
S.O.S Please Help. Computer Infected Badly

  • This topic is locked
10 replies to this topic

#1 virtuoso140


  • Members
  • 5 posts
  • Local time:07:29 AM

Posted 11 January 2009 - 10:31 PM

My computer is running slow to the point where it can't keep up with my keystrokes. It has two pop-ups that appear every time you click on a new link or change to a new web page. I will give the partial address that appears on the pop-ups. 1#-, #2-http://sagipsul.com. Both have too many numbers and symbols after the initial address I have given. Also, the computer will freeze up immediately after I click on my login icon for Windows. I will get the hourglass symbol forever and it won't allow me to do anything. Finally, I get a rundll32.exe application error every other time the computer runs. Thank you for your time and help.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Jason at 22:07:20.59 on Sun 01/11/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.505 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
mSearchAssistant = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD98ptiQjWyupQ0n+m3uztk0t8ZV0tpr09AjIgc1H5SL8HpROG2YzKJ1W0xDhodvdZNME+zzjowM4PUwHGO1nXDZwpQoqev37CD4pYkmtbWZ7aJTXoKh9l7cNG0pvDSeUgt7wS+s9PR0OA3BUSpUy50vXliBflzUaj
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {58504dee-1de0-079a-ae34-d8a239f00b52}: {25b00f93-2a8d-43ea-a970-0ed1eed40585} - c:\windows\system32\ljigfv.dll
BHO: {5e7a77a3-a71e-4098-8e60-7658aa1ae164} - c:\windows\system32\awtrPIyY.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\efcDUnMD.dll
TB: {9FB3908C-6565-4CB0-95F8-E9F85258723C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\1.bin\MWSBAR.DLL,S
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [Vyidoforeqono] rundll32.exe "c:\windows\Xwivit.dll",e
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Rgamumuhifopawu] rundll32.exe "c:\windows\ojababam.dll",e
mRun: [487b326f] rundll32.exe "c:\windows\system32\ktpglfcf.dll",b
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm025YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: efcDUnMD - efcDUnMD.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ,avgrsstx.dll ljigfv.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\efcDUnMD.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtrPIyY

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\f6sclbmz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {583BBC6C-B9FC-4796-BF5B-E0D480120298} - c:\documents and settings\jason\local settings\application data\{583BBC6C-B9FC-4796-BF5B-E0D480120298}
FF - HiddenExtension: XUL Cache: {FA875F51-255D-45B8-BE08-12FDD316BE10} - c:\windows\system32\config\systemprofile\local settings\application data\{fa875f51-255d-45b8-be08-12fdd316be10}\

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-31 12424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-31 26184]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-31 22528]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-31 902424]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-31 282904]
R4 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2008-12-31 930584]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-31 75272]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-25 24652]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-31 22528]

=============== Created Last 30 ================

2009-01-11 17:08 1,256,329 ---sh--- c:\windows\system32\fcflgptk.ini
2009-01-11 17:08 80,896 a------- c:\windows\system32\ktpglfcf.dll
2009-01-11 17:07 123,392 a------- c:\windows\system32\ljigfv.dll
2009-01-11 17:07 123,392 a------- c:\windows\system32\cqgmuwhg.dll
2009-01-09 23:09 <DIR> --d----- c:\program files\Trend Micro
2009-01-09 21:19 1,248,432 ---sh--- c:\windows\system32\auufcwvh.ini
2009-01-09 21:19 90,624 a------- c:\windows\system32\hvwcfuua.dll
2009-01-09 21:12 133,120 a------- c:\windows\system32\hzgisa.dll
2009-01-09 21:12 133,120 a------- c:\windows\system32\lmrsecgv.dll
2009-01-08 22:04 <DIR> --d----- c:\documents and settings\jason\WINDOWS
2009-01-08 19:20 1,326,815 ---sh--- c:\windows\system32\iwlrlmun.ini
2009-01-08 19:17 139,264 a------- c:\windows\system32\qxfkpz.dll
2009-01-08 19:17 139,264 a------- c:\windows\system32\gecpwrof.dll
2009-01-08 13:33 1,326,815 ---sh--- c:\windows\system32\bwitulbu.ini
2009-01-08 13:30 139,264 a------- c:\windows\system32\dxntgr.dll
2009-01-08 13:30 139,264 a------- c:\windows\system32\etscclqf.dll
2009-01-07 13:38 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 13:26 1,326,815 ---sh--- c:\windows\system32\ospkdugj.ini
2009-01-07 12:55 0 a------- c:\windows\system32\mcrh.tmp
2009-01-06 13:20 1,322,957 ---sh--- c:\windows\system32\qwfasumx.ini
2009-01-05 00:54 1,307,356 ---sh--- c:\windows\system32\rmnfqauj.ini
2009-01-03 16:15 1,307,356 ---sh--- c:\windows\system32\gbhhxuor.ini
2009-01-02 16:13 134,144 a------- c:\windows\ojababam.dll
2009-01-02 16:10 1,307,356 ---sh--- c:\windows\system32\nwcixfuw.ini
2009-01-01 22:01 1,307,356 ---sh--- c:\windows\system32\hnjeopdl.ini
2008-12-31 16:20 <DIR> --d----- c:\program files\Lavasoft
2008-12-31 16:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-31 15:48 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-31 15:18 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-31 15:18 75,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-31 15:18 12,424 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-31 15:18 96,520 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-31 15:18 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-31 15:16 45,568 a------- c:\windows\system32\avgfwdx.dll
2008-12-31 15:16 22,528 a------- c:\windows\system32\drivers\avgfwdx.sys
2008-12-31 15:16 <DIR> --d----- c:\program files\AVG
2008-12-31 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-31 01:09 <DIR> --d----- c:\program files\Rapid Antivirus
2008-12-31 00:47 40,448 a------- c:\windows\Xwivit.dll
2008-12-31 00:43 126,976 a------- c:\windows\system32\bxfhzm.dll
2008-12-31 00:43 126,976 a------- c:\windows\system32\bthbppbw.dll
2008-12-31 00:38 1,307,356 ---sh--- c:\windows\system32\vomjnmsk.ini
2008-12-31 00:37 657,627 a--sh--- c:\windows\system32\YyIPrtwa.ini2
2008-12-31 00:37 657,627 a--sh--- c:\windows\system32\YyIPrtwa.ini
2008-12-31 00:37 290,304 a------- c:\windows\system32\awtrPIyY.dll
2008-12-30 23:38 50,176 a------- c:\windows\system32\efcDUnMD.dll
2008-12-27 21:29 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-27 21:29 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-27 21:29 <DIR> --d----- c:\program files\iPod
2008-12-27 21:29 <DIR> --d----- c:\program files\iTunes
2008-12-27 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 21:27 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-23 11:25 88,183 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-15 20:00 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-15 20:00 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 20:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-04-19 23:19 88 ---shr-- c:\windows\system32\2E9F754776.sys
2008-08-27 15:28 56 ---shr-- c:\windows\system32\7647759F2E.sys
2008-08-27 15:28 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:09:39.98 ===============

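As an added example (not part of the thread and not code from DDS, HijackThis or any other tool named here), the following Python script reads lines in the DDS log format shown above and flags the patterns a responder would look at first in this log: Run entries that launch rundll32 with a DLL and a one-letter export, AppInit_DLLs entries outside an allowlist, LSA Authentication Packages beyond msv1_0, and a hidden+system .ini file in system32 whose name is a DLL name spelled backwards (fcflgptk.ini beside ktpglfcf.dll and YyIPrtwa.ini beside awtrPIyY.dll in the listing above). The sample log is a constructed excerpt, and the allowlists and the finding labels are this script's own assumptions.

```python
import ntpath
import re

# Constructed excerpt in the DDS log format shown in the post above (not the full log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [Vyidoforeqono] rundll32.exe "c:\windows\Xwivit.dll",e
mRun: [487b326f] rundll32.exe "c:\windows\system32\ktpglfcf.dll",b
AppInit_DLLs: ,avgrsstx.dll ljigfv.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtrPIyY

=============== Created Last 30 ================

2009-01-11 17:08 1,256,329 ---sh--- c:\windows\system32\fcflgptk.ini
2009-01-11 17:08 80,896 a------- c:\windows\system32\ktpglfcf.dll
2009-01-11 17:07 123,392 a------- c:\windows\system32\ljigfv.dll
2009-01-09 23:09 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 15:18 10,520 a------- c:\windows\system32\avgrsstx.dll
"""

# Assumed allowlists: AVG's own AppInit hook seen in this log, and the only
# authentication package a default XP install registers. Anything else is flagged.
KNOWN_APPINIT = {"avgrsstx.dll"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}

RUN_RE = re.compile(r'^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)$', re.I)
FILE_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+'
                     r'(?P<size>[\d,]+|<DIR>)\s+(?P<attr>\S{8})\s+(?P<path>.+)$')


def parse_dds(text):
    """Pull out the Run entries, AppInit_DLLs, LSA packages and the file listing."""
    runs, appinit, lsa, files = [], [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            runs.append((m['name'], m['cmd']))
            continue
        if line.startswith('AppInit_DLLs:'):
            appinit = [d for d in re.split(r'[,\s]+', line.split(':', 1)[1]) if d]
            continue
        if line.startswith('LSA: Authentication Packages'):
            lsa = line.split('=', 1)[1].split()
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
    return runs, appinit, lsa, files


def find_indicators(text):
    """Return (label, item, detail) tuples; the labels are this script's own names."""
    runs, appinit, lsa, files = parse_dds(text)
    findings = []
    # 1. rundll32 loading a DLL through a one-letter export: the loader style
    #    used by the Vyidoforeqono / 487b326f entries above.
    for name, cmd in runs:
        m = RUNDLL_RE.search(cmd)
        if m and len(m['export']) == 1:
            findings.append(('rundll32-single-letter-export', name, m['dll']))
    # 2. AppInit_DLLs are injected into every process that loads user32.dll.
    for dll in appinit:
        if dll.lower() not in KNOWN_APPINIT:
            findings.append(('appinit-unknown-dll', dll, ''))
    # 3. Extra LSA authentication packages run inside lsass and see logon credentials.
    for pkg in lsa:
        if pkg.lower() not in KNOWN_AUTH_PACKAGES:
            findings.append(('lsa-extra-auth-package', pkg, ''))
    # 4. Hidden+system .ini whose stem is a DLL name spelled backwards.
    by_name = {ntpath.basename(f['path']).lower(): f for f in files}
    for name, f in by_name.items():
        stem, ext = ntpath.splitext(name)
        if ext == '.ini' and 's' in f['attr'] and 'h' in f['attr']:
            twin = stem[::-1] + '.dll'
            if twin in by_name:
                findings.append(('hidden-ini-reversed-dll-pair', name, twin))
    return findings


if __name__ == '__main__':
    for label, item, detail in find_indicators(SAMPLE_DDS):
        print(f'{label:32} {item}  {detail}')
```

Run against the sample it reports five findings, one per indicator category plus both rundll32 loaders. The heuristics are deliberately narrow: a legitimate toolbar that also loads via a one-letter rundll32 export (the MyWebSearch entry in the log above would trip it) still shows up, so the output is a triage list to check against the quarantine results, not a verdict.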


#2 jpshortstuff


    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:01:29 PM

Posted 12 January 2009 - 06:12 AM

Hi, and Welcome to BleepingComputer :thumbsup:

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through the instructions before starting to follow them to make sure you understand everything you have to do.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Please download GooredFix and save it to your Desktop. Double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

We need to disable one or more of your security programs so that they do not interfere with ComboFix.

Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, ( I'll let you know when) just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log.

  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  • ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#3 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:29 PM

Posted 12 January 2009 - 06:16 AM

<<< instructions deleted >>>

Edited by miekiemoes, 12 January 2009 - 06:16 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 virtuoso140

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:29 AM

Posted 14 January 2009 - 04:50 PM

Thanks for your Help!

Here are the logs; they are all attachments. If you need me to, I can copy/paste them in this text box. What kind of security software would you recommend for future use?


#5 jpshortstuff


    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:01:29 PM

Posted 14 January 2009 - 05:03 PM

Hi :thumbsup:

Here are the logs; they are all attachments. If you need me to, I can copy/paste them in this text box. What kind of security software would you recommend for future use?

We'll get to this later.

Please disable AVG as before.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:


c:\documents and settings\Jason\WINDOWS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log
I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Also, please give a detailed description of how your computer is running and behaving at the moment, listing any remaining problems.

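As an added example (not part of the thread, and not ComboFix's own code), a Python helper that decodes and re-encodes the hex(7) REG_MULTI_SZ form used in the CFScript above, so that what a script will write can be read before it is run: 6d,73,76,31,5f,30,00,00 is "msv1_0" followed by the double-NUL terminator, i.e. the Authentication Packages value set back to the single default package after DDS reported a second entry, c:\windows\system32\awtrPIyY, in the first post. The baseline set and the constructed "before" value are assumptions; one byte per character (REGEDIT4 style, as in CFScript) is assumed by default, with an encoding parameter for "Windows Registry Editor Version 5.00" files, which store hex(7) as UTF-16LE.

```python
import re

# The CFScript line from the post above (REGEDIT4-style: one byte per character).
CFSCRIPT_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Assumed baseline: a stock XP install registers only msv1_0 here.
EXPECTED_AUTH_PACKAGES = {'msv1_0'}

HEX7_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):'
                     r'(?P<hex>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$')


def _unwrap(text):
    """Join .reg continuation lines (a trailing backslash wraps long hex values)."""
    return re.sub(r'\\\s*\r?\n\s*', '', text.strip())


def decode_hex7(line, encoding='latin-1'):
    """Decode a hex(7) REG_MULTI_SZ line into (value_name, [strings]).

    REGEDIT4 scripts such as CFScript use one byte per character; files headed
    'Windows Registry Editor Version 5.00' use UTF-16LE, so pass encoding='utf-16-le'.
    """
    m = HEX7_RE.match(_unwrap(line))
    if not m:
        raise ValueError('not a hex(7) REG_MULTI_SZ line: %r' % line)
    raw = bytes(int(b, 16) for b in m['hex'].split(','))
    text = raw.decode(encoding)
    # REG_MULTI_SZ: every string is NUL-terminated and the list ends with an extra NUL.
    if not text.endswith('\0\0'):
        raise ValueError('missing double-NUL terminator')
    body = text[:-2]
    return m['name'], body.split('\0') if body else []


def encode_hex7(name, strings, encoding='latin-1'):
    """Inverse of decode_hex7: build the .reg line for a REG_MULTI_SZ value."""
    if any('\0' in s or not s for s in strings):
        raise ValueError('REG_MULTI_SZ strings must be non-empty and NUL-free')
    raw = ('\0'.join(strings) + '\0\0').encode(encoding)
    return '"%s"=hex(7):%s' % (name, ','.join('%02x' % b for b in raw))


def unexpected_auth_packages(packages, expected=EXPECTED_AUTH_PACKAGES):
    """Return the packages that are not part of the expected baseline."""
    return [p for p in packages if p.lower() not in expected]


if __name__ == '__main__':
    name, pkgs = decode_hex7(CFSCRIPT_LINE)
    print(name, pkgs)
    # Constructed "before" value mirroring the LSA line DDS reported in the first post.
    before = encode_hex7(name, ['msv1_0', r'c:\windows\system32\awtrPIyY'])
    print('extra packages:', unexpected_auth_packages(decode_hex7(before)[1]))
    print('fix matches CFScript:', encode_hex7(name, ['msv1_0']) == CFSCRIPT_LINE)
```

Encoding the expected list back and comparing it with the script line is the check worth doing: if the two differ, either the script was written for a different file encoding or it does not restore the value you think it does.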

#6 virtuoso140

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:29 AM

Posted 15 January 2009 - 09:23 PM


Here are the new logs and reports.

Thursday, January 15, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version:
Program database last update: Thursday, January 15, 2009 22:00:33
Records in database: 1627634

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:

Scan statistics:
Files scanned: 57414
Threat name: 14
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 01:05:42

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\awtrPIyY.dll.vir Infected: Trojan.Win32.Monder.agin 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\axssmaoi.dll.vir Infected: Trojan.Win32.Monder.anir 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bthbppbw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bxfhzm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cqgmuwhg.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gbe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekarbduduyi.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dxntgr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcDUnMD.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\etscclqf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir Infected: Trojan-Downloader.Win32.Murlo.vn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gecpwrof.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hvwcfuua.dll.vir Infected: Trojan.Win32.Monder.alfs 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hzgisa.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fzm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljigfv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gbe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lmrsecgv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fzm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qxfkpz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rwisgjbi.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gcf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekanvdpucbl.dll.vir Infected: Trojan.Win32.Agent.aykk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekatepppwhx.dll.vir Infected: Trojan.Win32.Small.brl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yqzykb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gcf 1
C:\Qoobox\Quarantine\C\WINDOWS\Xwivit.dll.vir Infected: Trojan-Downloader.Win32.Agent.azcz 1

The selected area was scanned.

The computer has been running at its previous performance level with no new issues. Once it is clear I am most concerned with ensuring that it will be more secure in the future.


#7 jpshortstuff


    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:01:29 PM

Posted 16 January 2009 - 02:14 AM

Hi :thumbsup:

Nearly there now.

Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
R3 - URLSearchHook: (no name) - - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)

Close all browsers and windows except for HijackThis and click Fix Checked.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windowsi586.exe to install the newest version.
Please post a new HijackThis log in your next reply.

If your computer has no more problems, we can begin cleanup and I will advise you on keeping your system clean.


#8 virtuoso140

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:29 AM

Posted 17 January 2009 - 04:28 PM

The computer is running well. Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:00 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm025YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

End of file - 7300 bytes
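
As an added example (not part of this thread, and not code from HijackThis or any of the tools mentioned), the script below parses the `O4`/`O9`/`O20`/`O23` lines of a HijackThis log like the one above and marks the entries a helper would usually want to look at first: Run keys and Startup folders, startup items registered for the SYSTEM or Default User profile, shortcuts whose target could not be resolved, extra buttons whose file is missing, AppInit_DLLs, and services with no company name in their version information. The flag names and the triage heuristics are my own assumptions; a flag means "review this entry", not "this is malicious" (the helper in this thread judged the log clean). The sample log is constructed from lines that appear in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis log above.
# A raw string is required because the paths contain backslashes (e.g. "\bin").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis finding has the shape "O<n> - <detail>".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 Run-key entries: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str      # "O4", "O23", ...
    detail: str       # everything after "O<n> - "
    flags: List[str]  # triage flags (assumed names, see triage())


def triage(section: str, detail: str) -> List[str]:
    """Return review flags for one log line. Heuristics are this example's own."""
    flags = []
    if section == "O4" and ("S-1-5-18 Startup" in detail or ".DEFAULT Startup" in detail):
        # Startup items for the SYSTEM / Default User profile are unusual for consumer software.
        flags.append("startup-for-system-or-default-profile")
    if section == "O4" and "Global Startup" in detail and detail.endswith("= ?"):
        # HijackThis could not resolve the shortcut target.
        flags.append("startup-shortcut-target-unresolved")
    if "(file missing)" in detail:
        flags.append("referenced-file-missing")
    if section == "O20":
        # AppInit_DLLs are loaded into every process that links user32.dll.
        flags.append("appinit-dll-loads-into-every-process")
    if section == "O23" and "Unknown owner" in detail:
        # The service binary carries no company name in its version resource.
        flags.append("service-no-company-name")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O-lines of a HijackThis log into Entry records."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, "End of file" trailer
        section, detail = m.groups()
        entries.append(Entry(section, detail, triage(section, detail)))
    return entries


def run_command_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def run_entries(entries: List[Entry]) -> Dict[str, str]:
    """Map Run-key value names to the executable they launch."""
    result = {}
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.detail)
        if m:
            result[m.group("name")] = run_command_path(m.group("cmd"))
    return result


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in flagged(parsed):
        print(f"{e.section}: {e.detail}\n    -> {', '.join(e.flags)}")
    for name, path in run_entries(parsed).items():
        print(f"Run[{name}] = {path}")
```

Running it on the sample prints the five flagged lines with their reasons and the two Run-key entries with the executable each one launches; the unflagged `iPod Service` line is parsed but not reported. The point of separating `triage()` from `parse_hjt()` is that the heuristics can be tightened (for example, comparing `run_entries()` paths against a list of known-good vendor directories) without touching the parser.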

#9 jpshortstuff


    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:01:29 PM

Posted 19 January 2009 - 08:37 AM

Hi virtuoso140

Log looks good :thumbsup:

Click Start >> Run, and then type "%userprofile%\Desktop\GooredFix.exe" /uninstall and hit enter.
Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.

Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Use Mozilla Firefox or Opera as your internet browser.
    These are more secure than Internet Explorer and can be downloaded for free from here:
    Download Mozilla FireFox
    Download Opera
    Alternatively, update Internet Explorer to version 7.

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    Download Spybot Search and Destroy 1.5 from here
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.

    SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
    Freely available: Download SpywareBlaster

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#10 virtuoso140

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:29 AM

Posted 19 January 2009 - 03:53 PM
Thanks again for your help, I will use your suggestions and hopefully stay out of trouble. You and the site have been a great help. Keep it up.

#11 jpshortstuff


    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:01:29 PM

Posted 19 January 2009 - 05:44 PM

Glad I could help you, hope you stay clean :thumbsup:

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.