Multiple Infections - Virtumonde; Winantivirus; Winfixer; Astakiller; Etc.


9 replies to this topic

#1 tk1

Posted 28 August 2006 - 12:23 AM

I've followed the posted instructions as best that I could. I've cleaned out files, repeatedly run Ad-Aware SE and SpyBot S&D, and also CounterSpy. It would supposedly delete everything but the malware would re-appear. I ran Panda Anti-Virus and Bit Defender. Couldn't get Housecall AV to work. I did run my own Norton AV. Also ran McAfee AVERT Stinger, which didn't seem to find anything. I have the 2Wire HomePortal firewall turned on and am running WinXP SP2 with latest patches.

WinFixer used to pop-up all the time but now it's mostly WinAntiVirusPro 2006. Other malware identified but unable to be cleaned include Smitfraud-C.toolbar 888 and AstaKiller. Sysprotect also showed up.

In addition to posting my hijackthis log, I've also posted the results of the other tools. Sorry if I'm posting too much info.

Thanks in advance for advice on next steps.

Below are the results of my Norton AV scan first thing today:
Filename Virus Name Virus Type Action Taken Original Location Status Current Location
xkioiwsm.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
xbwluqio.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
wwluksaf.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
wniorayl.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
vxmxjxfr.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
vwpshans.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
vvwwxhle.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
vvijsycq.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
vdgdlanr.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
uyolycha.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
typkojjx.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
tvjgghxy.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
trmfnwoa.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
tfcyeopk.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
sviargpt.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
ssqroon.dll Trojan.Awax File Left alone C:\WINDOWS\SYSTEM32\ Infected C:\WINDOWS\SYSTEM32\
sovnqtlw.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
sfpfldtw.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
rjnkhxuk.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
rdejusqy.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
qhgcusnv.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
qcugdgaf.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
pwqakmfh.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
oxnscmnf.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
ocldkcef.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
nsyqwjls.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
nemlfakc.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
mlyolquq.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
mljiawky.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
lrsumqli.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
kvcojcyh.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
hxsmsiad.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
gvnntdqo.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
giioaapb.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
fypfqixp.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
fpigfchl.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
fafqxdei.exe Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
dygtsxap.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
DP.sys Trojan Horse File Quarantined C:\WINDOWS\SYSTEM32\DRIVERS\ Infected Quarantine
byrkvaoo.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
bnykhcht.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
bgjjskmi.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine
awvtq.dll Trojan.Vundo File Left alone C:\WINDOWS\SYSTEM32\ Infected C:\WINDOWS\SYSTEM32\
aabpcrre.exe Trojan.Zlob File Quarantined C:\WINDOWS\SYSTEM32\ Infected Quarantine


Below are some results from SpyBot S&D:
Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

VirtuMonde: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MSEvents.MSEvents

VirtuMonde: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MSEvents.MSEvents.1

VirtuMonde: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}

VirtuMonde: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}

AstaKiller: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}


Below is my Bit Defender log:
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0002_N91M1708NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0002_N91M1708NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINDOWS\SYSTEM32\awvtq.dll
Infected with: Trojan.Vundo.544788.DLL

C:\WINDOWS\SYSTEM32\byscnwev.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\cberiaso.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\cemktjux.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\cimvsunw.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\dyedvjmv.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\eerivdmr.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\fitkbdva.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\fljhhhkq.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\fsmvpaeb.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\fvswqlfa.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\hnkeibcv.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\ijusheyq.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\jgsjlmfs.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\kqahnbhc.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\kssvqwom.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\lmokqkjj.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\mtcbvebc.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\nsueuslb.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\ojwaenhk.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\qcaqxqkg.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\raurngaw.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\sabhmqsd.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\sayowamv.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\sjaxearf.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\tjfdwqjw.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\ufuxfkqj.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\vqxhdvfk.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\wcbefayc.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\wqenubcn.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\yefhagfx.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\yexnimuj.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\yowkwtsy.exe
Infected with: Trojan.Adload.MAS

C:\WINDOWS\SYSTEM32\yqnvwqra.exe
Infected with: Trojan.Adload.MAS


Below is my Panda activescan log:
Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awvtq.dll
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USYP_0002_N91M1708NetInstaller.exe
Hacktool:rootkit/zaqt.a Not disinfected hkey_local_machine\system\currentcontrolset\services\DP1112
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/sysprotect


Below is my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:51:29 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2174BE36-8D38-4905-AA2F-43D3863F3771} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {2FAE5098-E47C-472D-8D65-607395FBD91d} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqroon.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\awvtq.dll
O2 - BHO: (no name) - {9056C7CF-A0D4-4C81-B20C-1785A1361730} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {E34411DB-025F-4372-9348-BC88E5BC16A4} - C:\WINDOWS\system32\wttetnbx.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/...installerAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129494395109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ssqroon - C:\WINDOWS\SYSTEM32\ssqroon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
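The following is an added example, not part of tk1's post and not a HijackThis or BleepingComputer tool. It shows how the O2 (Browser Helper Objects), O20 (Winlogon Notify) and O23 (Services) lines of a HijackThis log, the three registry persistence points that matter in the log above, can be triaged automatically: entries marked "(file missing)" (a registration left behind after the file was quarantined, which still has to be removed from the registry), BHOs registered with "(no name)", and modules sitting directly in system32 with a random-looking lowercase name. The 5-8 letter threshold is an assumption chosen to match awvtq.dll, ssqroon.dll and wttetnbx.dll in the log; a hit means "ask the poster about it", not "this is malware". The sample lines are copied from the log above.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example: not part of the forum thread, and not a HijackThis or
BleepingComputer tool.  It parses the O2 / O20 / O23 lines (BHOs,
Winlogon Notify DLLs, services) and flags entries a helper would want
explained.  The name heuristic is an assumption, not a rule of the tool.
"""
import re
from dataclasses import dataclass

# A subset of the HijackThis log posted in this thread (copied, not constructed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2174BE36-8D38-4905-AA2F-43D3863F3771} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqroon.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\awvtq.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# The three sections this example looks at and what persistence point each is.
WATCHED = {"O2": "Browser Helper Object", "O20": "Winlogon Notify DLL", "O23": "Service"}

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
# Drive-letter path ending in .dll/.exe/.sys, optionally followed by "(file missing)".
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|sys))(\s+\(file missing\))?\s*$", re.IGNORECASE)


@dataclass
class Entry:
    section: str        # "O2", "O20" or "O23"
    label: str          # BHO name, Notify subkey or service name
    path: str           # module the registration points at
    file_missing: bool  # HijackThis could not find the file on disk


def parse_line(line: str):
    """Return an Entry for an O2/O20/O23 line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in WATCHED:
        return None
    section, rest = m.groups()
    _kind, _, body = rest.partition(": ")   # "BHO: (no name) - {...} - path" -> after "BHO: "
    label = body.split(" - ")[0]
    pm = PATH_RE.search(body)
    if not pm:
        return None
    return Entry(section, label, pm.group(1), pm.group(2) is not None)


def looks_random_system32(path: str) -> bool:
    """Heuristic (assumption): 5-8 lowercase letters, .dll/.exe, directly in system32."""
    parts = path.split("\\")
    if len(parts) < 2 or parts[-2].lower() != "system32":
        return False
    stem, _, ext = parts[-1].rpartition(".")
    return ext.lower() in ("dll", "exe") and re.fullmatch(r"[a-z]{5,8}", stem) is not None


def triage(log_text: str):
    """Return [(Entry, [reason, ...]), ...] for every entry worth a question."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if e.file_missing:
            reasons.append("orphaned registration: file gone, registry entry remains")
        if e.section == "O2" and e.label == "(no name)":
            reasons.append("BHO registered without a name")
        if looks_random_system32(e.path):
            reasons.append("random-looking lowercase module name directly in system32")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for e, reasons in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {WATCHED[e.section]:<22} {e.label:<28} {e.path}")
        for r in reasons:
            print("      -", r)
```

Run against the sample it reports the four Vundo-style BHO/Notify modules, the second Winlogon Notify DLL with the same naming pattern, and the dangling WinAntiVirus Pro 2006 service entry, while leaving the named, vendor-supplied modules (DriveLetterAccess, NavLogon, WgaLogon, nvsvc32) alone. Comparing the findings from a log taken before and after a cleanup is a quick way to see which registrations survived as "(file missing)" entries.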


#2 ourwilly

Posted 28 August 2006 - 07:52 AM

Hello tk1

Like to take a look at this log, I'll get back to you as soon as I can.

#3 ourwilly

Posted 29 August 2006 - 10:31 AM

Hello tk1

Copy and Paste this post into a new text document or print it for reference

Step 1.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Step 2.

Please Update your Sun Java console

Close any programmes you may have running, ESPECIALLY your web browser
Then, using Add/Remove, select any item with Java Runtime Environment (JRE) in the name and uninstall it.
Repeat as many times as necessary to remove all versions of Java from your system.

Reboot your computer

Then CLICK HERE and select the Download button next to "J2SE Runtime Environment (JRE) 5.0 Update 8"


"Accept" the License Agreement, then choose the first download link, Windows Offline Installation, Multi-language.

You must Install this version Offline

Reboot your System


Step 3.

Download Ewido Anti-Spyware
http://www.ewido.net/en/download/

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Ewido Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Ewido automatically updates the spyware definitions if you are connected to the net during installation.
As a precaution, click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close Ewido.
Note: If you have any problems with the updater, you can Update Ewido Manually.
Do not Scan with this yet!

Please Reboot your System into Safe Mode: shut down your system, then restart your computer.
As soon as it starts booting up again, continuously tap F8; from the menu, select the option to enter Safe Mode.

Reopen Ewido Anti-Spyware and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Step 4.

1/ Create a folder in the root of your C: drive and name it Blacklight.
A brief explanation of how to do this can be found here.

2/ Download F-Secure's BlackLight from here and save it into this folder.

3/ Log off from the internet and disconnect your modem cable.

4/ Go to Start > Run, copy and paste the following into the text box and hit OK:
"C:\Blacklight\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click OK.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved in the Blacklight folder, copy and paste this into your next post.
Please Re-Scan with Hijack This and post

1/ The new HijackThis log
2/ The Ewido Report-Scan.txt
3/ The BlackLight Report

ourwilly

#4 tk1 (Topic Starter)

Posted 29 August 2006 - 12:36 PM

Per Step 1 below are the two logs. Note: I didn't see the "Run VundoFix as a task" option so I wasn't able to do it that way. I'll next move onto Step 2.

Contents of VundoFix.txt:
VundoFix V6.1.2

Checking Java version...

Scan started at 12:01:49 PM 8/29/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awvtq.dll
C:\WINDOWS\SYSTEM32\qtvwa.ini
C:\WINDOWS\SYSTEM32\qtvwa.bak1
C:\WINDOWS\SYSTEM32\qtvwa.bak2
C:\WINDOWS\SYSTEM32\qtvwa.ini2
C:\WINDOWS\SYSTEM32\qtvwa.tmp
C:\WINDOWS\SYSTEM32\ssqroon.dll
C:\WINDOWS\SYSTEM32\byscnwev.exe
C:\WINDOWS\SYSTEM32\cberiaso.exe
C:\WINDOWS\SYSTEM32\cemktjux.exe
C:\WINDOWS\SYSTEM32\cimvsunw.exe
C:\WINDOWS\SYSTEM32\dyedvjmv.exe
C:\WINDOWS\SYSTEM32\eerivdmr.exe
C:\WINDOWS\SYSTEM32\fitkbdva.exe
C:\WINDOWS\SYSTEM32\fljhhhkq.exe
C:\WINDOWS\SYSTEM32\fsmvpaeb.exe
C:\WINDOWS\SYSTEM32\hnkeibcv.exe
C:\WINDOWS\SYSTEM32\jgsjlmfs.exe
C:\WINDOWS\SYSTEM32\kqahnbhc.exe
C:\WINDOWS\SYSTEM32\kssvqwom.exe
C:\WINDOWS\SYSTEM32\mtcbvebc.exe
C:\WINDOWS\SYSTEM32\nsueuslb.exe
C:\WINDOWS\SYSTEM32\ojwaenhk.exe
C:\WINDOWS\SYSTEM32\qcaqxqkg.exe
C:\WINDOWS\SYSTEM32\raurngaw.exe
C:\WINDOWS\SYSTEM32\sabhmqsd.exe
C:\WINDOWS\SYSTEM32\sayowamv.exe
C:\WINDOWS\SYSTEM32\sjaxearf.exe
C:\WINDOWS\SYSTEM32\tjfdwqjw.exe
C:\WINDOWS\SYSTEM32\ufuxfkqj.exe
C:\WINDOWS\SYSTEM32\vqxhdvfk.exe
C:\WINDOWS\SYSTEM32\wcbefayc.exe
C:\WINDOWS\SYSTEM32\wqenubcn.exe
C:\WINDOWS\SYSTEM32\yefhagfx.exe
C:\WINDOWS\SYSTEM32\yexnimuj.exe
C:\WINDOWS\SYSTEM32\yowkwtsy.exe
C:\WINDOWS\qaz4.txt

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awvtq.dll
C:\WINDOWS\SYSTEM32\awvtq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.ini
C:\WINDOWS\SYSTEM32\qtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.bak1
C:\WINDOWS\SYSTEM32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.bak2
C:\WINDOWS\SYSTEM32\qtvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.ini2
C:\WINDOWS\SYSTEM32\qtvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.tmp
C:\WINDOWS\SYSTEM32\qtvwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssqroon.dll
C:\WINDOWS\SYSTEM32\ssqroon.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\byscnwev.exe
C:\WINDOWS\SYSTEM32\byscnwev.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cberiaso.exe
C:\WINDOWS\SYSTEM32\cberiaso.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cemktjux.exe
C:\WINDOWS\SYSTEM32\cemktjux.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cimvsunw.exe
C:\WINDOWS\SYSTEM32\cimvsunw.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\dyedvjmv.exe
C:\WINDOWS\SYSTEM32\dyedvjmv.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\eerivdmr.exe
C:\WINDOWS\SYSTEM32\eerivdmr.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fitkbdva.exe
C:\WINDOWS\SYSTEM32\fitkbdva.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fljhhhkq.exe
C:\WINDOWS\SYSTEM32\fljhhhkq.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fsmvpaeb.exe
C:\WINDOWS\SYSTEM32\fsmvpaeb.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hnkeibcv.exe
C:\WINDOWS\SYSTEM32\hnkeibcv.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jgsjlmfs.exe
C:\WINDOWS\SYSTEM32\jgsjlmfs.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kqahnbhc.exe
C:\WINDOWS\SYSTEM32\kqahnbhc.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kssvqwom.exe
C:\WINDOWS\SYSTEM32\kssvqwom.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\mtcbvebc.exe
C:\WINDOWS\SYSTEM32\mtcbvebc.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\nsueuslb.exe
C:\WINDOWS\SYSTEM32\nsueuslb.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ojwaenhk.exe
C:\WINDOWS\SYSTEM32\ojwaenhk.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qcaqxqkg.exe
C:\WINDOWS\SYSTEM32\qcaqxqkg.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\raurngaw.exe
C:\WINDOWS\SYSTEM32\raurngaw.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sabhmqsd.exe
C:\WINDOWS\SYSTEM32\sabhmqsd.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sayowamv.exe
C:\WINDOWS\SYSTEM32\sayowamv.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sjaxearf.exe
C:\WINDOWS\SYSTEM32\sjaxearf.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tjfdwqjw.exe
C:\WINDOWS\SYSTEM32\tjfdwqjw.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ufuxfkqj.exe
C:\WINDOWS\SYSTEM32\ufuxfkqj.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vqxhdvfk.exe
C:\WINDOWS\SYSTEM32\vqxhdvfk.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wcbefayc.exe
C:\WINDOWS\SYSTEM32\wcbefayc.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wqenubcn.exe
C:\WINDOWS\SYSTEM32\wqenubcn.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yefhagfx.exe
C:\WINDOWS\SYSTEM32\yefhagfx.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yexnimuj.exe
C:\WINDOWS\SYSTEM32\yexnimuj.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yowkwtsy.exe
C:\WINDOWS\SYSTEM32\yowkwtsy.exe Has been deleted!

Attempting to delete C:\WINDOWS\qaz4.txt
C:\WINDOWS\qaz4.txt Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.1.2

Checking Java version...

Scan started at 12:12:14 PM 8/29/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awvtq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awvtq.dll
C:\WINDOWS\SYSTEM32\awvtq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Scan started at 12:17:54 PM 8/29/2006

Listing files found while scanning....

No infected files were found.



HiJackThis log after running VundoFix:
Logfile of HijackThis v1.99.1
Scan saved at 12:22:01 PM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2174BE36-8D38-4905-AA2F-43D3863F3771} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {2FAE5098-E47C-472D-8D65-607395FBD91d} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqroon.dll (file missing)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {9056C7CF-A0D4-4C81-B20C-1785A1361730} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {E34411DB-025F-4372-9348-BC88E5BC16A4} - C:\WINDOWS\system32\wttetnbx.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/...installerAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129494395109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#5 tk1

Posted 29 August 2006 - 02:50 PM

I've completed Steps 2-4. Below are the 3 requested logs.

New HiJackThis log after completing steps 2-4:
Logfile of HijackThis v1.99.1
Scan saved at 2:40:28 PM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2174BE36-8D38-4905-AA2F-43D3863F3771} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {2FAE5098-E47C-472D-8D65-607395FBD91d} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqroon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {9056C7CF-A0D4-4C81-B20C-1785A1361730} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {E34411DB-025F-4372-9348-BC88E5BC16A4} - C:\WINDOWS\system32\wttetnbx.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/...installerAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129494395109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Ewido Report-Scan.txt:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:02:00 PM 8/29/2006

+ Scan result:



HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned with backup (quarantined).
C:\VundoFix Backups\awvtq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-316908308-1137208510-3845642587-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\ieatgpc.dll -> Adware.WebEx : Cleaned with backup (quarantined).
HKU\S-1-5-21-316908308-1137208510-3845642587-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\VundoFix Backups\byscnwev.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\cberiaso.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\cemktjux.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\eerivdmr.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\fsmvpaeb.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\hnkeibcv.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\kqahnbhc.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\kssvqwom.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\mtcbvebc.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\nsueuslb.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\ojwaenhk.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\qcaqxqkg.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\sayowamv.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\sjaxearf.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\tjfdwqjw.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\ufuxfkqj.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\vqxhdvfk.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\wqenubcn.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\yexnimuj.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\yowkwtsy.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0002_N91M1708NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0002_N91M1708NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).

C:\VundoFix Backups\cimvsunw.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\dyedvjmv.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\fitkbdva.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\fljhhhkq.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\jgsjlmfs.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\raurngaw.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\sabhmqsd.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\wcbefayc.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\yefhagfx.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\fvswqlfa.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ijusheyq.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\lmokqkjj.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\yqnvwqra.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).


::Report end


BlackLight report:
08/29/06 14:11:49 [Info]: BlackLight Engine 1.0.46 initialized
08/29/06 14:11:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/29/06 14:11:49 [Note]: 7019 4
08/29/06 14:11:49 [Note]: 7005 0
08/29/06 14:12:01 [Note]: 7006 0
08/29/06 14:12:01 [Note]: 7022 0
08/29/06 14:12:01 [Note]: 7011 1680
08/29/06 14:12:01 [Note]: 7026 0
08/29/06 14:12:01 [Note]: 7026 0
08/29/06 14:12:01 [Note]: FSRAW library version 1.7.1019
08/29/06 14:39:56 [Note]: 7007 0

#6 ourwilly

Posted 30 August 2006 - 09:32 AM

Hello tk1

Copy and Paste this post into a new text document or print it for reference

Step 1

Please Re-Scan with HijackThis and place a "checkmark" next to these entries:

O2 - BHO: (no name) - {2174BE36-8D38-4905-AA2F-43D3863F3771} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {2FAE5098-E47C-472D-8D65-607395FBD91d} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqroon.dll (file missing)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {9056C7CF-A0D4-4C81-B20C-1785A1361730} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {E34411DB-025F-4372-9348-BC88E5BC16A4} - C:\WINDOWS\system32\wttetnbx.dll
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

Make sure all browser and all Windows Explorer windows are closed and select "Fix checked". Exit Hijack This


Now go to Add/Remove Programs and uninstall the following: ( If listed )

WinAntiVirus Pro 2006


Now Hold Down The Windows Key + E to Open Windows Explorer,
Navigate to these Files/Folders then Right Click on and Delete this Bold Folder: ( If listed )

C:\Program Files\WinAntiVirus Pro 2006\


Then Go to Start > Run and Copy & Paste each line below "One at a time" into the open field, clicking OK after each line:

sc stop FWSvc
sc delete FWSvc



Step 2

Go to : http://virusscan.jotti.org/

I would like you to Copy & Paste this full path

C:\WINDOWS\system32\wttetnbx.dll

into the address box and then select Submit. Please "Save these results" from the Jotti scanner.

Can you please do the same for this file...

C:\WINDOWS\SYSTEM32\hpsdqjwl.dll

and again please "Save these results" from Jotti


Re-Scan with Hijack This and post the new HijackThis log
and the two Jotti results

ourwilly. :thumbsup:
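As an added example for this thread (not part of ourwilly's instructions and not code from HijackThis itself), here is a small Python triage script that applies, to constructed sample O2/O20/O23 lines of the kind quoted above, the checks a helper makes by eye: entries marked "(file missing)", unnamed BHOs, random lowercase DLL names dropped straight into system32, and one DLL registered under several CLSIDs (the Vundo pattern with wttetnbx.dll above). The scoring weights and the threshold are hypothetical, not an authoritative indicator list.

```python
"""Heuristic triage of HijackThis v1.99 log lines (O2 BHO, O20 Winlogon Notify, O23 Service).

Added example for this thread: not part of any poster's instructions and not code from
the HijackThis tool. The weights are a hypothetical, simplified version of what a
helper checks by eye, not an authoritative list of malware indicators.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the kinds of entries quoted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2174BE36-8D38-4905-AA2F-43D3863F3771} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {2FAE5098-E47C-472D-8D65-607395FBD91d} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqroon.dll (file missing)
O2 - BHO: (no name) - {9056C7CF-A0D4-4C81-B20C-1785A1361730} - C:\WINDOWS\system32\wttetnbx.dll
O2 - BHO: (no name) - {E34411DB-025F-4372-9348-BC88E5BC16A4} - C:\WINDOWS\system32\wttetnbx.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# HijackThis appends " (file missing)" when the referenced file is gone.
MISSING = r"(?P<missing> \(file missing\))?$"
LINE_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)" + MISSING),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)" + MISSING),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)" + MISSING),
}
# Five to eight lowercase letters and nothing else: wttetnbx, ssqroon, hpsdqjwl.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Entry:
    kind: str
    name: str
    path: str
    missing: bool
    clsid: str = ""
    owner: str = ""


@dataclass
class Finding:
    entry: Entry
    score: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for an O2/O20/O23 line, None for any other line."""
    for kind, rx in LINE_RE.items():
        m = rx.match(line.strip())
        if m:
            g = m.groupdict()
            return Entry(kind, g["name"], g["path"].strip(), g["missing"] is not None,
                         g.get("clsid") or "", g.get("owner") or "")
    return None


def triage(log_text, threshold=2):
    """Score every parsable entry; return those at or above threshold, highest first."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Vundo registers one DLL under several CLSIDs: count BHO lines per DLL path.
    bho_uses = Counter(e.path.lower() for e in entries if e.kind == "O2")
    findings = []
    for e in entries:
        stem = ntpath.splitext(ntpath.basename(e.path))[0]
        checks = [  # (condition, weight, reason); weights are hypothetical
            (e.missing, 2, "file missing: orphaned entry"),
            (e.kind == "O2" and e.name == "(no name)", 1, "unnamed BHO"),
            (e.kind == "O2" and bho_uses[e.path.lower()] > 1, 2,
             f"same DLL under {bho_uses[e.path.lower()]} CLSIDs"),
            (e.kind == "O23" and e.owner.lower() == "unknown owner", 1, "service with unknown owner"),
            (ntpath.dirname(e.path).lower() == SYSTEM32, 1, "loaded directly from system32"),
            (RANDOM_STEM_RE.match(stem) is not None, 1, "random-looking lowercase filename"),
        ]
        score = sum(w for hit, w, _ in checks if hit)
        reasons = [why for hit, _, why in checks if hit]
        if score >= threshold:
            findings.append(Finding(e, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


def flagged_files(log_text):
    """Distinct lowercase basenames of flagged entries, for a quick summary."""
    return sorted({ntpath.basename(f.entry.path).lower() for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.entry.kind} {f.entry.path}: {'; '.join(f.reasons)}")
```

On the sample it flags the four wttetnbx.dll CLSIDs, the orphaned ssqroon.dll and FWSvc entries and the hpsdqjwl Winlogon Notify hook, while SDHelper.dll, tfswshx.dll, NavLogon.dll and nvsvc32.exe stay below the threshold.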

#7 tk1

Posted 30 August 2006 - 10:51 AM

Below are the requested logs. BTW, I didn't see any type of "Save these results" option in Jotti, so I just did a copy and paste.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:42:47 AM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/...installerAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129494395109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Jotti scan 1 results:
File: wttetnbx.dll

Status: INFECTED/MALWARE
MD5 4b402cb8de5dd788aad22f73f2b994a9
Packers detected: -
Scanner results
AntiVir Found Heuristic/Crypted (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.Hotbot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.cq
NOD32 Found nothing
Norman Virus Control Found W32/Virtumonde.gen10
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Jotti scan 2 results:
File: hpsdqjwl.dll

Status: INFECTED/MALWARE
MD5 b98f2229b678e39df58646d5bd904549
Packers detected: PE_PATCH.MORPHINE
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Malware.Agent.19 (probable variant)

#8 ourwilly

Posted 31 August 2006 - 09:27 AM

Hello tk1

Copy and Paste this post into a new text document or print it for reference

Please Re-Scan with HijackThis and place a "checkmark" next to these entries:

O20 - Winlogon Notify: hpsdqjwl - C:\WINDOWS\SYSTEM32\hpsdqjwl.dll

Make sure all Windows Explorer windows are closed and select "Fix checked". Exit Hijack This


Hold Down The Windows Key + E to Open Windows Explorer,
Navigate to these Files/Folders then Right Click on and Delete these Bold Files:

C:\WINDOWS\system32\wttetnbx.dll
C:\WINDOWS\SYSTEM32\hpsdqjwl.dll


Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


Re-scan with 'HijackThis' and post The new log,
and please let me know how your system is running now.

ourwilly :thumbsup:

#9 tk1

Posted 31 August 2006 - 11:04 AM

I had some trouble deleting hpsdqjwl.dll but eventually got it done using the HJT "Delete on reboot" function, after which HJT was able to delete the "O20 - Winlogon Notify: hpsdqjwl..." entry. The other file deleted fine. I've cleaned out all the cache, cookies, temp files, etc. per your instructions, then ran HJT. The log is below. My system seems to be running great now; no problems. How's it look?

Logfile of HijackThis v1.99.1
Scan saved at 10:43:56 AM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whitedoveministries.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/...installerAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129494395109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
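A small triage helper for the HijackThis log format shown above, added here as an example and not part of this thread or of HijackThis itself: it parses the R/O entry lines, flags references marked "(file missing)", and flags Winlogon Notify (O20) DLLs that are not on an assumed allowlist, run over a constructed sample that includes the poster's hpsdqjwl entry (its path is assumed).

```python
import re

# Constructed sample in the HijackThis v1.99.1 log format. The hpsdqjwl line
# stands in for the entry the poster removed with "Delete on reboot" (its path
# is assumed); the other lines are copied from the clean log above.
SAMPLE_LOG = """\
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O20 - Winlogon Notify: hpsdqjwl - C:\\WINDOWS\\system32\\hpsdqjwl.dll
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\System32\\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

# Assumed allowlist of Winlogon Notify packages, taken from the clean log:
# Symantec's NavLogon and Microsoft's WgaLogon.
KNOWN_NOTIFY = {"navlogon", "wgalogon"}

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
VOWELS = set("aeiou")

def looks_random(name: str) -> bool:
    # Heuristic for the random 8-letter DLL names Virtumonde/Vundo used:
    # all letters, at least 6 long, at most one vowel.
    n = name.lower()
    return n.isalpha() and len(n) >= 6 and sum(c in VOWELS for c in n) <= 1

def parse_entries(log: str) -> list[tuple[str, str]]:
    # Return (section, body) pairs for every R/O entry line; the header and
    # the running-processes list do not match and are skipped.
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def review(log: str) -> list[str]:
    # Flag what a helper would look at first: dangling references, and
    # Winlogon Notify DLLs that are neither allowlisted nor normally named.
    findings = []
    for section, body in parse_entries(log):
        if "(file missing)" in body:
            findings.append(f"{section}: dangling reference -> {body}")
        if section == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group(1).lower() not in KNOWN_NOTIFY:
                why = "random-looking name" if looks_random(m.group(1)) else "not in allowlist"
                findings.append(f"O20: unknown Winlogon Notify '{m.group(1)}' ({why}) -> {m.group(2)}")
    return findings
```

Running `review(SAMPLE_LOG)` reports the dangling BitDefender O9 button and the hpsdqjwl O20 entry, and stays quiet on NavLogon and WgaLogon.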

#10 ourwilly

  • Members
  • 921 posts

Posted 01 September 2006 - 09:35 AM

Hello tk1

That's great news, and your HijackThis log is showing clean of any malware.

As your system is running fine now then I recommend that you "Disable" and then "Re-Enable" your System Restore

And please "Bookmark" these Tutorials on how to stay safe:

So how did I get infected in the first place
Simple and easy ways to keep your computer safe and secure on the Internet

Thank you,
ourwilly. :thumbsup:
