
Virtumondo.c


  • This topic is locked
10 replies to this topic

#1 pupil82

pupil82

  • Members
  • 6 posts
  • OFFLINE
  • Location:Bridgeport, WV
  • Local time:02:01 AM

Posted 20 February 2006 - 05:51 PM

Hello,
I have Norton 2006,
Spybot S&D 1.4,
Ad-Aware SE,
Registry Mechanic 5,
System Mechanic 6,
and Windows Defender Beta 2.
I have found virtumondo.c with Defender and it will not go away.
Here is my HijackThis log.
If you can, please help.
Thanks,
Dan

Logfile of HijackThis v1.99.1
Scan saved at 5:44:15 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Daniel Desmond.DANEBOY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/cgi-bin/mwwod.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] c:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [System Startup] voltio.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...jsp?forceLoad=1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094684716796
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:03:01 PM

Posted 21 February 2006 - 05:17 AM

Hi and welcome to BleepingComputer.

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 pupil82

pupil82
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:Bridgeport, WV
  • Local time:02:01 AM

Posted 21 February 2006 - 01:22 PM

Hey Jet, I really appreciate it :thumbsup: Take as much time as you need.
Thanks,
Dan

#4 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:03:01 PM

Posted 23 February 2006 - 06:44 PM

Roger that.

----------------

Thanks for being patient.

==========================================================

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Please create a new folder on your Desktop by:
  • Right-click anywhere on your Desktop.
  • Select New Folder.
  • Name it as HJT.
Then place the HijackThis files in that folder. Run it there from now on.

==========================================================

Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt on your next reply.
==========================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

O4 - HKLM\..\Run: [System Startup] voltio.exe
O4 - HKLM\..\RunServices: [System Startup]
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...jsp?forceLoad=1


After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

==========================================================

Show Hidden Files and Folders
  • Click Start.
  • Open My Computer.
  • Click the Tools menu.
  • Click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
==========================================================

Boot into Safe Mode. Please restart your computer and as soon as it starts to boot, tap F8 repeatedly. A menu should appear, select Safe Mode from the menu and then hit Enter on your keyboard. (this will take a while, so don't worry, just wait)

==========================================================

Delete Files and Folders

Please click Start > Search > For Files and Folders, and then search for and delete this file:
  • voltio.exe
NOTE: Please let us know if there were any files or folders that you couldn't delete or find.

==========================================================

Restart back to Normal now.

==========================================================

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Save the log file created to your Desktop.
==========================================================

Please post this log(s) on your next reply:
  • HijackThis (new)
  • Panda
  • VundoFix log (C:\vundofix.txt)
Please also provide details of any problems you encountered while performing the above steps and update us on how the computer behaves now.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#5 pupil82

pupil82
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:Bridgeport, WV
  • Local time:02:01 AM

Posted 24 February 2006 - 02:45 PM

Hey, here it is.
For some reason it unregistered my Norton, but I can fix that.
These are the results:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:49 PM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\Daniel Desmond.DANEBOY\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/cgi-bin/mwwod.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] c:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094684716796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Here is the Panda log:

Incident Status Location

Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5229df01-144d518f.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv478.jar-22c6c7bd-20edaeb3.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv478.jar-22c6c7bd-20edaeb3.zip[Matrix.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv527.jar-4f16b062-11581b5f.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv527.jar-4f16b062-11581b5f.zip[Matrix.class]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ad.yieldmanager[3].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@adopt.hbmediapro[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ads.pointroll[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@adultfriendfinder[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@adultfriendfinder[3].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ath.belnk[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@azjmp[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@banners.searchingbooth[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@banner[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@banner[3].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@belnk[1].txt
Spyware:Cookie/Allthatsearch Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@BigBlue[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@casalemedia[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@com[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@dist.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@dist.belnk[3].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@i.screensavers[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@kinghost[3].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@maxserving[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@microsofteup.112.2o7[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@paypopup[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@searchportal.information[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@serving-sys[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@stats1.reliablestats[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@stats1.reliablestats[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@target[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@www.burstbeacon[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@zedo[2].txt
Virus:JS/Exploit.C Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\8TUVOT6N\bag[1].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\8TUVOT6N\fillmemadv640[1].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[1].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[2].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[3].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[4].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[5].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[6].htm
Virus:Exploit/BodyOnLoad Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Local Settings\Temporary Internet Files\Content.IE5\AH5IF210\fillmemadv640[7].htm
Virus:Trj/Downloader.FNP Not disinfected C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll
Virus:Trj/Zapchast.D Not disinfected C:\WINDOWS\system32\c.bat
Virus:W32/Sasser.ftp Not disinfected C:\WINDOWS\system32\cmd.ftp


Here is the VundoFix log:



VundoFix V4.2.26
Scan started at 11:32:31 PM 2/23/2006

Listing files found while scanning....

C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp

C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.tmp Has been deleted!

Performing Repairs to the registry.
Done!


I hope everything works. Thanks!

When I ran a search for voltio.exe I could not find any :( but it might have been deleted, I do not know.

#6 pupil82
  • Topic Starter
  • Members
  • 6 posts
  • Location:Bridgeport, WV
  • Local time:02:01 AM

Posted 24 February 2006 - 03:33 PM

Just as a side note: I ran some scans and I could not find the virtumondo.c any more, though.

#7 Jag11
  • Members
  • 1,027 posts
  • Location:127.0.0.1
  • Local time:03:01 PM

Posted 25 February 2006 - 04:59 AM

http://www.bleepingcomputer.com/forums/ind...=0&#entry243033

Very good, pupil82, everything in the plan worked. We've got Vundo out; we'll just do a cleanup now and get rid of the items that Panda found.

Oh, and before I forget: you said Norton unregistered itself. If you want, you can just use AVG Free. I use it and it's free, but the choice is yours.

Also, do you use PartyPoker? OK, on to the fix...

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

==========================================================

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.

==========================================================

Boot into Safe Mode and delete these files:

C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll
C:\WINDOWS\system32\c.bat
C:\WINDOWS\system32\cmd.ftp

==========================================================

Restart back to Normal.

==========================================================

Scan with Panda again, and then post the new results here along with a new HijackThis log.

Also tell us how the computer is running now.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#8 pupil82
  • Topic Starter
  • Members
  • 6 posts
  • Location:Bridgeport, WV
  • Local time:02:01 AM

Posted 26 February 2006 - 06:52 PM

Hello, sorry it took so long.
I tried PartyPoker but I do not use it any more.
Also, I did not find \WINDOWS\Downloaded Program Files\miniclipGameLoader.dll.
Here are my scans:

Logfile of HijackThis v1.99.1
Scan saved at 6:50:15 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\runservice.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel Desmond.DANEBOY\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/cgi-bin/mwwod.pl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] c:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094684716796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe



Incident Status Location

Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5229df01-144d518f.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv478.jar-22c6c7bd-20edaeb3.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv478.jar-22c6c7bd-20edaeb3.zip[Matrix.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv527.jar-4f16b062-11581b5f.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv527.jar-4f16b062-11581b5f.zip[Matrix.class]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@adrevolver[3].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@adultfriendfinder[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ath.belnk[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@casalemedia[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@dist.belnk[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@i.screensavers[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@kinghost[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@microsofteup.112.2o7[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@paypopup[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@realmedia[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@stats1.reliablestats[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@target[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Daniel Desmond.DANEBOY\Cookies\daniel desmond@www.burstbeacon[2].txt


I did run an AVG scan to see, and it got rid of one thing for me.
The performance is a little faster, and the pop-ups are totally gone.
Thanks!
Dan

#9 pupil82
  • Topic Starter
  • Members
  • 6 posts
  • Location:Bridgeport, WV
  • Local time:02:01 AM

Posted 09 March 2006 - 04:28 PM

Should I close this at all? I am not sure what to do; I didn't know if I am fixed.
Thanks
Dan

#10 Jag11
  • Members
  • 1,027 posts
  • Location:127.0.0.1
  • Local time:03:01 PM

Posted 31 March 2006 - 12:17 AM

I'm very sorry for the delay, pupil.
I lost my email notification for this topic, so I was not able to check it again.

===================================================

Go to Start > Run > type: regsvr32 /u occache.dll > OK

===================================================

Clear Java's Cache
  • Go to Start > Control Panel > Java.
  • Under Temporary Internet Files, click on the Delete Files button.
  • Tick all 3 boxes, and then click OK.
  • Let it finish, and then click OK to exit.
===================================================

Clear IE's Cookies
  • Open Internet Explorer.
  • Click Tools > Internet Options.
  • Click the Delete Cookies button, then click OK.
  • Then click OK to exit.
===================================================

Find and delete:

C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll

===================================================

Go to Start > Run > type: regsvr32 occache.dll > OK

===================================================

Then please post a new HJT log.
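The two manual cleanup lists above (post #7: fix the empty R0 "Local Page" values and delete the three files Panda flagged; post #10: unregister occache.dll, delete the ActiveX cache DLL, clear the Java cache and IE cookies, re-register occache.dll) can be scripted so that every file is hashed and logged before it is deleted, which is the one thing the manual steps do not give you. The script below is an added example and is not Jag11's or BleepingComputer's code. It assumes PowerShell 2.0 or later on the affected XP machine, an Administrator account, and the Java cache and cookie locations shown in the Panda results above; the -DryRun switch, the log file name and the function names are the example's own.

```powershell
# Added example, not from the original thread: evidence-preserving version of the
# cleanup steps in posts #7 and #10. Assumes PowerShell 2.0+, run as Administrator.
param(
    [switch]$DryRun,                                                 # assumed switch: report only
    [string]$LogPath = (Join-Path $env:USERPROFILE 'Desktop\cleanup-log.txt')
)

# Files the helper asked to delete, with the Panda detection names from the thread.
$Targets = @(
    "$env:windir\Downloaded Program Files\miniclipGameLoader.dll",  # Trj/Downloader.FNP
    "$env:windir\system32\c.bat",                                   # Trj/Zapchast.D
    "$env:windir\system32\cmd.ftp"                                  # W32/Sasser.ftp
)

function Write-Log([string]$Line) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogPath -Value "$stamp $Line"
    Write-Host $Line
}

# SHA-1 via .NET so the same code works on XP-era PowerShell (no Get-FileHash there).
function Get-Sha1([string]$Path) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Record size, timestamp and hash, then delete. A file that cannot be opened or
# removed is usually still loaded by the malware: repeat that step from Safe Mode.
function Remove-WithRecord([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { Write-Log "ABSENT  $Path"; return }
    try {
        $item = Get-Item -LiteralPath $Path -Force
        $hash = Get-Sha1 $Path
        Write-Log ("FOUND   {0} size={1} mtime={2:u} sha1={3}" -f $Path, $item.Length, $item.LastWriteTime, $hash)
        if ($DryRun) { return }
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Log "DELETED $Path"
    } catch {
        Write-Log "LOCKED  $Path ($($_.Exception.Message))"
    }
}

# Empty a cache directory file by file so one locked file does not stop the rest.
function Clear-Directory([string]$Dir, [string]$Filter = '*') {
    if (-not (Test-Path -LiteralPath $Dir)) { Write-Log "ABSENT  $Dir"; return }
    Get-ChildItem -LiteralPath $Dir -Recurse -Force -Filter $Filter |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Remove-WithRecord $_.FullName }
}

Write-Log "=== cleanup started (DryRun=$DryRun) ==="

# Post #7: the two empty R0 "Local Page" values that HijackThis listed.
foreach ($hive in 'HKCU', 'HKLM') {
    $key   = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['Local Page']) {
        Write-Log ("FOUND   {0}\Local Page = '{1}'" -f $key, $props.'Local Page')
        if (-not $DryRun) {
            Remove-ItemProperty -Path $key -Name 'Local Page'
            Write-Log "DELETED $key\Local Page"
        }
    } else {
        Write-Log "ABSENT  $key\Local Page"
    }
}

# Post #10: unregister occache.dll around the delete, exactly as the helper did.
$occache = "$env:windir\system32\occache.dll"
if (-not $DryRun) { Start-Process regsvr32.exe -ArgumentList "/u /s `"$occache`"" -Wait }
foreach ($t in $Targets) { Remove-WithRecord $t }
if (-not $DryRun) { Start-Process regsvr32.exe -ArgumentList "/s `"$occache`"" -Wait }

# Post #10: Java deployment cache (Exploit/ByteVerify jars) and IE cookies (*.txt).
Clear-Directory (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache')
Clear-Directory ([Environment]::GetFolderPath('Cookies')) '*.txt'

Write-Log "=== cleanup finished; log at $LogPath ==="
```

Save it as cleanup.ps1 and run `powershell -ExecutionPolicy Bypass -File cleanup.ps1 -DryRun` first; the log then shows which of the named files actually exist (pupil82 reported miniclipGameLoader.dll missing, and the script records that as ABSENT rather than failing). Run it again without -DryRun from Safe Mode if any entry comes back LOCKED. The occache.dll unregister/register pair is kept because that DLL provides Explorer's special view of the Downloaded Program Files folder; with it unregistered the folder behaves like an ordinary directory, which is why the helper brackets the delete with those two regsvr32 calls.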

#11 Jag11
  • Members
  • 1,027 posts
  • Location:127.0.0.1
  • Local time:03:01 PM

Posted 07 April 2006 - 07:30 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Jet Ian