
Hjt Log


  • This topic is locked
22 replies to this topic

#1 mtlin


Posted 13 October 2005 - 02:56 PM

Hi,

Programs start hanging not long after I boot up. I get pop ups and my computer tries to start a dial up connection randomly (I use DSL). I ran Ad-Aware, Spy Bot Search and Destroy, and did a full virus scan. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:38 PM, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\WINDOWS\smsc.exe
C:\WINDOWS\smsg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\pmnnn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\vtuts.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\System32\vtuts.dll
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
O23 - Service: System Mng Srvc (SMSG) - Unknown owner - C:\WINDOWS\smsg.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks very much for your time and your help. I really appreciate you guys volunteering your services like this.

Best,

Martin

Edited by mtlin, 13 October 2005 - 02:57 PM.



#2 Joshuacat


Posted 17 October 2005 - 01:37 PM

Welcome Martin. Among a couple of other things, it looks like you have a Vundo infection. Let's get started.

Please print these instructions out for use in Safe Mode.

To enable the viewing of hidden files, follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.
Go to Start > Run, type "Services.msc" (without quotes), then hit Ok.
Scroll down and find the below services:

System Manager Service (SMSC)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Repeat the steps above with this service:

System Mng Srvc (SMSG)


Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

SMSC

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click No.

Repeat the steps above with this service:

SMSG

Reboot your computer.

Let me know if you received any error messages.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\vtuts.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\stutv.*
    This is the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\pmnnn.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\vtuts.dll
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
    O20 - Winlogon Notify: vtuts - C:\WINDOWS\System32\vtuts.dll
    O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
    O23 - Service: System Mng Srvc (SMSG) - Unknown owner - C:\WINDOWS\smsg.exe
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program.
  • Using Windows Explorer, locate the following files/folders, and delete them if still present:
    C:\WINDOWS\smsc.exe
    C:\WINDOWS\smsg.exe
  • Restart your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks,
JC
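As an added example (not code from HijackThis, VundoFix or this post), the following Python script applies the same triage JC did by hand to a HijackThis log: it flags O2/O20 entries whose DLL sits in System32 under a short random-looking name, flags O23 services with an unknown owner whose binary sits directly in the Windows directory, and derives the reversed-name wildcard VundoFix asks for as the second path. The five-lowercase-letter name pattern and the sample log lines are assumptions taken from the entries in this thread.

```python
"""Triage a HijackThis log for the Vundo/Virtumonde pattern discussed in this thread.

Heuristics (assumptions modelled on what the helper flagged in this thread):
  * O2 (BHO) and O20 (Winlogon Notify) entries whose DLL lives in System32 and
    has a five-lowercase-letter random name (pmnnn.dll, vtuts.dll); confidence
    is "high" when the same DLL is registered under both keys.
  * O23 services owned by "Unknown owner" whose binary sits directly in the
    Windows directory rather than System32 (smsc.exe, smsg.exe).
Also computes the reversed-stem wildcard VundoFix asks for (vtuts.dll -> stutv.*).
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first log in this thread, plus two
# benign entries (Adobe BHO, ATI service) so the heuristics have something to skip.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\pmnnn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\vtuts.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\System32\vtuts.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
O23 - Service: System Mng Srvc (SMSG) - Unknown owner - C:\WINDOWS\smsg.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Assumed Vundo naming pattern seen in this thread: five lowercase letters + .dll
RANDOM_DLL_RE = re.compile(r"^[a-z]{5}\.dll$")


def parse_entries(log_text):
    """Return [(section, fields)] where fields are the ' - ' separated parts.

    For every HJT section used here the last field is the file path."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, rest = m.groups()
            entries.append((section, [p.strip() for p in rest.split(" - ")]))
    return entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parent_dir(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def in_system32(path):
    return parent_dir(path) == "c:\\windows\\system32"


def in_windows_root(path):
    return parent_dir(path) == "c:\\windows"


def reversed_companion(dll_name):
    """Second VundoFix path: DLL stem reversed plus '.*' (vtuts.dll -> stutv.*)."""
    stem = dll_name.rsplit(".", 1)[0]
    return stem[::-1] + ".*"


def triage(log_text):
    """Return a list of findings dicts for the Vundo indicators described above."""
    seen_in = defaultdict(set)   # lowercase dll name -> HJT sections it appears in
    first_path = {}              # lowercase dll name -> path as written in the log
    findings = []
    for section, fields in parse_entries(log_text):
        path = fields[-1]
        name = basename(path).lower()
        if section in ("O2", "O20") and in_system32(path) and RANDOM_DLL_RE.match(name):
            seen_in[name].add(section)
            first_path.setdefault(name, path)
        elif section == "O23" and "Unknown owner" in fields and in_windows_root(path):
            findings.append({"kind": "service", "path": path,
                             "reason": "unknown owner, binary in Windows root"})
    for name, sections in seen_in.items():
        findings.append({"kind": "dll", "path": first_path[name],
                         "sections": sorted(sections),
                         "confidence": "high" if {"O2", "O20"} <= sections else "medium",
                         "companion": reversed_companion(name)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["kind"] == "dll":
            print(f"[{f['confidence']}] {f['path']} in {','.join(f['sections'])}; "
                  f"VundoFix second path: {f['companion']}")
        else:
            print(f"[service] {f['path']}: {f['reason']}")
```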

#3 mtlin


Posted 17 October 2005 - 04:53 PM

Thanks JC! I've followed your instructions. Here are my new logs:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:12 PM, on 10/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnnn.dll
Adware:adware/mirar No disinfected C:\WINDOWS\SYSTEM32\WinNB57.dll
Spyware:spyware/media-motor No disinfected C:\WINDOWS\mm63.ocx
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:W32/Bagle.J.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[Message.pif]
Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[AttachedFile.zip]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[your_product.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_excel.pif]
Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[text_document.zip]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_word.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_4351.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[your_details.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_word.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_excel.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_word.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[your_picture.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[your_text.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[my_details.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[details03.txt .pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[your_document.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[old_photos.zip][details.txt .pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message_part2.pif]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[my_details.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[mails9.doc .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000439.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000443.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message.scr]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[my_details.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[websitelist01.zip][details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[website.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000471.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[document_with_notice.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000487.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[game.doc.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000493.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000497.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message.scr]
Virus:W32/Netsky.D.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[message_part2.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[website_martin.lin.pif]
Virus:W32/Bagle.pwdrar Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[Gift.rar]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0000874.~][id09509.zip][document.txt .exe]
Virus:W32/Netsky.T.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0001063.~][personal_message1.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Martin Lin\Application Data\Thunderbird\Profiles\5s0bmv6u.default\ImapMail\mailbox126.utcc.utoronto.ca\INBOX[~0001654.~][application.zip][document.txt .exe]
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\mm63.ocx
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\ddcyw.dll
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_00218.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_06730.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_06865.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_62082.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_63086.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\gebyx.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\geedc.dll
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\jkhfc.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\jkhhe.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\jkkli.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\mljge.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\mljgf.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\mljjg.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\mljjk.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\mlljg.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\mllmm.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmkhe.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnli.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnnl.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnnn.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\sstqo.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\sstts.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\vtsqr.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\vturq.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\vtutq.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\vtutr.dll
Adware:Adware/Mirar No disinfected C:\WINDOWS\system32\WinNB57.dll
Spyware:Spyware/Virtumonde No disinfected C:\ws.exe[is.exe]
Spyware:Spyware/Virtumonde No disinfected C:\ws2.exe[is.exe]

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\vtuts.dll

The second filepath entered was C:\WINDOWS\System32\stutv.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 548 'smss.exe'

Killing PID 1564 'explorer.exe'


Killing PID 628 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\vtuts.dll Deleted sucessfully.
C:\WINDOWS\System32\stutv.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

I really appreciate your help!

Best,

Martin

#4 Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 17 October 2005 - 07:37 PM

mtlin, it looks like we have some more work to do. We still have the Vundo infection present in your log. Don't worry, sometimes it takes a couple of attempts to get it all.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1. Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.


2. Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

    At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\SYSTEM32\pmnnn.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\SYSTEM32\nnnmp.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would enter odnuv.*
  • Press Enter to continue with the fix.
    The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnn.dll
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
3. Please download the Killbox.
Unzip it to the desktop and run it.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\unstall.exe
C:\WINDOWS\mm63.ocx
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\vtsqr.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\WinNB57.dll
C:\ws.exe
C:\ws2.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Restart your computer.


4. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Press the CleanUp! button to start the program.
It may ask you to reboot at the end; click NO.


5. Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks,
JC

#5 mtlin

  • Topic Starter

  • Members
  • 18 posts

Posted 18 October 2005 - 12:28 AM

Hi JC,

Logfile of HijackThis v1.99.1
Scan saved at 1:19:19 AM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnnn.dll
Spyware:spyware/media-motor No disinfected Windows Registry
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\ddcyw.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\gebyx.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\geedc.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\jkhfc.dll
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\jkhhe.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\jkkli.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mljge.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mljgf.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mljjg.dll
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\mljjk.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mlljg.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mllmm.dll
Spyware:Spyware/Media-motor No disinfected C:\!KillBox\mm63.ocx
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\pmkhe.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\pmnli.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\pmnnl.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\sstqo.dll
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\sstts.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vtsqr.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vturq.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vtutq.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vtutr.dll
Adware:Adware/Mirar No disinfected C:\!KillBox\WinNB57.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\ws.exe[is.exe]
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\ws2.exe[is.exe]
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\Hijackthis\backups\backup-20051017-174725-294.dll
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnnn.dll

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:WINDOWS\SYSTEM32\pmnnn.dll

The second filepath entered was C:WINDOWS\SYSTEM32\nnnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'

Killing PID 740 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:WINDOWS\SYSTEM32\pmnnn.dll Deleted sucessfully.
C:WINDOWS\SYSTEM32\nnnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Thanks!

mtlin

#6 Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 18 October 2005 - 08:35 AM

mtlin: The scan looks a little cleaner, but the Vundo infection still exists... We have more work to do....

Please print these instructions out for use in Safe Mode.

1.
  • Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\pmnnn.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\nnnmp.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnn.dll
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
2. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Press the CleanUp! button to start the program.
It may ask you to reboot at the end; click NO.


3. Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.


Thanks,
JC

#7 mtlin

  • Topic Starter

  • Members
  • 18 posts

Posted 18 October 2005 - 03:34 PM

Hi JC:

Here are my latest logs:

Logfile of HijackThis v1.99.1
Scan saved at 4:32:47 PM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\awvvu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76C7308-7DCB-4A0B-9F71-27C906C760CA}: NameServer = 209.226.175.223 198.235.216.134
O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Incident Status Location

Spyware:spyware/virtumonde No disinfected Windows Registry
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\ddcyw.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\gebyx.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\geedc.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\jkhfc.dll
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\jkhhe.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\jkkli.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mljge.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mljgf.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mljjg.dll
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\mljjk.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mlljg.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mllmm.dll
Spyware:Spyware/Media-motor No disinfected C:\!KillBox\mm63.ocx
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\pmkhe.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\pmnli.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\pmnnl.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\sstqo.dll
Adware:Adware/StartPage.AIW No disinfected C:\!KillBox\sstts.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vtsqr.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vturq.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vtutq.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\vtutr.dll
Adware:Adware/Mirar No disinfected C:\!KillBox\WinNB57.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\ws.exe[is.exe]
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\ws2.exe[is.exe]
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\Hijackthis\backups\backup-20051017-174725-294.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\pmnnn.dll

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:WINDOWS\system32\pmnnn.dll

The second filepath entered was C:WINDOWS\system32\nnnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'

Killing PID 752 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:WINDOWS\system32\pmnnn.dll Deleted sucessfully.
C:WINDOWS\system32\nnnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Thanks again for your time.

Best,

mtlin

#8 Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 18 October 2005 - 05:15 PM

We have more work to do, let's try this again...

Please print these instructions out for use in Safe Mode.

1. Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\awvvu.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\uvvwa.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\awvvu.dll
    O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
2. Run KillBox

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\pmnnn.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Restart your computer.


3. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Press the CleanUp! button to start the program.
It may ask you to reboot at the end; click NO.

4. Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks,
JC
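A small triage script for the procedure JC repeats in posts #4, #6 and #8: pick out the DLL that both an O2 BHO line and an O20 Winlogon Notify line point at, derive the reversed-name second path VundoFix asks for, and check that the paths recorded in vundofix.txt are drive-rooted. This is an added example and not code from the thread, VundoFix, HijackThis or Killbox; the sample log text is constructed from lines posted in this thread, and the heuristics it uses (five lowercase letters plus .dll under system32, the BHO/Winlogon Notify pairing, the reversed-stem companion) are this example's assumptions about the variant seen here, not rules taken from those tools.

```python
"""Triage helpers for a Vundo (Virtumonde) cleanup like the one in this thread.

Added example; not code from the thread, VundoFix, HijackThis or Killbox.
The sample logs below are constructed from lines posted in the thread.
"""
import re

# Constructed sample: abridged HijackThis entries in the format posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\awvvu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\SYSTEM32\pmnnn.dll
O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll
"""

# Constructed sample: the "Filepaths entered" block of a vundofix.txt, with the
# drive-relative spelling (no backslash after "C:") that appears in the thread.
SAMPLE_VUNDOFIX_TXT = r"""
The filepath entered was C:WINDOWS\system32\pmnnn.dll

The second filepath entered was C:WINDOWS\system32\nnnmp.*
"""

HJT_O2 = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+?)(?: \(file missing\))?$")
# Assumption for this variant: five lowercase letters plus .dll, as in the thread.
RANDOM_DLL = re.compile(r"^[a-z]{5}\.dll$")
VUNDOFIX_ENTERED = re.compile(r"^The (?:second )?filepath entered was (?P<path>.+)$")
DRIVE_ROOTED = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Map each referenced path (case-insensitive key) to its first-seen
    spelling and the set of HijackThis sections (O2, O20) that point at it."""
    refs = {}
    for raw in text.splitlines():
        line = raw.strip()
        for tag, rx in (("O2", HJT_O2), ("O20", HJT_O20)):
            m = rx.match(line)
            if m:
                path = m.group("path")
                _, tags = refs.setdefault(path.lower(), (path, set()))
                tags.add(tag)
    return refs


def vundo_candidates(text):
    """Paths loaded both as a BHO (O2) and as a Winlogon Notify DLL (O20),
    living under system32 with a random-looking five-letter name."""
    hits = []
    for key, (path, tags) in parse_hjt(text).items():
        name = key.rsplit("\\", 1)[-1]
        if {"O2", "O20"} <= tags and "\\system32\\" in key and RANDOM_DLL.match(name):
            hits.append(path)
    return sorted(hits)


def companion_glob(dll_path):
    """Second path VundoFix asks for: the DLL's stem reversed, plus '.*'."""
    folder, name = dll_path.rsplit("\\", 1)
    stem = name.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"


def check_entered_paths(vundofix_txt):
    """Return 'Filepaths entered' values that are not drive-rooted. A path such
    as C:WINDOWS\\... is drive-relative on Windows (resolved against the current
    directory of drive C:), so a delete aimed at it need not touch C:\\WINDOWS."""
    bad = []
    for raw in vundofix_txt.splitlines():
        m = VUNDOFIX_ENTERED.match(raw.strip())
        if m and not DRIVE_ROOTED.match(m.group("path")):
            bad.append(m.group("path"))
    return bad


if __name__ == "__main__":
    for dll in vundo_candidates(SAMPLE_HJT_LOG):
        print("VundoFix first path: ", dll)
        print("VundoFix second path:", companion_glob(dll))
    for p in check_entered_paths(SAMPLE_VUNDOFIX_TXT):
        print("not drive-rooted, re-enter with a backslash after the colon:", p)
```

The path check is there because the vundofix.txt logs posted in this thread record the entered paths as C:WINDOWS\... rather than C:\WINDOWS\...; a "Deleted sucessfully" line next to a drive-relative path is worth checking against the next HijackThis log rather than trusting on its own.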

#9 mtlin

  • Topic Starter

  • Members
  • 18 posts

Posted 19 October 2005 - 11:50 AM

Hi JC,

My latest logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:19 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\awvvu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll (file missing)
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Incident Status Location

Spyware:spyware/media-motor No disinfected Windows Registry
Spyware:Spyware/Media-motor No disinfected C:\!KillBox\mm63.ocx
Adware:Adware/Mirar No disinfected C:\!KillBox\WinNB57.dll
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\ws.exe[is.exe]
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\ws2.exe[is.exe]

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\awvvu.dll

The second filepath entered was C:\WINDOWS\System32\uvvwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'

Killing PID 756 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\awvvu.dll Deleted sucessfully.
C:\WINDOWS\System32\uvvwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Thanks!

mtlin

#10 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 19 October 2005 - 02:28 PM

Looks better. Let's do a little more clean-up and we will see where we end up with your next log.
Let me know if you are experiencing any remaining problems.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.

1. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\awvvu.dll (file missing)
O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll (file missing)


Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


2. Since you mentioned that you had already installed Ad-aware and Spybot, please update and perform a full scan with both programs. Remove any objects found.

Before the scans, make sure both programs are configured as described in the following tutorials:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Restart your computer.

Please reply to this post with a new HiJackThis log.

Thanks,

Edited by Joshuacat, 19 October 2005 - 03:04 PM.

JC
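The two entries JC lists above are registrations whose file is already gone. As an added example that is not part of this thread, the following Python triage script parses HijackThis-style lines (the sample log is constructed, modelled on the lines quoted in this thread) and flags such dangling entries, autostart commands that give no absolute path, and legacy RunServices keys, then groups the load points registered for the same file:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the HijackThis 1.99.1 lines quoted in this
# thread; it is not the poster's full log.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\\WINDOWS\\System32\\awvvu.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\RunServices: [MS Technology] mswint2k.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O20 - Winlogon Notify: awvvu - C:\\WINDOWS\\System32\\awvvu.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\System32\\Ati2evxx.exe
"""

# "O2 - <body>", "R0 - <body>", ...; everything else in the log is skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# O4 registry entries: "<hive>\..\<key>: [<value name>] <command line>"
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First backslash-delimited Windows path ending in a PE-style extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%\w+%)\\[^\"\n]*?\.(?:exe|dll|ocx|cpl|sys)", re.IGNORECASE)
# Command starts with a drive letter, an environment variable or a UNC prefix.
ABS_CMD_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\|\\\\)')
FILE_MISSING = "(file missing)"


@dataclass
class Entry:
    kind: str                     # HJT section, e.g. "O2", "O4", "O20"
    body: str                     # text after the "O2 - " prefix
    path: Optional[str]           # file the entry points at, if parsable
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis scan lines into Entry records."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("kind"), body, path.group(0) if path else None))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach review flags. Heuristics only: a flag means 'look at this', not 'malware'."""
    if FILE_MISSING in entry.body:
        # The registration outlived its file (e.g. after a removal tool deleted it):
        # a dangling load point that HJT's "Fix checked" can clear.
        entry.flags.append("dangling: registered file is missing")
    if entry.kind == "O4":
        m = O4_REG_RE.match(entry.body)
        if m:
            if not ABS_CMD_RE.match(m.group("cmd")):
                # A bare filename is resolved through the PATH search order,
                # so the log alone does not say which file actually runs.
                entry.flags.append("bare filename: no absolute path in autostart command")
            if m.group("key") == "RunServices":
                entry.flags.append("RunServices: legacy Windows 9x autostart key")
    return entry


def review(text: str) -> List[Entry]:
    """Parse and triage a log, returning only the entries that picked up a flag."""
    return [e for e in map(triage, parse_hjt(text)) if e.flags]


def group_by_file(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map file basename -> HJT sections registering it, so several load points
    for one DLL (here a BHO and a Winlogon Notify hook) are reviewed together."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        if e.path:
            name = e.path.rsplit("\\", 1)[-1].lower()
            groups.setdefault(name, []).append(e.kind)
    return groups


if __name__ == "__main__":
    flagged = review(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.kind:<4} {e.body}\n     -> {'; '.join(e.flags)}")
    print("load points per file:", group_by_file(flagged))
```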

#11 mtlin

mtlin
  • Topic Starter

  • Members
  • 18 posts

Posted 20 October 2005 - 06:34 PM

Hi JC,

My computer still exhibits a couple of behaviors that concern me. Primarily, when I restart the computer, programs in my system tray (e.g., Google Desktop, Task Manager, and the connections tray) often hang, and I have to tell Windows to end an unresponsive program. Second, Windows sometimes hangs when I'm shutting down, when it says that it is saving my settings or logging off. Also, AVG found a ton of viruses yesterday in Killbox files.

Here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:27:58 PM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76C7308-7DCB-4A0B-9F71-27C906C760CA}: NameServer = 209.226.175.223 198.235.216.134
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for all your help!

Best,

mtlin

#12 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 October 2005 - 08:12 PM

mtlin: The killbox folder contains back-ups of the files that we removed earlier. They are there for back-up purposes and can be removed after your computer is clean. I am actually glad that AVG picked them up; it shows me it is working. :thumbsup: Did you use to have Norton AntiVirus on your computer? A remnant of it shows in your log. I am not actually sure why you are getting the lock-ups. Let's try a different log that shows a little more than HijackThis....

Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

You could also try running a defrag within safe mode to clean up your drive.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.

Please reply back with the Silent Runners Log.
JC

#13 mtlin

mtlin
  • Topic Starter

  • Members
  • 18 posts

Posted 21 October 2005 - 12:36 PM

Hi JC,

Yes, I used to use Norton AV. I hated it so I got rid of it and added AVG. I had a lot of trouble uninstalling Norton, so I'm not surprised that bits of it survived. Here is my silent runner log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nTrayFw" = "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" ["NVIDIA Corporation"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "Martin Lin" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"M-Audio Ozone Control Panel Launcher" -> shortcut to: "C:\Program Files\M-Audio Ozone\OZTask.exe" ["M-Audio"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Martin Lin" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 23
%SystemRoot%\system32\mswsock.dll [MS], 03 - 06, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

app_filter, app_filter, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe" [empty string]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ForceWare IP service, nSvcIp, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe" [null data]
ForceWare user log service, nSvcLog, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe" [null data]
Forceware Web Interface, ForcewareWebInterface, ""C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Ozone Installer, OzoneInstallerService, "C:\Program Files\M-Audio Ozone\Install\Ozinst.exe" ["Nemesis"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 85 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 7 seconds.
---------- (total run time: 110 seconds)

Thanks!

mtlin

#14 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 21 October 2005 - 02:00 PM

mtlin: There wasn't anything showing in your HJT or the Silent Runners logs.

There are automated tools to get rid of Norton. I am not 100% sure that this is causing your lock-ups.
It could be any combination of things that you have loaded. I would suggest that you give the automated process a try.

Automated removal tools can be found here:

Post 2003 products
Pre 2003 products

Why don't we run a couple more scans to see if anything is picked up.
  • Please update and perform a full scan with Ad-aware and Spybot. Remove any objects found.
    Let me know if anything was found.
  • Please run ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.
Let me know if anything was found with the Spybot and Ad-aware scans.

JC

#15 mtlin

mtlin
  • Topic Starter

  • Members
  • 18 posts

Posted 29 October 2005 - 06:53 PM

Hi JC,

Spybot and Ad-Aware didn't find anything. Here are my latest logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:35 AM, on 10/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MS Technology] mswint2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [MS Technology] mswint2k.exe
O4 - HKCU\..\Run: [MS Technology] mswint2k.exe
O4 - HKCU\..\RunServices: [MS Technology] mswint2k.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129861339828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130177969250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{283DEFC0-7EEF-4DDA-9AFE-6244F3A2392D}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{29629DAC-EA99-479F-9546-78B76C57E9C7}: NameServer = 209.226.175.223,198.235.216.134
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Incident                          Status          Location

Spyware:spyware/media-motor       No disinfected  Windows Registry
Spyware:Spyware/Media-motor       No disinfected  C:\!KillBox\mm63.ocx
Spyware:Spyware/Media-motor       No disinfected  C:\!KillBox\unstall.exe
Adware:Adware/Mirar               No disinfected  C:\!KillBox\WinNB57.dll
Spyware:Spyware/Virtumonde        No disinfected  C:\!KillBox\ws.exe[is.exe]
Spyware:Spyware/Virtumonde        No disinfected  C:\!KillBox\ws2.exe[is.exe]
Virus:W32/Sdbot.ftp               Disinfected     C:\WINDOWS\system32\i
Virus:W32/Sdbot.FMM.worm          Disinfected     C:\WINDOWS\system32\mswint2k.exe


Thanks for your help!

mtlin
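The tell in the log above is the "MS Technology" entry: a bare filename, mswint2k.exe, with no path, registered under HKLM Run, HKLM RunServices, HKCU Run and HKCU RunServices at once, and later named by the Panda scan as W32/Sdbot.FMM.worm. Below is an added example, not part of the original post and not HijackThis code, of a small Python triage script that applies that reading to O4 lines. The sample lines are copied from the log above (no extra entries are constructed); the three heuristics and the "three or more locations" threshold are this example's own assumptions, not HijackThis rules.

```python
"""Flag suspicious O4 (autostart) entries in a HijackThis log.

Added example, not from the original post. Heuristics (assumptions of
this script, not HijackThis logic):
  NO_PATH          bare filename, resolved through the search path, so the
                   log cannot tell you which file actually runs;
  RUNSERVICES      the RunServices key is a Windows 9x key that NT-based
                   Windows (2000/XP) never processes, so a 2005-era XP
                   entry there is typical of malware spraying every key;
  MULTI_AUTOSTART  the same program registered in >= 3 autostart locations.
"""
import re
from collections import defaultdict

# Copied from the HijackThis log in the post above (not constructed).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MS Technology] mswint2k.exe
O4 - HKLM\..\RunServices: [MS Technology] mswint2k.exe
O4 - HKCU\..\Run: [MS Technology] mswint2k.exe
O4 - HKCU\..\RunServices: [MS Technology] mswint2k.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Registry autostart: "O4 - HKLM\..\Run: [name] command"
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup folder: "O4 - Global Startup: foo.lnk = C:\path\foo.exe"
O4_DIR = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")

EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll")
MULTI_THRESHOLD = 3  # assumption: 3+ autostart locations is worth a look


def executable(cmd: str) -> str:
    """Return the program part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    # Unquoted paths with spaces: accumulate tokens until one ends in an
    # executable extension, mirroring how CreateProcess walks candidates.
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def parse_o4(log_text: str):
    """Yield (location, entry name, program) for every O4 line."""
    for line in log_text.splitlines():
        m = O4_REG.match(line)
        if m:
            yield f"{m.group(1)}\\{m.group(2)}", m.group("name"), executable(m.group("cmd"))
            continue
        m = O4_DIR.match(line)
        if m:
            # .lnk targets are listed as a plain path, spaces and all.
            yield m.group("where"), m.group("name"), m.group("cmd").strip()


def analyze(log_text: str) -> dict:
    """Return {program (lowercased): {"locations": [...], "flags": [...]}}
    for programs that trip at least one heuristic."""
    entries = defaultdict(lambda: {"locations": [], "flags": set()})
    for location, _name, exe in parse_o4(log_text):
        rec = entries[exe.lower()]
        rec["locations"].append(location)
        if "\\" not in exe and "/" not in exe:
            rec["flags"].add("NO_PATH")
        if location.endswith("RunServices"):
            rec["flags"].add("RUNSERVICES")
    for rec in entries.values():
        if len(rec["locations"]) >= MULTI_THRESHOLD:
            rec["flags"].add("MULTI_AUTOSTART")
    return {
        exe: {"locations": rec["locations"], "flags": sorted(rec["flags"])}
        for exe, rec in entries.items()
        if rec["flags"]
    }


if __name__ == "__main__":
    for exe, rec in analyze(SAMPLE_LOG).items():
        print(f"{exe}: {', '.join(rec['flags'])}")
        for loc in rec["locations"]:
            print(f"    {loc}")
```

Run against the sample, only mswint2k.exe is reported, with all three flags and four locations; the Google Desktop, KernelFaultCheck and Adobe Gamma entries pass because they carry a path, sit in a key XP actually honours, and appear once. A hit is a reason to look at the file (hash it, check its signer, submit it to a scanner), not proof of infection on its own.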
