldTimer and save it to your desktop.
  • Double click on OTMoveIt2.exe to run it.
  • Untick the option to Unregister Dll's and Ocx's.
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard.
C:\VundoFix Backups
C:\WINDOWS\system32\EhRYcfii.ini2
C:\WINDOWS\system32\__c00795E.dat
C:\WINDOWS\system32\NnoWFfhk.ini2
C:\WINDOWS\system32\FfhRsBeg.ini2
C:\WINDOWS\system32\~.exe
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers.

Step 4

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheSpyBot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As. Save the file as "Fix.reg" (including the quotes).

Double-click on Fix.reg. When asked if you want to merge the file with the registry, click Yes.

Step 5

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.
Step 6

In your next reply, please post:
  • the OTMoveIt log
  • the Malwarebytes' Anti-Malware log
  • a HijackThis log

Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.
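The Step 4 fix overwrites the whole Authentication Packages multi-string, so it is worth being able to read what a hex(7) value actually says before merging it. The following Python helpers are an added example, not code from the original post: they encode and decode REGEDIT4 hex(7) values (REG_MULTI_SZ; in a REGEDIT4 file one byte per character, each string NUL-terminated, the list closed by a second NUL) and rebuild the fix from the DSS registry-dump line in the log above. The function names and the sample line are this example's own.

```python
"""Check and rebuild the REGEDIT4 hex(7) fix for LSA "Authentication Packages".

REGEDIT4 files are ANSI: hex(7) is a REG_MULTI_SZ as raw bytes, one byte per
character, each string followed by a NUL and the whole list closed by one more
NUL.  (A "Windows Registry Editor Version 5.00" file would use UTF-16LE, two
bytes per character, so these helpers deliberately handle REGEDIT4 only.)
Function names and the sample DSS line are this example's own."""

LSA_KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"
STEP4_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'


def encode_multi_sz(strings):
    """['msv1_0'] -> 'hex(7):6d,73,76,31,5f,30,00,00'."""
    for s in strings:
        if "\x00" in s or not s:
            raise ValueError("REG_MULTI_SZ entries must be non-empty and NUL-free")
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(value):
    """'hex(7):6d,...,00,00' -> ['msv1_0'].  Rejects malformed terminators, which
    is the usual way a hand-typed .reg line goes wrong."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REGEDIT4 hex(7) value")
    data = bytes(int(h, 16) for h in value[len("hex(7):"):].split(","))
    if len(data) < 2 or not data.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with two NUL bytes")
    body = data[:-2]
    return [s.decode("latin-1") for s in body.split(b"\x00")] if body else []


def lsa_fix_from_dss(dss_line):
    """Turn the DSS registry-dump line for Authentication Packages into
    (dropped_entries, regedit4_text), keeping only msv1_0."""
    current = dss_line.split("=", 1)[1].split()
    keep = [p for p in current if p.lower() == "msv1_0"]
    dropped = [p for p in current if p.lower() != "msv1_0"]
    if not keep:                       # never write an LSA value without msv1_0
        keep = ["msv1_0"]
    reg = ("REGEDIT4\n\n" + LSA_KEY + "\n"
           + '"Authentication Packages"=' + encode_multi_sz(keep) + "\n")
    return dropped, reg


if __name__ == "__main__":
    print(decode_multi_sz(STEP4_LINE.split("=", 1)[1]))
    dropped, reg = lsa_fix_from_dss(
        r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvULfDTN')
    print("would drop:", dropped)
    print(reg)
```

Decoding the Step 4 line gives exactly ['msv1_0'], the XP default, and rebuilding the fix from the DSS line drops only C:\WINDOWS\system32\wvULfDTN. Because the .reg replaces the entire value, a machine that carries a legitimate third-party authentication package would lose it too, which is why the DSS registry dump should be read first rather than pasting the fix blind.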

#3 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 23 June 2008 - 05:34 PM

Due to inactivity this topic will be closed.

If you need help please start a new thread and post a new HijackThis log.
Simon V.




