Zblob Virus Assumed


  • This topic is locked
25 replies to this topic

#1 Element

Element

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 23 July 2006 - 12:51 AM

Well.
I got the virus.
I killed a lot of it with Ad-Aware SE Personal, Avast Anti-virus (60 day free trial >_>)... and that's all.
My homepage is STILL at.. www.sysprotectionpage.net

And here is my Hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 12:42:01 AM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ws2ifsl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\ismon.exe
C:\WINDOWS\System32\isnotify.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trillian\trillian.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Patton\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\System32\pmnqguh.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Winsock2 IFS Layer (ws2ifsl) - Unknown owner - C:\WINDOWS\ws2ifsl.exe

Eh. I think I should also mention that, for some reason, I'm unable to open the command menu thing (Ctrl-Alt-Delete). When I do that, it just goes away as soon as it appears...
And there is a pop-up at the bottom of my Windows XP, which is the virus thing, saying I should go to a certain site to remove the spyware.

Edited by KoanYorel, 23 July 2006 - 01:18 AM.


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:44 PM

Posted 23 July 2006 - 05:46 AM

Welcome aboard.. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download SmitfraudFix © S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Do NOT do anything with it yet!

---

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Double-click sspsetup1.exe to install it.
  • Before installation it may ask you to check for program updates. Click YES.
    Then finish installation leaving all the default options.
  • Once the program is installed, it will ask if you wish to reboot now choose YES.
---

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


---

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

Do NOT reboot yet.

----
  • Then please launch SpySweeper, by double-clicking the icon on your desktop.
  • It will ask you if you want to run the Diagnostic version of SpySweeper. Click YES.
  • You will receive a prompt telling you it's running in Diagnostic version. Click OK.
  • Click Options on the left side (towards the bottom).
  • Click the Sweep tab.
  • Under Items to Sweep make sure the following are checked:
    • Windows registry
    • Memory objects
    • Cookies
    • Compressed Files
    • System Restore Folder
  • Under Other Options make sure the following are checked:
    • Sweep all user accounts
    • Enable Direct Disk Sweeping
    • Sweep for rootkits
  • Click OK. Click Start.
  • When it's done scanning, it will list any items found. Click Next.
  • Make sure everything found has a check next to it and click Next.
  • It will quarantine all items found.
  • Click Session Log in the lower left corner.
  • Click Save to File and save it on your desktop.
  • Close SpySweeper.
---

Now please reboot into Normal Windows.

A text file will appear on screen with results from the cleaning process; post that log here (the report can also be found at the root of the system drive, usually at C:\rapport.txt), along with the contents of the session log you saved, Spy Sweeper Session Log.txt. (If for some reason you didn't save the log, you can get to it by clicking Options on the left; View Session Log is then listed under Other Options.) :flowers:

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Hi there, stranger!

#3 Element

Element
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 23 July 2006 - 03:22 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:18:00 PM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Patton\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Winsock2 IFS Layer (ws2ifsl) - Unknown owner - C:\WINDOWS\ws2ifsl.exe


----------------------

SmitFraudFix v2.74

Scan done at 14:49:17.81, Sun 07/23/2006
Run from C:\Documents and Settings\Chris Patton\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\pmnqguh.dll -> Missing File


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\Documents and Settings\Chris Patton\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\CHRISP~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\CHRISP~1\STARTM~1\SpyQuake2.com 2.3.lnk Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Well then. I did all of that. Still in safe mode as I'm submitting this.
Going back to normal mode now.
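Added example, not code from this thread, from HijackThis or from SmitFraudFix: a Python first-pass triage of HijackThis v1.99 log lines, followed by a check of which flagged entries are still present in a second log. The constructed input is a subset of the lines posted in #1 (before the fix) and #3 (after the fix). The rules, the C:\WINDOWS install root, the explorer.exe allowance and the short System32 baseline are this example's own assumptions, not HijackThis scoring; a hit means "read this entry first", not "malware" (the ATI and NVIDIA components in the log will show up on the baseline rule exactly because the baseline is minimal).

```python
# Added example (not from the thread): triage HijackThis v1.99 log lines and
# report which flagged entries survive into a later log. The heuristics below
# are this example's own assumptions, not HijackThis rules.
import re
from pathlib import PureWindowsPath

# Assumptions (not from the page): XP install root, the one binary XP keeps
# directly in that root, and a minimal baseline of System32 core processes.
WINDIR = PureWindowsPath(r"C:\WINDOWS")
WINDIR_ROOT_OK = {"explorer.exe"}
SYSTEM32_BASELINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                     "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Constructed sample input: subsets of the lines posted in #1 (before the fix)
# and #3 (after the fix), copied from this thread.
PRE_FIX_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\ws2ifsl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\System32\pmnqguh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Winsock2 IFS Layer (ws2ifsl) - Unknown owner - C:\WINDOWS\ws2ifsl.exe
"""
POST_FIX_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Winsock2 IFS Layer (ws2ifsl) - Unknown owner - C:\WINDOWS\ws2ifsl.exe
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? -(?: (?P<src>\S.*))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def image_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def in_windir_root(path: PureWindowsPath) -> bool:
    return path.parent == WINDIR and path.name.lower() not in WINDIR_ROOT_OK


def triage(log: str) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for the lines a helper would read first."""
    findings, in_procs = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:                      # process list runs until a blank line
            if not line:
                in_procs = False
                continue
            p = PureWindowsPath(line)
            if in_windir_root(p):
                findings.append(("proc-in-windir-root", line))
            elif p.parent == WINDIR / "System32" and p.name.lower() not in SYSTEM32_BASELINE:
                findings.append(("proc-not-in-system32-baseline", p.name))
        elif line.startswith("R3 - ") and line.endswith("is missing"):
            findings.append(("urlsearchhook-missing", line.split(" - ", 1)[1]))
        elif (m := O4_RE.match(line)):      # autostart pointing straight into C:\WINDOWS
            p = PureWindowsPath(image_path(m["cmd"]))
            if in_windir_root(p):
                findings.append(("run-key-in-windir-root", f"[{m['name']}] {p}"))
        elif (m := O16_RE.match(line)):     # ActiveX entry with neither a name nor a source
            if not m["name"] and not m["src"]:
                findings.append(("dpf-no-name-no-source", m["clsid"]))
        elif line.startswith(("O20 - ", "O21 - ")) and line.endswith("(file missing)"):
            detail = line.split(" - ", 1)[1][: -len(" (file missing)")]
            findings.append(("shell-hook-file-missing", detail))
        elif (m := O23_RE.match(line)) and m["owner"] == "Unknown owner":
            findings.append(("service-unknown-owner", f"{m['name']} -> {m['path']}"))
    return findings


def persisted(before: str, after: str) -> list[tuple[str, str]]:
    """Flagged items from the first log that are still present in the second."""
    later = set(triage(after))
    return [f for f in triage(before) if f in later]


if __name__ == "__main__":
    for rule, detail in persisted(PRE_FIX_LOG, POST_FIX_LOG):
        print(f"still present after the fix: {rule:28} {detail}")
```

Run against the two sample logs, triage(PRE_FIX_LOG) flags the ws2ifsl.exe process and service, the [syshost] Run key, the nameless O16 entry, the O21 SSODL hook whose DLL is already gone, and the System32 processes outside the baseline; persisted() then shows that the fix cleared the SSODL hook and the extra processes but left the syshost Run key, the nameless DPF entry and the unknown-owner service in place, which is exactly the kind of follow-up a helper would ask for next.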

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:44 PM

Posted 23 July 2006 - 03:54 PM

Post the SpySweeper log as well (in normal mode -- NEVER connect to the internet in Safe Mode). :thumbsup:

#5 Element

Element
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 23 July 2006 - 07:51 PM

3:16 PM: Removal process completed. Elapsed time 00:01:18
3:15 PM: Quarantining All Traces: trojan-downloader-2pursuit
3:15 PM: Quarantining All Traces: spyware quake
3:15 PM: Quarantining All Traces: great net downloadware
3:15 PM: Quarantining All Traces: pub cookie
3:15 PM: Quarantining All Traces: coolsavings cookie
3:15 PM: Quarantining All Traces: toplist cookie
3:15 PM: Quarantining All Traces: mygeek cookie
3:15 PM: Quarantining All Traces: webtrends cookie
3:15 PM: Quarantining All Traces: goclick cookie
3:15 PM: Quarantining All Traces: adprofile cookie
3:15 PM: Quarantining All Traces: yadro cookie
3:15 PM: Quarantining All Traces: xiti cookie
3:15 PM: Quarantining All Traces: burstbeacon cookie
3:15 PM: Quarantining All Traces: videodome cookie
3:15 PM: Quarantining All Traces: trafficmp cookie
3:15 PM: Quarantining All Traces: tracking cookie
3:15 PM: Quarantining All Traces: dealtime cookie
3:15 PM: Quarantining All Traces: serving-sys cookie
3:15 PM: Quarantining All Traces: adjuggler cookie
3:15 PM: Quarantining All Traces: reunion cookie
3:15 PM: Quarantining All Traces: pricegrabber cookie
3:15 PM: Quarantining All Traces: popuptraffic cookie
3:15 PM: Quarantining All Traces: partypoker cookie
3:15 PM: Quarantining All Traces: offeroptimizer cookie
3:15 PM: Quarantining All Traces: nextag cookie
3:15 PM: Quarantining All Traces: realmedia cookie
3:15 PM: Quarantining All Traces: monstermarketplace cookie
3:15 PM: Quarantining All Traces: military cookie
3:15 PM: Quarantining All Traces: ic-live cookie
3:15 PM: Quarantining All Traces: screensavers.com cookie
3:15 PM: Quarantining All Traces: hypertracker.com cookie
3:15 PM: Quarantining All Traces: clickandtrack cookie
3:15 PM: Quarantining All Traces: starware.com cookie
3:15 PM: Quarantining All Traces: gamespy cookie
3:15 PM: Quarantining All Traces: fe.lea.lycos.com cookie
3:15 PM: Quarantining All Traces: ru4 cookie
3:15 PM: Quarantining All Traces: go.com cookie
3:15 PM: Quarantining All Traces: did-it cookie
3:15 PM: Quarantining All Traces: overture cookie
3:15 PM: Quarantining All Traces: exitexchange cookie
3:15 PM: Quarantining All Traces: classmates cookie
3:15 PM: Quarantining All Traces: 2o7.net cookie
3:15 PM: Quarantining All Traces: casalemedia cookie
3:15 PM: Quarantining All Traces: burstnet cookie
3:15 PM: Quarantining All Traces: banner cookie
3:15 PM: Quarantining All Traces: banners cookie
3:15 PM: Quarantining All Traces: searchingbooth cookie
3:15 PM: Quarantining All Traces: a cookie
3:15 PM: Quarantining All Traces: azjmp cookie
3:15 PM: Quarantining All Traces: atwola cookie
3:15 PM: Quarantining All Traces: belnk cookie
3:15 PM: Quarantining All Traces: ask cookie
3:15 PM: Quarantining All Traces: askmen cookie
3:15 PM: Quarantining All Traces: tacoda cookie
3:15 PM: Quarantining All Traces: cc214142 cookie
3:15 PM: Quarantining All Traces: belointeractive cookie
3:15 PM: Quarantining All Traces: specificclick.com cookie
3:15 PM: Quarantining All Traces: hotbar cookie
3:15 PM: Quarantining All Traces: hbmediapro cookie
3:15 PM: Quarantining All Traces: adlegend cookie
3:15 PM: Quarantining All Traces: adknowledge cookie
3:15 PM: Quarantining All Traces: adecn cookie
3:15 PM: Quarantining All Traces: yieldmanager cookie
3:15 PM: Quarantining All Traces: about cookie
3:15 PM: Quarantining All Traces: websponsors cookie
3:15 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST346.tmp". Reason: The system cannot find the file specified
3:15 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
3:15 PM: Quarantining All Traces: websearch toolbar
3:15 PM: Quarantining All Traces: trojan-downloader-exfol
3:15 PM: Quarantining All Traces: trojan-downloader-moneymind
3:15 PM: Quarantining All Traces: virtumonde
3:15 PM: Quarantining All Traces: trojan agent winlogonhook
3:15 PM: Quarantining All Traces: winad
3:15 PM: Quarantining All Traces: ist yoursitebar
3:15 PM: Quarantining All Traces: ist software
3:14 PM: Quarantining All Traces: neededware
3:14 PM: Removal process initiated
3:14 PM: Traces Found: 153
3:14 PM: Full Sweep has completed. Elapsed time 00:21:38
3:14 PM: File Sweep Complete, Elapsed Time: 00:20:28
3:13 PM: Warning: Access violation at address 00401D58 in module 'SpySweeper.exe'. Read of address 7F8E000C
3:13 PM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
3:13 PM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C



(It repeats this for the LARGE majority of the Summary.)
I erased a lot of the repeats, since the Summary file size was about 212KB. Now (I got rid of all but 1) it is 18KB.


3:13 PM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
3:13 PM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
3:11 PM: Warning: Stream read error
3:10 PM: down.cab (ID = 87539)
3:10 PM: Warning: Stream read error
3:10 PM: Warning: Stream read error
3:10 PM: Warning: Stream read error
3:09 PM: osd4c.osd (ID = 70665)
3:09 PM: osd15.osd (ID = 70665)
3:09 PM: osd15.osd (ID = 70665)
3:09 PM: gc309.cnf (ID = 299109)
3:09 PM: Found Trojan Horse: trojan-downloader-2pursuit
3:07 PM: Warning: Failed to open file "c:\documents and settings\chris patton\recent\brandi1.lnk". The operation completed successfully
3:07 PM: Warning: Failed to open file "c:\documents and settings\chris patton\recent\omg!.lnk". The operation completed successfully
3:01 PM: a0155327.ini (ID = 298068)
3:01 PM: Found Adware: spyware quake
3:01 PM: webinstall.exe (ID = 59312)
3:01 PM: Found Adware: great net downloadware
2:54 PM: winstat11.dat (ID = 70669)
2:53 PM: Starting File Sweep
2:53 PM: Warning: Failed to access drive A:
2:53 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
2:53 PM: shannon esopenko@www.burstbeacon[2].txt (ID = 2335)
2:53 PM: shannon esopenko@pub[1].txt (ID = 3205)
2:53 PM: Found Spy Cookie: pub cookie
2:53 PM: shannon esopenko@nextag[1].txt (ID = 5014)
2:53 PM: shannon esopenko@msnportal.112.2o7[1].txt (ID = 1958)
2:53 PM: shannon esopenko@microsofteup.112.2o7[1].txt (ID = 1958)
2:53 PM: shannon esopenko@ic-live[1].txt (ID = 2821)
2:53 PM: shannon esopenko@hypertracker[1].txt (ID = 2817)
2:53 PM: shannon esopenko@homepage.belointeractive[1].txt (ID = 2295)
2:53 PM: shannon esopenko@dist.belnk[2].txt (ID = 2293)
2:53 PM: shannon esopenko@coolsavings[1].txt (ID = 2465)
2:53 PM: Found Spy Cookie: coolsavings cookie
2:53 PM: shannon esopenko@classmates[2].txt (ID = 2384)
2:53 PM: shannon esopenko@burstnet[2].txt (ID = 2336)
2:53 PM: shannon esopenko@belointeractive[1].txt (ID = 2294)
2:53 PM: shannon esopenko@belnk[1].txt (ID = 2292)
2:53 PM: shannon esopenko@banner[1].txt (ID = 2276)
2:53 PM: shannon esopenko@atwola[1].txt (ID = 2255)
2:53 PM: shannon esopenko@ath.belnk[2].txt (ID = 2293)
2:53 PM: shannon esopenko@ads.belointeractive[1].txt (ID = 2295)
2:53 PM: shannon esopenko@ad.yieldmanager[2].txt (ID = 3751)
2:53 PM: chris patton@yieldmanager[2].txt (ID = 3749)
2:53 PM: chris patton@toplist[1].txt (ID = 3557)
2:53 PM: Found Spy Cookie: toplist cookie
2:53 PM: chris patton@tacoda[1].txt (ID = 6444)
2:53 PM: chris patton@mygeek[2].txt (ID = 3041)
2:53 PM: Found Spy Cookie: mygeek cookie
2:53 PM: chris patton@m.webtrends[2].txt (ID = 3669)
2:53 PM: Found Spy Cookie: webtrends cookie
2:53 PM: chris patton@exitexchange[2].txt (ID = 2633)
2:53 PM: chris patton@count2.exitexchange[1].txt (ID = 2634)
2:53 PM: chris patton@c.goclick[2].txt (ID = 2733)
2:53 PM: Found Spy Cookie: goclick cookie
2:53 PM: chris patton@anad.tacoda[2].txt (ID = 6445)
2:53 PM: chris patton@adprofile[2].txt (ID = 2084)
2:53 PM: Found Spy Cookie: adprofile cookie
2:53 PM: chris patton@adecn[1].txt (ID = 2063)
2:53 PM: chris patton@ad2.adecn[1].txt (ID = 2064)
2:53 PM: chris patton@ad.yieldmanager[1].txt (ID = 3751)
2:53 PM: andy patton@www.burstnet[2].txt (ID = 2337)
2:53 PM: andy patton@www.burstbeacon[1].txt (ID = 2335)
2:53 PM: andy patton@burstnet[2].txt (ID = 2336)
2:53 PM: mack@yieldmanager[1].txt (ID = 3749)
2:53 PM: mack@yadro[2].txt (ID = 3743)
2:53 PM: Found Spy Cookie: yadro cookie
2:53 PM: mack@xiti[1].txt (ID = 3717)
2:53 PM: Found Spy Cookie: xiti cookie
2:53 PM: mack@www.screensavers[1].txt (ID = 3298)
2:53 PM: mack@www.burstnet[1].txt (ID = 2337)
2:53 PM: mack@www.burstbeacon[1].txt (ID = 2335)
2:53 PM: Found Spy Cookie: burstbeacon cookie
2:53 PM: mack@videodome[1].txt (ID = 3638)
2:53 PM: Found Spy Cookie: videodome cookie
2:53 PM: mack@try.starware[1].txt (ID = 3442)
2:53 PM: mack@trafficmp[2].txt (ID = 3581)
2:53 PM: Found Spy Cookie: trafficmp cookie
2:53 PM: mack@tracking[1].txt (ID = 3571)
2:53 PM: Found Spy Cookie: tracking cookie
2:53 PM: mack@temp2.adecn[1].txt (ID = 2064)
2:53 PM: mack@tacoda[2].txt (ID = 6444)
2:53 PM: mack@stat.dealtime[2].txt (ID = 2506)
2:53 PM: Found Spy Cookie: dealtime cookie
2:53 PM: mack@spapps.go[2].txt (ID = 2729)
2:53 PM: mack@serving-sys[2].txt (ID = 3343)
2:53 PM: Found Spy Cookie: serving-sys cookie
2:53 PM: mack@rotator.adjuggler[2].txt (ID = 2071)
2:53 PM: Found Spy Cookie: adjuggler cookie
2:53 PM: mack@reunion[2].txt (ID = 3255)
2:53 PM: Found Spy Cookie: reunion cookie
2:53 PM: mack@register.go[2].txt (ID = 2729)
2:53 PM: mack@psc.disney.go[1].txt (ID = 2729)
2:53 PM: mack@pricegrabber[1].txt (ID = 3185)
2:53 PM: Found Spy Cookie: pricegrabber cookie
2:53 PM: mack@popuptraffic[2].txt (ID = 3163)
2:53 PM: Found Spy Cookie: popuptraffic cookie
2:53 PM: mack@partypoker[2].txt (ID = 3111)
2:53 PM: Found Spy Cookie: partypoker cookie
2:53 PM: mack@partygaming.122.2o7[1].txt (ID = 1958)
2:53 PM: mack@offeroptimizer[1].txt (ID = 3087)
2:53 PM: Found Spy Cookie: offeroptimizer cookie
2:53 PM: mack@nextag[2].txt (ID = 5014)
2:53 PM: Found Spy Cookie: nextag cookie
2:53 PM: mack@network.realmedia[2].txt (ID = 3236)
2:53 PM: Found Spy Cookie: realmedia cookie
2:53 PM: mack@msnportal.112.2o7[1].txt (ID = 1958)
2:53 PM: mack@monstermarketplace[1].txt (ID = 3006)
2:53 PM: Found Spy Cookie: monstermarketplace cookie
2:53 PM: mack@military[1].txt (ID = 2996)
2:53 PM: Found Spy Cookie: military cookie
2:53 PM: mack@microsoftwga.112.2o7[1].txt (ID = 1958)
2:53 PM: mack@microsofteup.112.2o7[1].txt (ID = 1958)
2:53 PM: mack@ic-live[1].txt (ID = 2821)
2:53 PM: Found Spy Cookie: ic-live cookie
2:53 PM: mack@i.screensavers[1].txt (ID = 3298)
2:53 PM: Found Spy Cookie: screensavers.com cookie
2:53 PM: mack@hypertracker[1].txt (ID = 2817)
2:53 PM: Found Spy Cookie: hypertracker.com cookie
2:53 PM: mack@homepage.belointeractive[1].txt (ID = 2295)
2:53 PM: mack@hits.clickandtrack[2].txt (ID = 2397)
2:53 PM: Found Spy Cookie: clickandtrack cookie
2:53 PM: mack@h.starware[2].txt (ID = 3442)
2:53 PM: Found Spy Cookie: starware.com cookie
2:53 PM: mack@go[1].txt (ID = 2728)
2:53 PM: mack@gamespy[2].txt (ID = 2719)
2:53 PM: Found Spy Cookie: gamespy cookie
2:53 PM: mack@fe.lea.lycos[1].txt (ID = 2660)
2:53 PM: Found Spy Cookie: fe.lea.lycos.com cookie
2:53 PM: mack@familyfun.go[1].txt (ID = 2729)
2:53 PM: mack@exitexchange[1].txt (ID = 2633)
2:53 PM: mack@entrepreneur.122.2o7[1].txt (ID = 1958)
2:53 PM: mack@edge.ru4[2].txt (ID = 3269)
2:53 PM: Found Spy Cookie: ru4 cookie
2:53 PM: mack@dist.belnk[1].txt (ID = 2293)
2:53 PM: mack@disney.go[2].txt (ID = 2729)
2:53 PM: Found Spy Cookie: go.com cookie
2:53 PM: mack@did-it[2].txt (ID = 2523)
2:53 PM: Found Spy Cookie: did-it cookie
2:53 PM: mack@dealnews.122.2o7[1].txt (ID = 1958)
2:53 PM: mack@data4.perf.overture[1].txt (ID = 3106)
2:53 PM: mack@data2.perf.overture[2].txt (ID = 3106)
2:53 PM: Found Spy Cookie: overture cookie
2:53 PM: mack@count2.exitexchange[1].txt (ID = 2634)
2:53 PM: mack@count1.exitexchange[1].txt (ID = 2634)
2:53 PM: mack@count.exitexchange[1].txt (ID = 2634)
2:53 PM: Found Spy Cookie: exitexchange cookie
2:53 PM: mack@compsimgames.about[1].txt (ID = 2038)
2:53 PM: mack@cnn.122.2o7[1].txt (ID = 1958)
2:53 PM: mack@classmates[1].txt (ID = 2384)
2:53 PM: Found Spy Cookie: classmates cookie
2:53 PM: mack@charmingshoppes.112.2o7[1].txt (ID = 1958)
2:53 PM: Found Spy Cookie: 2o7.net cookie
2:53 PM: mack@casalemedia[1].txt (ID = 2354)
2:53 PM: Found Spy Cookie: casalemedia cookie
2:53 PM: mack@burstnet[1].txt (ID = 2336)
2:53 PM: Found Spy Cookie: burstnet cookie
2:53 PM: mack@belointeractive[2].txt (ID = 2294)
2:53 PM: mack@belnk[2].txt (ID = 2292)
2:53 PM: mack@banner[1].txt (ID = 2276)
2:53 PM: Found Spy Cookie: banner cookie
2:53 PM: mack@banners[2].txt (ID = 2282)
2:53 PM: Found Spy Cookie: banners cookie
2:53 PM: mack@banners.searchingbooth[1].txt (ID = 3322)
2:53 PM: Found Spy Cookie: searchingbooth cookie
2:53 PM: mack@a[1].txt (ID = 2027)
2:53 PM: Found Spy Cookie: a cookie
2:53 PM: mack@azjmp[1].txt (ID = 2270)
2:53 PM: Found Spy Cookie: azjmp cookie
2:53 PM: mack@atwola[2].txt (ID = 2255)
2:53 PM: Found Spy Cookie: atwola cookie
2:53 PM: mack@ath.belnk[2].txt (ID = 2293)
2:53 PM: Found Spy Cookie: belnk cookie
2:53 PM: mack@ask[2].txt (ID = 2245)
2:53 PM: Found Spy Cookie: ask cookie
2:53 PM: mack@askmen[1].txt (ID = 2247)
2:53 PM: Found Spy Cookie: askmen cookie
2:53 PM: mack@animals.about[1].txt (ID = 2038)
2:53 PM: mack@ancienthistory.about[1].txt (ID = 2038)
2:53 PM: mack@anat.tacoda[1].txt (ID = 6445)
2:53 PM: mack@anad.tacoda[2].txt (ID = 6445)
2:53 PM: Found Spy Cookie: tacoda cookie
2:53 PM: mack@ads.cc214142[2].txt (ID = 2367)
2:53 PM: Found Spy Cookie: cc214142 cookie
2:53 PM: mack@ads.belointeractive[2].txt (ID = 2295)
2:53 PM: Found Spy Cookie: belointeractive cookie
2:53 PM: mack@adopt.specificclick[2].txt (ID = 3400)
2:53 PM: Found Spy Cookie: specificclick.com cookie
2:53 PM: mack@adopt.hotbar[2].txt (ID = 4207)
2:53 PM: Found Spy Cookie: hotbar cookie
2:53 PM: mack@adopt.hbmediapro[2].txt (ID = 2768)
2:53 PM: Found Spy Cookie: hbmediapro cookie
2:53 PM: mack@adlegend[1].txt (ID = 2074)
2:53 PM: Found Spy Cookie: adlegend cookie
2:53 PM: mack@adknowledge[2].txt (ID = 2072)
2:53 PM: Found Spy Cookie: adknowledge cookie
2:53 PM: mack@adecn[1].txt (ID = 2063)
2:53 PM: Found Spy Cookie: adecn cookie
2:53 PM: mack@ad.yieldmanager[1].txt (ID = 3751)
2:53 PM: Found Spy Cookie: yieldmanager cookie
2:53 PM: mack@about[2].txt (ID = 2037)
2:53 PM: Found Spy Cookie: about cookie
2:53 PM: mack@a.websponsors[2].txt (ID = 3665)
2:53 PM: Found Spy Cookie: websponsors cookie
2:53 PM: Starting Cookie Sweep
2:53 PM: Registry Sweep Complete, Elapsed Time:00:00:15
2:53 PM: HKU\WRSS_Profile_S-1-5-21-1935655697-436374069-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {686c970f-1d7d-4469-85d1-4b35763b56cc} (ID = 146456)
2:53 PM: Found Adware: websearch toolbar
2:53 PM: HKU\S-1-5-21-1935655697-436374069-725345543-1005\software\aupdate\ (ID = 1047116)
2:53 PM: Found Trojan Horse: trojan-downloader-exfol
2:53 PM: HKU\S-1-5-21-1935655697-436374069-725345543-1005\software\xjado\ (ID = 144725)
2:53 PM: Found Trojan Horse: trojan-downloader-moneymind
2:53 PM: HKLM\system\currentcontrolset\services\dp1112\ (ID = 1138322)
2:53 PM: Found Adware: virtumonde
2:53 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
2:53 PM: Found Trojan Horse: trojan agent winlogonhook
2:53 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
2:53 PM: Found Adware: winad
2:53 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
2:53 PM: Found Adware: ist yoursitebar
2:53 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (ID = 147854)
2:53 PM: Found Adware: ist software
2:53 PM: HKCR\typelib\{375743f3-736c-4377-86b6-06618f1cd726}\ (ID = 135853)
2:53 PM: HKCR\typelib\{7acd8c16-81e3-4b54-95d6-6e8d600654c3}\ (ID = 135852)
2:53 PM: HKLM\software\ndwserv030104\ (ID = 135849)
2:53 PM: HKLM\software\classes\typelib\{375743f3-736c-4377-86b6-06618f1cd726}\ (ID = 135838)
2:53 PM: HKLM\software\classes\typelib\{7acd8c16-81e3-4b54-95d6-6e8d600654c3}\ (ID = 135837)
2:53 PM: HKLM\software\classes\epxactivex.epxactivexctrl.1\ (ID = 135831)
2:53 PM: HKLM\software\classes\clsid\{84564147-251a-4f06-8fc5-8ae36b3a55ab}\ (ID = 135828)
2:53 PM: HKLM\software\classes\clsid\{687d80d2-17e5-40df-a5a9-426dc36b6ad1}\ (ID = 135826)
2:53 PM: HKLM\software\classes\clsid\{41aa3336-2d3f-4bc6-a06e-f8dcccd1a40a}\ (ID = 135822)
2:53 PM: HKLM\software\classes\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\version\ (ID = 135821)
2:53 PM: HKLM\software\classes\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\typelib\ (ID = 135820)
2:53 PM: HKLM\software\classes\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\ (ID = 135819)
2:53 PM: HKCR\epxactivex.epxactivexctrl.1\ (ID = 135812)
2:53 PM: HKCR\clsid\{84564147-251a-4f06-8fc5-8ae36b3a55ab}\ (ID = 135809)
2:53 PM: HKCR\clsid\{687d80d2-17e5-40df-a5a9-426dc36b6ad1}\ (ID = 135807)
2:53 PM: HKCR\clsid\{41aa3336-2d3f-4bc6-a06e-f8dcccd1a40a}\ (ID = 135803)
2:53 PM: HKCR\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\ (ID = 135802)
2:53 PM: Found Adware: neededware
2:52 PM: Starting Registry Sweep
2:52 PM: Memory Sweep Complete, Elapsed Time: 00:00:29
2:52 PM: Starting Memory Sweep
2:52 PM: Sweep initiated using definitions version 691
2:52 PM: Spy Sweeper 5.0.5.1286 started
2:52 PM: | Start of Session, Sunday, July 23, 2006 |
********
2:52 PM: | End of Session, Sunday, July 23, 2006 |
2:51 PM: Program Version 5.0.5.1286 Using Spyware Definitions 691
2:50 PM: Spy Sweeper 5.0.5.1286 started
2:50 PM: | Start of Session, Sunday, July 23, 2006 |
********

Edited by Element, 23 July 2006 - 07:57 PM.


#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 24 July 2006 - 03:51 AM

Alrighty.. Go ahead and delete SmitFraudFix and uninstall SpySweeper if you wish. :thumbsup:

---

Please run a scan with HijackThis and check the following object for removal if present:

O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

---

Next, please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
rem Stop the "Winsock2 IFS Layer" service (service name ws2ifsl), then remove its registration so it no longer starts with Windows
sc stop "Winsock2 IFS Layer"
sc delete ws2ifsl


Double-click on Removeservice.bat. A window will pop up and close. This is normal. Reboot the computer.

---

After the reboot, navigate to and delete the following files if present:

C:\WINDOWS\syshost.exe
C:\WINDOWS\ws2ifsl.exe


Empty recycle bin.

---

Rename HijackThis.exe to Scan.exe or something similar, then post back with a fresh log. :flowers:
Hi there, stranger!

#7 Element

Element
  • Topic Starter

  • Members
  • 25 posts

Posted 24 July 2006 - 04:45 AM

Logfile of HijackThis v1.99.1
Scan saved at 4:43:47 AM, on 7/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Patton\Desktop\Scan.exe.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22B37DD2-A389-448A-997A-3A0E8BC6FB42} - C:\WINDOWS\System32\gebyy.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\putwfdrd.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll
O20 - Winlogon Notify: infowin - C:\WINDOWS\AppPatch\infowin.dll
O20 - Winlogon Notify: sdrv - c:\windows\system\sdrv.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Why does ws2ifsl.exe keep regenerating itself? I've deleted it; it reappears. I've hacked up its coding; it reappears. >_<
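As an added illustration (not code from this thread, from HijackThis or from any of the tools named here), the Python script below applies the same reading of a HijackThis log that the helper does in this thread: it parses the O2, O4, O16 and O20 lines, flags unnamed BHOs, binaries dropped in the Windows root rather than System32, the nameless ActiveX entry and Winlogon Notify hooks outside an allowlist, and reports any DLL registered as both a BHO and a Notify hook, the pairing that lets a deleted file come back. The sample log is constructed from lines posted in this thread; the WRNotifier allowlist entry is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread, with benign entries mixed in.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22B37DD2-A389-448A-997A-3A0E8BC6FB42} - C:\WINDOWS\System32\gebyy.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# One pattern per HijackThis section that the fixes in this thread touch.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Assumed allowlist: WRNotifier is Webroot Spy Sweeper's logon hook, which this user installed on purpose.
KNOWN_NOTIFY = {"wrnotifier"}


@dataclass
class Entry:
    section: str          # O2, O4, O16 or O20
    line: str             # the original log line
    name: str             # BHO/ActiveX name, Run value name, or Notify key
    target: str           # file path, executable, or download URL
    missing: bool = False  # HijackThis reported "(file missing)"


def first_path(command: str) -> str:
    """Executable path from a Run value, with quotes and arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.strip().strip('"').lower().rpartition("\\")[2]


def in_windows_root(path: str) -> bool:
    # System binaries belong in System32; a loose .exe/.dll directly in C:\WINDOWS or the
    # legacy C:\WINDOWS\system folder is where this thread's samples (syshost.exe, sdrv.dll) sat.
    folder = path.strip().strip('"').lower().rpartition("\\")[0]
    return folder in ("c:\\windows", "c:\\windows\\system") and basename(path).endswith((".exe", ".dll"))


def parse(log_text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            entries.append(Entry("O2", line, m["name"], m["path"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", line, m["name"], first_path(m["cmd"])))
        elif m := DPF_RE.match(line):
            entries.append(Entry("O16", line, m["name"] or "", m["url"].strip()))
        elif m := NOTIFY_RE.match(line):
            missing = "(file missing)" in m["path"]
            target = m["path"].replace(" (file missing)", "").strip()
            entries.append(Entry("O20", line, m["key"], target, missing))
    return entries


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Apply the checks a helper applies by eye; returns (entry, reason) pairs."""
    flagged = []
    for e in entries:
        if e.section == "O2" and e.name == "(no name)":
            flagged.append((e, "BHO registered without a name"))
        elif e.section in ("O2", "O4") and in_windows_root(e.target):
            flagged.append((e, "binary loaded from the Windows root instead of System32"))
        elif e.section == "O16" and not e.name and not e.target:
            flagged.append((e, "ActiveX object with neither a name nor a download URL"))
        elif e.section == "O20" and e.name.lower() not in KNOWN_NOTIFY:
            why = "whose DLL no longer exists" if e.missing else "outside the allowlist"
            flagged.append((e, f"Winlogon Notify hook {why}"))
    return flagged


def reloading_dlls(entries: list[Entry]) -> list[str]:
    """DLL names registered both as a BHO (O2) and as a Winlogon Notify hook (O20).
    The Notify copy is loaded into winlogon.exe at logon, so it can re-create files deleted by hand."""
    bhos = {basename(e.target) for e in entries if e.section == "O2"}
    hooks = {basename(e.target) for e in entries if e.section == "O20" and not e.missing}
    return sorted(bhos & hooks)


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for entry, reason in triage(parsed):
        print(f"[{entry.section}] {reason}: {entry.line}")
    print("Registered as both BHO and Winlogon Notify:", reloading_dlls(parsed))
```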

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 24 July 2006 - 04:58 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Check the Run VundoFix as a task box.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log. :thumbsup:

Hi there, stranger!

#9 Element

Element
  • Topic Starter

  • Members
  • 25 posts

Posted 24 July 2006 - 12:58 PM

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 12:50:04 PM 7/24/2006

Listing files found while scanning....

C:\windows\system32\fccdded.dll
C:\windows\system32\gebyy.dll
C:\windows\system32\yybeg.ini
C:\windows\system32\yybeg.bak1
C:\windows\system32\yybeg.bak2
C:\windows\system32\yybeg.ini2
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\fccdded.dll
C:\windows\system32\fccdded.dll Has been deleted!

Attempting to delete C:\windows\system32\gebyy.dll
C:\windows\system32\gebyy.dll Could not be deleted.

Attempting to delete C:\windows\system32\yybeg.ini
C:\windows\system32\yybeg.ini Has been deleted!

Attempting to delete C:\windows\system32\yybeg.bak1
C:\windows\system32\yybeg.bak1 Has been deleted!

Attempting to delete C:\windows\system32\yybeg.bak2
C:\windows\system32\yybeg.bak2 Has been deleted!

Attempting to delete C:\windows\system32\yybeg.ini2
C:\windows\system32\yybeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 12:57:19 PM, on 7/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Chris Patton\Desktop\Scan.exe.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182856DD-FCC5-443A-8638-49DEB170C681} - C:\WINDOWS\System32\gebyy.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\putwfdrd.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll
O20 - Winlogon Notify: infowin - C:\WINDOWS\AppPatch\infowin.dll
O20 - Winlogon Notify: sdrv - c:\windows\system\sdrv.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

....

#10 Element

Element
  • Topic Starter

  • Members
  • 25 posts

Posted 24 July 2006 - 01:25 PM

I ran Vundo again in safe mode. Unfortunately it didn't save the logfile.
But I ran it again when it rebooted.


VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 1:17:04 PM 7/24/2006

Listing files found while scanning....

No infected files were found.



Logfile of HijackThis v1.99.1
Scan saved at 1:24:12 PM, on 7/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Patton\Desktop\Scan.exe.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\putwfdrd.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll
O2 - BHO: (no name) - {E1CE41DF-7F8E-4817-A257-6799569534C8} - C:\WINDOWS\System32\gebyy.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - Winlogon Notify: infowin - C:\WINDOWS\AppPatch\infowin.dll
O20 - Winlogon Notify: sdrv - c:\windows\system\sdrv.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 25 July 2006 - 04:15 AM

Looks like a new Vundo variant....
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files
  • Copy & paste the 2 entries below into the top 2 boxes:
    • c:\windows\system\sdrv.dll
    • c:\windows\system\vrds.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.
---

Now surf here: www.virustotal.com

Into the blank field next to the "Browse" button, paste this in:

C:\WINDOWS\AppPatch\infowin.dll

Hit "Send File" and wait patiently until all the scanners are finished. Post back with:

- The contents of C:\vundofix.txt log

- The Virustotal file scan results

- A fresh HijackThis log.
:thumbsup:

Edited by Rawe, 25 July 2006 - 04:18 AM.

Hi there, stranger!

#12 Element

Element
  • Topic Starter

  • Members
  • 25 posts

Posted 25 July 2006 - 11:10 AM

Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.24.2006 no virus found
BitDefender 7.2 07.25.2006 no virus found
CAT-QuickHeal 8.00 07.25.2006 no virus found
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb n - no virus found
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.24.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 no virus found
McAfee 4813 07.24.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 no virus found
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 Suspicious file
Sophos 4.07.0 07.25.2006 no virus found
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.24.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found

------------------------------------------------------
No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete c:\windows\system\sdrv.dll
c:\windows\system\sdrv.dll Has been deleted!

Performing Repairs to the registry.
Done!
-----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:09:42 AM, on 7/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Chris Patton\Desktop\Scan.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\putwfdrd.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll (file missing)
O2 - BHO: (no name) - {E1CE41DF-7F8E-4817-A257-6799569534C8} - C:\WINDOWS\System32\gebyy.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - Winlogon Notify: infowin - C:\WINDOWS\AppPatch\infowin.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:44 PM

Posted 26 July 2006 - 04:37 AM

Well then.. Let's continue. Really good progress this far :thumbsup:

---

Please surf here: http://www.uploadmalware.com

Fill in the blanks. Into the "Topic Where File Was Requested" box, paste this in: http://www.bleepingcomputer.com/forums/t/59689/zblob-virus-assumed/

Into the files to submit box, paste this in: C:\Vundofix Backups\sdrv.dll

Into the Comments or further info box, paste in: A new Vundo object -- check the topic.

Thank you :flowers:

---

Then on with the rest of the cleaning... Do you have an active anti-virus client running?

If not..

Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

---

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :huh:

Hi there, stranger!

#14 Element

Element
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 26 July 2006 - 01:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:35:46 PM, on 7/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Patton\Desktop\Scan.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\whadtmpg.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll (file missing)
O2 - BHO: (no name) - {E1CE41DF-7F8E-4817-A257-6799569534C8} - C:\WINDOWS\System32\gebyy.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - Winlogon Notify: infowin - C:\WINDOWS\AppPatch\infowin.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Incident Status Location

Adware:Adware/Miamore Not disinfected C:\WINDOWS\g6637562.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\System32\putwfdrd.dll
Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2339.exe
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/secure32 Not disinfected C:\WINDOWS\System32\drivers\etc\hosts
Removed the cookies from the list because I removed them with Ad-Aware SE Personal.
I'm currently using the 60 day free trial of "Avast!" Anti-virus... for the 3rd or so time >_>

Edited by Element, 26 July 2006 - 01:42 PM.


#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:44 PM

Posted 26 July 2006 - 02:27 PM

I'm currently using the 60 day free trial of "Avast!" Anti-virus... for the 3rd or so time >_>

Umm, why haven't you installed the completely free home edition of Avast?

http://www.avast.com/eng/avast_4_home.html :thumbsup:

---

Download Hoster.zip:
  • Unzip Hoster to a convenient folder such as C:\Hoster.
  • Run Hoster.exe from its new home.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.
---

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\g6637562.dll
    C:\WINDOWS\System32\putwfdrd.dll
    c:\windows\downloaded program files\gdnUS2339.exe
    C:\WINDOWS\AppPatch\infowin.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

---

Post back a fresh log.. And how's the system running now? :flowers:
Hi there, stranger!
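A triage pass over the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log, in the spirit of how the helper picked out the entries in this thread. This is an added example, not a BleepingComputer or HijackThis tool: the sample lines are constructed from paths that appear in the logs above, and the heuristics (nameless BHOs, orphaned "(file missing)" entries, Winlogon Notify DLLs outside System32, BHOs loaded from the Windows root) are assumptions about what usually separates legitimate entries from the flagged ones.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: HijackThis 1.99.1 lines in the shape of the logs posted
# in this thread (paths are copied from them; the selection is ours).
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\whadtmpg.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g6637562.dll
O2 - BHO: PsapiAnalyzer Object - {ABEA5B76-4871-4F88-99D7-815E600C5C53} - c:\windows\system\sdrv.dll (file missing)
O20 - Winlogon Notify: infowin - C:\WINDOWS\AppPatch\infowin.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O2 and O20 are the sections the helper worked from above; each pattern
# captures the module path and the optional "(file missing)" tag.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    section: str                                   # "O2" or "O20"
    path: str                                      # module as written in the log
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per O2/O20 entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line) or O20_RE.match(line)
        if not m:
            continue
        section = line.split(" ", 1)[0]
        path, lower, reasons = m.group("path"), m.group("path").lower(), []
        if m.group("missing"):
            # Registry still points at a file that is gone: an orphan left by an
            # earlier removal (sdrv.dll after VundoFix) that still wants cleanup.
            reasons.append("orphaned entry (file missing)")
        if section == "O2" and m.group("name") == "(no name)":
            # Legitimate BHOs register a display name; nameless ones are rare.
            reasons.append("BHO registered without a name")
        if section == "O20" and "\\" in path and "\\system32\\" not in lower:
            # Notification packages normally live in System32 and are referenced
            # by bare name; a full path elsewhere (AppPatch here) stands out.
            reasons.append("Winlogon Notify DLL outside System32")
        if section == "O2" and re.fullmatch(r"c:\\windows\\[^\\]+", lower):
            # A BHO loaded straight from the Windows root instead of a vendor
            # folder (g6637562.dll above).
            reasons.append("BHO loaded from Windows root")
        if reasons:
            findings.append(Finding(section, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.path}  <- {'; '.join(f.reasons)}")
```

The heuristics are a starting point for deciding which entries to look up or submit for scanning, not a verdict; the thread's own VirusTotal result for infowin.dll shows why a flagged file still needs checking.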