The Invincible Vundo. It's Taking Over The World


  • This topic is locked
12 replies to this topic

#1 willywonka

Posted 15 July 2008 - 10:23 PM

First of all I'd like to say that I tried the tutorials first before seeking help. I know you guys are overburdened. By the way I love the help you're providing. Is there a donation link so I can help support the cause?

My problem is that this virus is superhuman. I've tried Malwarebytes, Superantispyware, SmitFraudFix, Dr.Web-Cureit, Adaware. All of them come up with Vundo and eliminate it, but the virus just reinstalls somehow like a minute later. Additionally Vundofix finds nothing, I've updated Java and that did nothing. CCleaner finds 3.14MB of something in my temporary internet files every time I run it. And Combofix doesn't work at all. Midway through the program my computer will freeze and go to a bluescreen that says BAD_POOL_CALLER with all these codes next to it. So Combofix is not an option for me.

I've checked my hijackthis logs and for the life of me I can't find anything that would cause this. I'm beginning to think that one of the viruses was designed to disrupt Hijackthis, Vundofix and Combofix, since I noticed I had to reinstall a driver they use. Also my internet browsers seem to be infected. In fact I wasn't able to even use Yahoo or Google, they would just freeze and go nowhere, until I cleaned it with Dr. Web-Cureit. I had to use MSN.com to browse the net. The Dr. Web program found a lot of Backdoor.IRC trojans. I ran the program a second time and it found the same 10 viruses all over again. I have the saved Dr. Web logfile if you want it. Something is reinstalling each time.

What's going on is that my computer is slower, and Firefox and IE will occasionally throw pop-up ads constantly such as to Fling.com, antispywareexpert, university.com, ripetv, bitefight.us, 82.12.43.70 etc... There's an adrotator in my machine somewhere and I can't find it. Yea, and I also found an icon on my desktop that looks like either IE or the Firefox internet desktop link (depending on who I log in to Windows as), but it is not the internet link. I think it was put there by the jerks that made this impossible virus, so that once you clear everything out you would mistakenly reinfect your computer!

Who writes this stuff?

This is the Hijackthis log after I ran Dr. WebCureit the second time.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:50 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\Ati2evxx.exe
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS1\system32\Ati2evxx.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS1\eHome\ehRecvr.exe
C:\WINDOWS1\eHome\ehSched.exe
C:\Program Files\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
E:\oracle\ora92\bin\omtsreco.exe
E:\oracle\ora92\bin\agntsrvc.exe
E:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS1\system32\cmd.exe
E:\oracle\ora92\BIN\TNSLSNR.exe
E:\oracle\ora92\bin\dbsnmp.exe
e:\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS1\system32\svchost.exe
E:\oracle\ora92\Apache\Apache\apache.exe
E:\oracle\ora92\jdk\bin\java.exe
E:\oracle\ora92\jdk\bin\java.exe
e:\oracle\ora92\bin\isqlplus
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS1\system32\dllhost.exe
C:\WINDOWS1\system32\wscntfy.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\ehome\ehtray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS1\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS1\system32\rundll32.exe
C:\WINDOWS1\system32\Rundll32.exe
C:\WINDOWS1\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {097E556B-884A-4672-A927-BC160E652A6B} - C:\WINDOWS1\system32\ljJCvurP.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {826b04a6-9ff6-ea4a-86a4-80e9782baa89} - {98aab287-9e08-4a68-a4ae-6ff96a40b628} - C:\WINDOWS1\system32\cdaqcz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS1\ehome\ehtray.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [5402ee12] rundll32.exe "C:\WINDOWS1\system32\fajmhdhn.dll",b
O4 - HKLM\..\Run: [BM5731dd8e] Rundll32.exe "C:\WINDOWS1\system32\upccrqok.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_4-2-1.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtual...iveXClient1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1215597432000
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS1\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c8b8561e205295) (gupdate1c8b8561e205295) - Google Inc. - C:\Program Files\Google\Update\1.1.25.0\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - E:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - E:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - E:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - E:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - E:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - E:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - E:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - E:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceSTARTER - Oracle Corporation - e:\oracle\ora92\bin\ORACLE.EXE

--
End of file - 11223 bytes

Edited by willywonka, 16 July 2008 - 11:17 AM.



#2 willywonka

  • Topic Starter

Posted 26 July 2008 - 01:37 PM

Hi there,

I checked into the BAD_POOL_CALLER bluescreen I kept getting when running Combofix. I ran Windows debugger and got this in the minidump. Apparently my ntoskrnl.exe file (whatever that is) is causing the BAD_POOL_CALLER. If I can fix it somehow then maybe I can run Combofix and clean the hard drive without any more bluescreens of death. I checked Microsoft to see if you can just install the latest version of ntoskrnl.exe but it only said that the program had something to do with my boot.ini.

Part of the minidump was as follows:

Unable to load image \WINDOWS1\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805644a0
Debug session time: Thu Jul 24 22:34:21.812 2008 (GMT-4)
System Uptime: 0 days 0:01:20.437
*********************************************************************

#3 willywonka

  • Topic Starter

Posted 27 July 2008 - 06:02 PM

I was going through Msconfig and I think I'm onto something. I saw that the upccrqok.dll was always active during startup, even if I disabled it. Then this line:


O4 - HKLM\..\Run: [BM5731dd8e] Rundll32.exe "C:\WINDOWS1\system32\upccrqok.dll",s

keeps reappearing no matter how many times I get HijackThis to fix it. I think this is the Vundo dll. I don't know how to remove it if even HijackThis can't take it out. How can it keep installing itself?

Edited by willywonka, 27 July 2008 - 06:04 PM.
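As an added, defender-side illustration that is not part of this thread or of HijackThis itself, the Python script below applies the signals the posts above turn on (a Run value whose name is a hex token, rundll32 loading a random-named DLL from system32 through a single-letter export, a BHO with no product name or a missing file) to sample lines copied from the log in post #1, and then ties a flagged Run value name to other artifacts that reuse the same token, such as the BM5731dd8e.xml file reported later in the thread. The allowlist, the reason strings and the heuristics are constructed for this example; they are a triage aid, not a verdict.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# plus benign neighbours, so the triage can be run offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {097E556B-884A-4672-A927-BC160E652A6B} - C:\WINDOWS1\system32\ljJCvurP.dll (file missing)
O2 - BHO: {826b04a6-9ff6-ea4a-86a4-80e9782baa89} - {98aab287-9e08-4a68-a4ae-6ff96a40b628} - C:\WINDOWS1\system32\cdaqcz.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [5402ee12] rundll32.exe "C:\WINDOWS1\system32\fajmhdhn.dll",b
O4 - HKLM\..\Run: [BM5731dd8e] Rundll32.exe "C:\WINDOWS1\system32\upccrqok.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\system32\ctfmon.exe
"""


class Finding(NamedTuple):
    line_no: int
    entry: str          # HijackThis section: O2 (BHO) or O4 (Run key)
    key: str            # CLSID for O2, Run value name for O4
    target: str         # the DLL/EXE the entry loads
    reasons: List[str]  # why the line was flagged


BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
                       re.IGNORECASE)
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
HEX_VALUE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")   # value names such as 5402ee12 or BM5731dd8e
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{6,8}$")      # 6-8 letters, no digits, no product word

# Constructed allowlist of system32 modules that are legitimately started this way;
# a real deployment would use a curated list or file-hash reputation instead.
KNOWN_OK = {"ctfmon"}


def _stem(path: str) -> str:
    """File name without directory or extension, tolerant of / and \\ separators."""
    name = path.replace("/", "\\").split("\\")[-1]
    return name.rsplit(".", 1)[0]


def _random_system32_dll(path: str) -> bool:
    """True for a module in system32 whose name looks generated rather than chosen."""
    stem = _stem(path)
    return ("\\system32\\" in path.lower()
            and RANDOM_STEM_RE.match(stem) is not None
            and stem.lower() not in KNOWN_OK)


def triage_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding when a line shows one of the Vundo-style load-point signals."""
    reasons: List[str] = []
    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        missing = "(file missing)" in path
        path = path.replace("(file missing)", "").strip()
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("BHO carries no product name")
        if missing:
            reasons.append("BHO DLL reported missing (stale load point or hidden file)")
        if _random_system32_dll(path):
            reasons.append("random-looking DLL name in system32")
        return Finding(line_no, "O2", m.group("clsid"), path, reasons) if reasons else None
    m = RUN_RE.match(line)
    if m:
        value, cmd = m.group("value"), m.group("cmd").strip()
        target = cmd
        if HEX_VALUE_RE.match(value):
            reasons.append("Run value name is a hex token rather than a product name")
        r = RUNDLL_RE.match(cmd)
        if r:
            target = r.group("dll")
            if len(r.group("export")) == 1:
                reasons.append("rundll32 invokes a single-letter export")
            if _random_system32_dll(target):
                reasons.append("random-looking DLL name in system32")
        return Finding(line_no, "O4", value, target, reasons) if reasons else None
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log, numbering lines from 1."""
    findings: List[Finding] = []
    for no, line in enumerate(text.strip().splitlines(), start=1):
        f = triage_line(no, line)
        if f:
            findings.append(f)
    return findings


def correlate(findings: List[Finding], removed_paths: List[str]) -> Dict[str, List[str]]:
    r"""Map flagged Run value names to other artifacts that reuse the same token,
    e.g. BM5731dd8e in the Run key and C:\WINDOWS1\BM5731dd8e.xml removed later."""
    keys = {f.key for f in findings if f.entry == "O4"}
    matches: Dict[str, List[str]] = {}
    for p in removed_paths:
        stem = _stem(p)
        if stem in keys:
            matches.setdefault(stem, []).append(p)
    return matches


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.entry} [{f.key}] {f.target}: " + "; ".join(f.reasons))
```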


#4 willywonka

  • Topic Starter

Posted 04 August 2008 - 11:04 AM

Okay I think I've cleaned everything out save for one persistent Vundo variant. I still find 3.19MB of something when I run CCleaner and the computer is still running as if it's underwater. I keep running CWShredder and it keeps removing CWS.Msconfig, so there is some virus still in the computer that is installing it then putting cookies in my Temporary Internet Files folder. Something is reinstalling CWS.Msconfig. SuperAntiSpyware occasionally finds 1 Vundo variant remaining and cleans it but it comes back eventually. Annoying! I wish there were some way to trace where these bugs were hiding.

If only I could fix that freaking BAD_POOL_CALLER (0x00000043... etc.) bluescreen that occurs when running Combofix, I could cure this thing in one session. Is there any way to run Combofix from a flash drive - I've tried it but still got the bluescreen, perhaps I was doing it wrong?

By the way this is my parents' computer and I had to deal with endless tirades about how I was too slow, that McAfee would fix it all if I would just pay for it, and on and on. I knew that Combofix could clear it in one go based on other forum topics I read. But when it failed I knew I was entering uninformed hell. I gave them my wireless laptop in the meantime but they refuse to use it and demand that they get their "office room" back. I am loath to format the drive since there are programs on there that I lost the CD to. But if it comes to that I am ready to sacrifice them all. Goodbye Monkey Island 3.

Edited by willywonka, 04 August 2008 - 02:29 PM.


#5 markamus

Posted 04 August 2008 - 02:28 PM

willywonka,

We apologize for the delay. As you can see, the helpers here have been quite busy.

Do you still need assistance? If so, please post back with a fresh HijackThis log. A lot can happen in a few days so we need to see what the latest log shows.

Thanks,

markamus

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#6 willywonka

  • Topic Starter

Posted 07 August 2008 - 09:36 PM

Okay. Thanks. Here's the latest.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:25, on 2008-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\Ati2evxx.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS1\system32\Ati2evxx.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS1\eHome\ehRecvr.exe
C:\WINDOWS1\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS1\Explorer.EXE
E:\oracle\ora92\bin\omtsreco.exe
E:\oracle\ora92\bin\agntsrvc.exe
E:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS1\system32\cmd.exe
E:\oracle\ora92\BIN\TNSLSNR.exe
E:\oracle\ora92\bin\dbsnmp.exe
e:\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS1\system32\svchost.exe
E:\oracle\ora92\Apache\Apache\apache.exe
E:\oracle\ora92\jdk\bin\java.exe
E:\oracle\ora92\jdk\bin\java.exe
e:\oracle\ora92\bin\isqlplus
C:\WINDOWS1\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\WINDOWS1\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS1\system32\dllhost.exe
C:\WINDOWS1\system32\wscntfy.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\WINDOWS1\system32\wuauclt.exe
C:\WINDOWS1\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS1\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_4-2-1.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtual...iveXClient1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1215597432000
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS1\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c8b8561e205295) (gupdate1c8b8561e205295) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - E:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - E:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - E:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - E:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - E:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - E:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - E:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - E:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceSTARTER - Oracle Corporation - e:\oracle\ora92\bin\ORACLE.EXE

--
End of file - 10002 bytes

#7 markamus

Posted 07 August 2008 - 10:31 PM

Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#8 willywonka

  • Topic Starter

Posted 09 August 2008 - 12:02 PM

Done! Found 16 items.

Malwarebytes' Anti-Malware 1.24
Database version: 1035
Windows 5.1.2600 Service Pack 2

12:59:35 2008-08-09
mbam-log-8-9-2008 (12-59-35).txt

Scan type: Quick Scan
Objects scanned: 79179
Time elapsed: 33 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS1\system32\ecfkxoae.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\system32\elkkpi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\system32\uqohjnwn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\system32\auwytkjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\system32\xsudum.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\system32\atlxsogc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\system32\eqijef.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Craig\Desktop\All Sony Products Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS1\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\BM5731dd8e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS1\BM5731dd8e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#9 markamus

Posted 10 August 2008 - 10:39 AM

Very good.

Please download a free version of CCleaner from here.


To install:
  • Select a language.
  • Click Next.
  • Click I Agree.
  • Select your Destination Folder and click Next. The default is set to C:\Program Files\CCleaner. This is OK to use, unless you would prefer it installed to another permanent folder.
  • Choose your Install Options.
  • Click Install.
  • Click Finish when prompted.

To run:
  • Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Then select the items you wish to clean up. (See note below)
In the Windows Tab:
  • Clean all entries in the "Internet Explorer". If you prefer to keep your cookies, uncheck the Cookies entry. Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users log in.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
  • Then click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.
----------------------------------------------------------------------------------------------

Run an online virus scan called Kaspersky from HERE.
1. At the main page, after reading the contents, press "Accept".
2. At the next window, select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found, they will appear in the report.
6. Select "Save error report as". In the file name just type in kaspersky, under "save as type" select text (.txt), and save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

In your next reply, please include the following:
  • The Kaspersky Online scan results
  • A fresh HijackThis log
  • An update on how the PC is running.
Thanks,

markamus

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#10 willywonka (Topic Starter)

Posted 16 August 2008 - 01:39 PM

Ok, doing it now.

#11 willywonka (Topic Starter)

Posted 17 August 2008 - 08:54 PM

The Kaspersky Online scan takes forever and I keep getting Blue Screens of Death, forcing me to turn the computer off and then start the scan from scratch. I know I have something because when I type there seems to be a one... second... delay... like something is hoarding the virtual memory. Also, as I've said, the speakers pop in and out, and when I attempt to use Sound Recorder to record my voice it comes out sounding like a record skipping, as if the memory flow wasn't consistent.

#12 markamus

Posted 19 August 2008 - 09:36 AM
Posted 19 August 2008 - 09:36 AM

Click Start
Right click My Computer
Select Manage
Click the + next to Event Viewer in the left hand pane to expand its contents
Check through the Application and System events shown
Look for Errors and Warnings, and please report back with as much detail about any recent ones you can.
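The Event Viewer check above can also be done from a console, which is handy when a machine blue-screens before the GUI steps can be finished. The script below is an added example, not part of markamus's instructions or of any tool named in this thread; it assumes Windows PowerShell is available on the affected machine (the classic Get-EventLog cmdlet it uses is present in Windows PowerShell but not in cross-platform PowerShell 7+). It pulls the recent Error and Warning entries from the Application and System logs, summarises which sources fail most often, and writes the detailed list to a text file on the Desktop that can be pasted into a reply.

```powershell
# Added example (not from the original post): list recent Error and Warning
# events from the Application and System logs, the same information the
# Event Viewer steps above ask for.
# Assumption: runs on the affected PC under Windows PowerShell, where
# Get-EventLog is available.

param(
    # How far back to look; the most recent crashes are the useful ones.
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)
$logs  = 'Application', 'System'

# Collect Error and Warning entries from both logs into one list,
# tagging each entry with the log it came from and flattening the
# multi-line message so it fits in a table.
$events = foreach ($log in $logs) {
    Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
        Select-Object @{Name = 'Log'; Expression = { $log }},
                      TimeGenerated, EntryType, Source, EventID,
                      @{Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() }}
}

# Summary first: the sources and event IDs that repeat most often are
# usually the quickest lead on what is misbehaving.
$events |
    Group-Object Log, Source, EventID |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Then the full list, newest first.
$events |
    Sort-Object TimeGenerated -Descending |
    Format-Table -Wrap -AutoSize Log, TimeGenerated, EntryType, Source, EventID, Message

# Save a copy on the Desktop next to the other logs requested in this thread.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'eventlog-errors.txt'
$events |
    Sort-Object TimeGenerated -Descending |
    Format-List Log, TimeGenerated, EntryType, Source, EventID, Message |
    Out-File -FilePath $out -Encoding UTF8
```

After a blue screen, the entry worth looking for in the System log is the bugcheck record written on the next boot (Event ID 1001, source "Save Dump" on Windows XP); its message carries the stop code and parameters that the BAD_POOL_CALLER screen showed, and the Error and Warning entries logged in the minutes before it are the context a helper would ask for.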

#13 markamus

Posted 16 January 2009 - 10:29 AM
Posted 16 January 2009 - 10:29 AM

Due to no response, this topic is now closed. Should you need it re-opened, please contact me or another moderator and we will take care of it. For any other issues, please start a new thread.
