
New Pc, Seriously Infected Almost Immediately


  • This topic is locked
16 replies to this topic

#1 John S.

John S.

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:59 PM

Posted 07 December 2006 - 09:13 AM

I recently purchased a new Dell PC and shortly after going online with my new ISP (www.peoplepc.com – please don’t laugh, I’m still using dialup at home) became infected . . . getting popups I can’t block from www.amaena.com advertising malware as winantivirus, and other stuff I can’t identify. Browser windows open that I don’t want, and sometimes things lock up with my cursor being replaced by a red circle and slash.

I’ve updated XP with all the current critical updates from Microsoft (including IE7) and I’m using the security bundle the computer came with, Trend Micro PC-Cillin, also with the latest update. I’m using the firewall from PC-Cillin, not the one from Microsoft - supposedly, running two firewall programs simultaneously can cause conflicts.

I’ve since installed the free versions of WinPatrol10, AdAware SE, Spybot Search & Destroy, Panicware’s PopupStopper, and SpywareBlaster 3.5.1.

Last night I ran scans with AdAware, and a window from Trend Micro popped up indicating that ADW AGENT.FST was infecting one of the RESTORE files, so running a regular windows restore probably isn’t an option.

Spybot S&D found some stuff, and seemingly removed everything except
SmitFraud-C.Toolbar888 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR].

I scanned with the BitTorrent online scanner, which picked up and deleted a LOT of junk.

For some reason, the Panda scanner wouldn’t run.

The Trend Micro scanner picked up & eliminated more trash.

McAfee Avert Stinger apparently didn’t find anything.

I cleared out the temp files and wastebasket, and ran through the cleaning procedures again, after which I created a HijackThis log, which I’ve posted below.

This AM, upon booting up the machine, I’m repeatedly getting a popup that says “No connection to the Internet is currently available. To view internet content that has been saved on your computer, click Work Offline. Click again to attempt to connect” with buttons for “Work Offline” and “Try Again.”

WinPatrol indicates that an IE helper keeps trying to install – tuvvssq.dll – located at c:\windows\system32\tuvvssq.dll, but it doesn’t show up, even if I view hidden files.

The Dell supposedly has an option available during bootup to restore the system to its “original, as-shipped” condition (this is different than Microsoft Restore, I believe) and if the garbage infesting the PC is too deeply embedded, that’s an option . . . I’ve only installed things like Nero, Photoshop, Cadkey, etc., and a few games, so I won’t lose any critical data.

Help . . . Please!

Here’s the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:04 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\John S.\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = C:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162679734906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164337179816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:59 AM

Posted 07 December 2006 - 01:57 PM

Hello John,

I am SifuMike and I will be helping you. :thumbsup:

Restart in Normal Mode and run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
Follow the Instruction on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy and Paste the entire report in your next reply.

*************************

Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware 7.5

When done, submit the AVG Anti-Spyware 7.5 log, F-Secure Online Scanner log, a fresh HijackThis log and tell me how your computer is running.

Edited by SifuMike, 08 December 2006 - 01:14 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 John S.

John S.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:59 PM

Posted 07 December 2006 - 08:39 PM

Hello, SifuMike.

I was unable to download the F-Secure Online Scanner . . . constant popups to unwanted websites advertising antivirus products, little boxes that said "C++ runtime error" etc., and constant warnings from WinPatrol that browser helpers (tuvvssq.dll, utuapegy.dll, kvpxcvsf.dll, etc.) were being installed along with a lot of Trend Micro PC-Cillin memos that various virii (troj dloader.ezx and others) were being detected and either quarantined . . . or not.

I DID download both ATF Cleaner and AVG Anti-Spyware at work, brought them home via thumb drive, and applied them per your detailed instructions . . . I have both MSIE7 and Firefox2.0 available, so I used ATF Cleaner on both.

Here's the AVG Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:40:45 PM 12/7/2006

+ Scan result:



C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0006719.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007795.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\tuvvssq.dll -> Adware.Virtumonde : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
HKU\S-1-5-21-1899111178-1272748120-4129085792-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007796.exe -> Downloader.Zlob.axt : No action taken.
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : No action taken.
:mozilla.59:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.26:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Liveperson : No action taken.
C:\WINDOWS\system32\wincpj32.dll -> Trojan.Agent.vg : No action taken.
C:\WINDOWS\system32\fbawmsvw.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\gabyjorn.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\gagkkkxn.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\isndwmmc.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\iyjyhysi.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\utuapegy.dll -> Trojan.BHO.g : No action taken.


::Report end


Here's the fresh hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:54 PM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John S.\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = C:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162679734906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164337179816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

*******************************

I haven't done any other scans or attempted any other repairs.

The computer is still balky, I'm getting unwanted popups and ads for winantiviruspro . . . though it may not be quite as bad as before.

I guess I'm well and thoroughly infected, eh? :thumbsup:

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:59 AM

Posted 07 December 2006 - 09:40 PM

Hi John,

I guess I'm well and thoroughly infected, eh?

Yes, this computer is quite a mess. :thumbsup:

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0006719.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007795.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\tuvvssq.dll -> Adware.Virtumonde : No action taken.


It looks like you did not quarantine the malware that AVG Anti-Spyware found. :flowers:

Run it again, in Safe Mode, and quarantine everything it finds. Refer to my previous directions on how to run it. Then post the AVG Anti-Spyware log.



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Edited by SifuMike, 08 December 2006 - 01:12 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 John S.
  • Topic Starter
  • Members
  • 10 posts

Posted 07 December 2006 - 11:44 PM

Hello, SifuMike.

I tried F-Protect, and this time it ran, though a 20MB download on dialup wasn't fun. I had another IE window open when I went there (count.exitexchange.com/exit/1281705, an ad for Dish Network) and at one point another ad, this one for "ww.smableeps.com" (leading "ww" not "www) came up over the small F-protect run window. When I went to "show report" IE closed completely.

I then ran ATF Cleaner again, and ran AVG Anti-Spyware from safe mode - I made sure it was set to "quarantine" this time, but it looks like "no action taken" still came up across the board????

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:53:59 PM 12/7/2006

+ Scan result:



C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0006719.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007795.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\tuvvssq.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\yaywwvu.dll -> Adware.Virtumonde : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
HKU\S-1-5-21-1899111178-1272748120-4129085792-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007796.exe -> Downloader.Zlob.axt : No action taken.
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : No action taken.
:mozilla.59:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.26:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Liveperson : No action taken.
C:\WINDOWS\system32\wincpj32.dll -> Trojan.Agent.vg : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007907.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007908.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007909.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007910.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007911.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007912.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\FBAWMSVW.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\GABYJORN.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\GAGKKKXN.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\ISNDWMMC.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\IYJYHYSI.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\KVPXCVSF.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\LXVECVFU.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\MHVPEFJU.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\UTUAPEGY.0LL -> Trojan.BHO.g : No action taken.


::Report end

Ran VundoFix with the following report:
******************************************
VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:57:31 PM 12/7/2006

Listing files found while scanning....

C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\wincpj32.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\wincpj32.dll
C:\WINDOWS\system32\wincpj32.dll Has been deleted!

Performing Repairs to the registry.
Done!

New HijackThis log:
*************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:02:57 PM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John S.\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\tuvvssq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AA6EF2A9-5429-4B50-B9E5-785F126A6C74} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = C:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162679734906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164337179816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: tuvvssq - C:\WINDOWS\SYSTEM32\tuvvssq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

************************************************

Initial reboot went well - no prompting that I was offline, no warning from WinPatrol, and when I went online to post this, the tabbing function on IE7 worked again . . . but then "something" downloaded to my machine, I got ads for winantivirus pro, WinPatrol indicated a browser helper "ddayx.dll" was trying to install itself, and PC-Cillin quarantined a bunch of things in the temp file.

Hope all this makes more sense to you than it does to me.

Thanks . . .

Edited by John S., 07 December 2006 - 11:48 PM.
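The AVG Anti-Spyware report above shows every detection with "No action taken", which is the whole problem in this part of the thread: the scan found the files but nothing was quarantined. As an added example (not code from this thread, from AVG, or from any of the tools named here), the Python below parses a report in that format, sorts each hit into restore-point copy, tool backup, registry key, cookie or live file, and lists the live files that were detected but left in place. The sample report is constructed from lines John posted; the location categories and the "No action taken" check are this example's own heuristics, not AVG's.

```python
import re
from collections import Counter

# Constructed sample input in the format of the AVG Anti-Spyware report
# posted in this thread; the paths and detection names are copied from it.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:53:59 PM 12/7/2006

+ Scan result:

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0006719.dll -> Adware.Agent : No action taken.
C:\WINDOWS\system32\tuvvssq.dll -> Adware.Virtumonde : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
:mozilla.59:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Googleadservices : No action taken.
C:\VundoFix Backups\wincpj32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\FBAWMSVW.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).

::Report end
"""

# One result line: "<item> -> <detection> : <action>." (detection names have no spaces)
RESULT_RE = re.compile(r"^(?P<item>.+) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


def classify(item):
    """Where the detection lives, which decides how much it matters.

    Restore-point copies and tool backups are inert until restored; registry
    keys and live files are what actually runs on the next boot.
    (Category rules are an assumption of this example, not AVG's own.)"""
    low = item.lower()
    if low.startswith(":mozilla.") or "\\cookies" in low:
        return "cookie"
    if low.startswith(("hklm\\", "hkcu\\", "hku\\", "hkcr\\")):
        return "registry"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    if "\\vundofix backups\\" in low:
        return "tool_backup"
    return "file"


def parse_report(text):
    """Return one dict per result line between '+ Scan result:' and '::Report end'."""
    findings = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ Scan result"):
            in_results = True
            continue
        if line.startswith("::Report end"):
            break
        if not in_results or not line:
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue  # tolerate lines this format sketch does not cover
        findings.append({
            "item": m.group("item"),
            "detection": m.group("detection"),
            "action": m.group("action"),
            "location": classify(m.group("item")),
        })
    return findings


def summarize(findings):
    """Counts by action taken and by location: the first thing to read in a log."""
    return {
        "by_action": dict(Counter(f["action"] for f in findings)),
        "by_location": dict(Counter(f["location"] for f in findings)),
    }


def unactioned_live_files(findings):
    """Files outside restore points and backups that were detected but left in place.

    A non-empty list means the report was saved without applying the actions,
    which is the situation in this thread: the infection is still active."""
    return [f["item"] for f in findings
            if f["location"] == "file" and f["action"].lower().startswith("no action")]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for path in unactioned_live_files(found):
        print("still active:", path)
```

Reading the summary before the individual lines avoids the trap John fell into: a report full of detections looks like progress, but if the action column is "No action taken" across the board, nothing has changed on disk.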


#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 December 2006 - 12:46 AM

Hi John,

Very good :flowers:

A lot of Vundo infected files are eliminated.



c:\WINDOWS\system32\FBAWMSVW.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\GABYJORN.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\GAGKKKXN.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\ISNDWMMC.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\IYJYHYSI.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\KVPXCVSF.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\LXVECVFU.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\MHVPEFJU.0LL -> Trojan.BHO.g : No action taken.
C:\WINDOWS\system32\UTUAPEGY.0LL -> Trojan.BHO.g : No action taken.


Are you sure you are in the Safe Mode when running AVG antispyware? It will not remove all the malware when run in the normal mode.
For some reason you have picked "no action taken" when AVG antispyware found the bad stuff for you. :thumbsup:
Please open AVG antispyware. Click on settings, click Apply all actions, then select clean (quarantine). Then run AVG antispyware again and post the log.
Let me know how it's running now. :huh:

*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\tuvvssq.dll
O2 - BHO: (no name) - {AA6EF2A9-5429-4B50-B9E5-785F126A6C74} - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: tuvvssq - C:\WINDOWS\SYSTEM32\tuvvssq.dll


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\SYSTEM32\tuvvssq.dll <==file
C:\WINDOWS\system32\yaywwvu.dll <==file

Note: these files were listed previously by AVG Anti-Spyware. If it did NOT quarantine all of them when you ran it, then I want you to delete them. If it quarantined them successfully, then bypass deleting them.
C:\WINDOWS\system32\FBAWMSVW.0LL <==file
C:\WINDOWS\system32\GABYJORN.0LL <==file
C:\WINDOWS\system32\GAGKKKXN.0LL <==file
C:\WINDOWS\system32\ISNDWMMC.0LL <==file
C:\WINDOWS\system32\IYJYHYSI.0LL <==file
C:\WINDOWS\system32\KVPXCVSF.0LL <==file
C:\WINDOWS\system32\LXVECVFU.0LL <==file
C:\WINDOWS\system32\MHVPEFJU.0LL <==file
C:\WINDOWS\system32\UTUAPEGY.0LL <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!


reboot to the Normal Mode

****************************

Run VundoFix again. I will need to see the log it produces.

****************************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.



****************************

Post the VundoFix log, the ComboFix log, a fresh Hijackthis log and tell me how your computer is running. Be careful you post the second VundoFix txt log and not the one from the first run of it.

Edited by SifuMike, 08 December 2006 - 11:52 AM.

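The three HijackThis lines SifuMike picks out above (two O2 BHO entries with no name, one of them orphaned, and an O20 Winlogon Notify entry pointing at the same DLL as a BHO) are the pattern a reviewer scans such a log for. As an added example, not code from this thread, from HijackThis or from VundoFix, the Python below applies that triage to lines copied from John's log, and separately checks a list of file names for the reversed-name companions the two VundoFix runs in this thread show (geedd.dll beside ddeeg.ini, ddayx.dll beside xyadd.ini). The allow-list of Winlogon notify DLLs is an assumption made for this example, not a vetted list.

```python
import re
from collections import defaultdict

# Constructed sample input: HijackThis-style lines copied from the log John
# posted above, trimmed to the entry types this example looks at.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\tuvvssq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AA6EF2A9-5429-4B50-B9E5-785F126A6C74} - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: tuvvssq - C:\WINDOWS\SYSTEM32\tuvvssq.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: file names taken from the two VundoFix runs in this thread.
SAMPLE_VUNDOFIX_FILES = [
    "geedd.dll", "ddeeg.ini", "ddeeg.bak1", "ddeeg.tmp", "wincpj32.dll",
    "ddayx.dll", "xyadd.ini", "xyadd.bak1",
]

# Assumption for this example only: Winlogon notify DLLs a reviewer might accept
# without a second look. A real allow-list has to be built from the software
# actually installed on the machine, not copied from here.
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll", "igfxcui.dll"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_hjt(text):
    """Return dicts for the O2 (BHO) and O20 Winlogon Notify lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entries.append({
                    "kind": kind,
                    "name": d.get("name") or d.get("key"),
                    "path": d["path"],
                    "missing": d["missing"] is not None,
                })
                break
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Map file name -> reasons a reviewer would look at that entry more closely."""
    reasons = defaultdict(list)
    kinds = defaultdict(set)
    for e in entries:
        fn = basename(e["path"])
        kinds[fn].add(e["kind"])
        if e["kind"] == "O2" and e["name"] == "(no name)":
            reasons[fn].append("BHO registered without a name")
        if e["missing"]:
            reasons[fn].append("orphaned entry: file missing")
        if e["kind"] == "O20" and fn not in KNOWN_WINLOGON_NOTIFY:
            reasons[fn].append("Winlogon notify package not on the allow-list")
    # The same DLL loaded both as a BHO and as a Winlogon notify package is
    # the combination SifuMike flags in this thread (tuvvssq.dll).
    for fn, ks in kinds.items():
        if {"O2", "O20"} <= ks:
            reasons[fn].append("same DLL loaded as a BHO and as a Winlogon notify package")
    return dict(reasons)


def reversed_name_pairs(filenames):
    """Group .dll files with files whose base name is the .dll's name reversed,
    the companion-file pattern visible in the VundoFix logs above."""
    stems = defaultdict(list)
    for fn in filenames:
        stems[fn.lower().rsplit(".", 1)[0]].append(fn)
    pairs = {}
    for fn in filenames:
        stem = fn.lower().rsplit(".", 1)[0]
        mates = stems.get(stem[::-1], [])
        if fn.lower().endswith(".dll") and mates:
            pairs[fn] = sorted(mates)
    return pairs


if __name__ == "__main__":
    for name, why in triage(parse_hjt(SAMPLE_HJT)).items():
        print(name, "->", "; ".join(why))
    print(reversed_name_pairs(SAMPLE_VUNDOFIX_FILES))
```

Neither check proves a file is malicious on its own; a nameless BHO or an unfamiliar notify package is a reason to verify the file's publisher and signature, which is exactly the step the thread's helper does by hand before telling John which entries to fix.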

#7 John S.
  • Topic Starter
  • Members
  • 10 posts

Posted 08 December 2006 - 09:20 AM

SifuMike

My face is red . . . I WAS in "Safe Mode" and I was going to post the screen capture (link below) to show that various items were "quarantined" or "deleted" . . . but now as I'm looking at it, I think I may have neglected to push "Apply All Actions" and went directly to "Save Log" . . . no excuse other than brain freeze. :thumbsup:

http://i72.photobucket.com/albums/i184/sky...reenCapture.jpg

I'll run through the procedure again when I get home.

BTW, I see that in addition to "Quarantine" that "Delete" is an option . . . any particular reason not to use the latter?

(Don't worry, I won't go off experimenting on my own . . . I'll follow YOUR recommendations!)

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 December 2006 - 11:43 AM

Hi John,

BTW, I see that in addition to "Quarantine" that "Delete" is an option . . . any particular reason not to use the latter?


We quarantine the files in case they are a good file and needed later.
If the file is in quarantine, then you can bring it back.
The tracking cookies you can delete if you wish, as they are not important.
Once you delete a file, it is gone. So we have you select quarantine. Usually leave all items in quarantine for several weeks (until you know everything works OK), then you can delete the files out of quarantine.

(Don't worry, I won't go off experimenting on my own . . . I'll follow YOUR recommendations!)


Great! :thumbsup:

Edited by SifuMike, 08 December 2006 - 11:48 AM.


#9 John S.
  • Topic Starter
  • Members
  • 10 posts

Posted 08 December 2006 - 11:20 PM

SifuMike,

Looks like we're making some progress. This time I ran AVG properly and applied the actions. Here's the log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:06 06-12-08

+ Scan result:



C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0006719.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007795.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0008070.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0008071.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKU\S-1-5-21-1899111178-1272748120-4129085792-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0007796.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.26:C:\Documents and Settings\John S.\Application Data\Mozilla\Firefox\Profiles\n6ttl6bp.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007947.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\VundoFix Backups\wincpj32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007907.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007908.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007909.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007910.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007911.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP42\A0007912.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\FBAWMSVW.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\GABYJORN.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\GAGKKKXN.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ISNDWMMC.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\IYJYHYSI.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\KVPXCVSF.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\LXVECVFU.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MHVPEFJU.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\UTUAPEGY.0LL -> Trojan.BHO.g : Cleaned with backup (quarantined).


::Report end

I couldn't find the files you mentioned to manually delete them - it looks like AVG took care of them once I did my part.

Ran crap cleaner, then VundoFix again . . . WinPatrol recognized the "ddayx.dll" vundo as a browser helper, but had a problem removing it. It seems to be gone now.

Note that VundoFix simply appended the new log to the old log - I wasn't expecting that!



VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:57:31 PM 12/7/2006

Listing files found while scanning....

C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\wincpj32.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\wincpj32.dll
C:\WINDOWS\system32\wincpj32.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 19:39:43 06-12-08

Listing files found while scanning....

C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\xyadd.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\xyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Here's the ComboFix log:

John S. - 06-12-08 19:53:48.75 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\John S.\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


2006-12-08 19:35 <DIR> dr-h----- C:\Documents and Settings\John S.\Recent
2006-12-08 17:11 <DIR> d-------- C:\Program Files\CCleaner
2006-12-07 18:53 72,704 --a------ C:\WINDOWS\system32\drvlav.dll
2006-12-07 17:33 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-07 17:33 <DIR> d-------- C:\Program Files\Grisoft
2006-12-06 18:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-06 17:11 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-06 16:57 72,704 --a------ C:\WINDOWS\system32\drvjen.dll
2006-12-04 21:36 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\Mozilla
2006-12-04 21:35 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-04 18:19 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\Lavasoft
2006-12-04 18:08 <DIR> d-------- C:\VundoFix Backups
2006-12-04 18:08 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-04 18:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-04 18:07 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-04 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-01 19:05 <DIR> d-------- C:\Program Files\BillP Studios
2006-12-01 19:05 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\WinPatrol
2006-11-23 20:13 <DIR> d-------- C:\Program Files\Panicware
2006-11-23 11:55 <DIR> d-------- C:\Downloads
2006-11-22 20:08 <DIR> d-------- C:\Program Files\THQ
2006-11-22 16:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-22 16:05 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\ScamGuard
2006-11-22 16:02 <DIR> d-------- C:\WINDOWS\peoplepc
2006-11-22 16:01 <DIR> d-------- C:\Program Files\PeoplePC Accelerated
2006-11-22 15:56 67,584 --------- C:\WINDOWS\system32\unPPC.exe
2006-11-22 15:56 63,488 --------- C:\WINDOWS\system32\unPPC6000.exe
2006-11-22 15:56 45,056 --------- C:\WINDOWS\system32\ppcwebi.dll
2006-11-22 15:56 37,888 --------- C:\WINDOWS\system32\PPCOUNIN.exe
2006-11-22 15:56 28,672 --------- C:\WINDOWS\system32\RegHero.exe
2006-11-22 15:56 18,432 --------- C:\WINDOWS\system32\PPCInfo.exe
2006-11-22 15:56 10,752 --------- C:\WINDOWS\system32\PopWait.exe
2006-11-22 15:56 <DIR> d-------- C:\Program Files\PeoplePC
2006-11-21 18:18 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-21 18:18 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-21 18:18 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-21 18:17 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-18 18:08 <DIR> d-------- C:\Program Files\directx
2006-11-12 17:47 <DIR> d-------- C:\Program Files\Activision
2006-11-12 17:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-11-12 16:46 110,612 --a------ C:\WINDOWS\system32\chacdvsw.exe
2006-11-11 10:27 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-10 20:03 <DIR> d-------- C:\Program Files\Stardock
2006-11-09 20:47 <DIR> d-------- C:\WINDOWS\Sun
2006-11-09 20:47 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\Sun


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 21:00 -------- d-------- C:\Program Files\Internet Explorer
2006-12-02 22:02 -------- d-------- C:\Program Files\WildTangent
2006-12-02 20:37 -------- d---s---- C:\Documents and Settings\John S.\Application Data\Microsoft
2006-12-02 18:23 5120 --a------ C:\Documents and Settings\John S.\Application Data\dvd.bmk
2006-12-01 18:23 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-01 18:23 -------- d-------- C:\Documents and Settings\John S.\Application Data\Adobe
2006-12-01 18:00 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-11-26 21:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-26 21:13 -------- d-------- C:\Program Files\Microsoft Games
2006-11-12 18:07 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-06 21:09 110612 --a------ C:\WINDOWS\system32\vfvgmcni.exe
2006-11-06 21:08 110612 --a------ C:\WINDOWS\system32\ppetppff.exe
2006-11-05 19:42 110612 --a------ C:\WINDOWS\system32\sghmqdol.exe
2006-11-05 19:25 -------- d-------- C:\Program Files\Windows Media Player
2006-11-05 16:11 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-11-05 16:09 -------- d-------- C:\Program Files\AGEIA Technologies
2006-11-05 15:59 -------- d-------- C:\Program Files\Ubisoft
2006-11-05 08:59 -------- d-------- C:\Program Files\Norton Ghost
2006-11-05 07:43 -------- d-------- C:\Program Files\America Online 9.0
2006-11-04 20:18 -------- d-------- C:\Documents and Settings\John S.\Application Data\Ahead
2006-11-04 19:59 -------- d-------- C:\Program Files\Ahead
2006-11-04 19:55 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 19:55 -------- d-------- C:\Program Files\Common Files
2006-11-04 19:41 110612 --a------ C:\WINDOWS\system32\mlcttdur.exe
2006-11-04 18:51 -------- d-------- C:\Documents and Settings\John S.\Application Data\Sonic
2006-11-04 17:24 -------- d-------- C:\Program Files\Adobe
2006-11-04 16:26 -------- d-------- C:\Documents and Settings\John S.\Application Data\Google
2006-11-04 16:03 -------- d-------- C:\Documents and Settings\John S.\Application Data\Symantec
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 14:13 -------- d-------- C:\Documents and Settings\John S.\Application Data\Macromedia
2006-11-04 14:10 -------- d-------- C:\Program Files\Google
2006-11-04 14:00 -------- d-------- C:\Program Files\Modem Helper
2006-11-02 20:34 -------- d-------- C:\Documents and Settings\John S.\Application Data\Leadertech
2006-11-02 20:22 -------- d-------- C:\Program Files\Common Files\System
2006-11-02 20:22 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-02 20:21 -------- d-------- C:\Program Files\Microsoft Office
2006-11-02 20:21 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-02 20:21 -------- d-------- C:\Documents and Settings\John S.\Application Data\Microsoft Web Folders
2006-11-01 12:05 -------- d-------- C:\Program Files\Dell
2006-11-01 12:04 -------- d-------- C:\Program Files\EarthLink Setup
2006-11-01 12:03 -------- d--h----- C:\Documents and Settings\John S.\Application Data\Gtek
2006-11-01 12:03 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-01 12:03 -------- d-------- C:\Program Files\Dell Support
2006-11-01 12:03 -------- d-------- C:\Program Files\Common Files\L&H
2006-11-01 12:02 -------- d-------- C:\Program Files\Microsoft.NET
2006-11-01 12:02 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-11-01 12:02 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-11-01 12:01 -------- d-------- C:\Program Files\Yahoo!
2006-11-01 12:01 -------- d-------- C:\Program Files\Microsoft Works
2006-11-01 12:01 -------- d-------- C:\Program Files\illiminable
2006-11-01 12:01 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-11-01 12:01 -------- d-------- C:\Documents and Settings\John S.\Application Data\InstallShield
2006-11-01 11:59 -------- d-------- C:\Program Files\Sonic
2006-11-01 11:59 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-11-01 11:59 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-01 11:59 -------- d-------- C:\Program Files\BAE
2006-11-01 11:58 -------- d-------- C:\Program Files\Roxio
2006-11-01 11:58 -------- d-------- C:\Program Files\Common Files\TiVo Shared
2006-11-01 11:58 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-11-01 11:57 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-11-01 11:57 -------- d-------- C:\Program Files\Trend Micro
2006-11-01 11:57 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-01 11:56 -------- d-------- C:\Program Files\Symantec
2006-11-01 11:55 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-11-01 11:55 -------- d-------- C:\Program Files\Viewpoint
2006-11-01 11:55 -------- d-------- C:\Program Files\Real
2006-11-01 11:55 -------- d-------- C:\Program Files\QuickTime
2006-11-01 11:55 -------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2006-11-01 11:55 -------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-11-01 11:55 -------- d-------- C:\Program Files\Learn2.com
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\Real
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\aolshare
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-01 11:55 -------- d-------- C:\Program Files\AOL Companion
2006-11-01 11:54 -------- d-------- C:\Program Files\NetZeroInstallers
2006-11-01 11:54 -------- d-------- C:\Program Files\MUSICMATCH
2006-11-01 11:54 -------- d-------- C:\Program Files\Corel
2006-11-01 11:54 -------- d-------- C:\Program Files\Common Files\Corel
2006-11-01 11:53 -------- d-------- C:\Program Files\NetWaiting
2006-11-01 11:52 -------- d-------- C:\Program Files\InterActual
2006-11-01 11:52 -------- d-------- C:\Program Files\Intel
2006-11-01 11:52 -------- d-------- C:\Program Files\Digital Line Detect
2006-11-01 11:49 -------- d-------- C:\Program Files\Sigmatel
2006-11-01 11:49 -------- d-------- C:\Program Files\Outlook Express
2006-11-01 11:47 -------- d-------- C:\Program Files\Messenger
2006-11-01 11:47 -------- d-------- C:\Program Files\Java
2006-11-01 11:47 -------- d-------- C:\Program Files\Common Files\Java
2006-11-01 11:36 -------- d-------- C:\Program Files\CONEXANT
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"DellHelp"="C:\\Dell\\DellHelp\\DellHelp.exe /c"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"Bart Station"="C:\\Program Files\\PeoplePC\\ISP6300\\BIN\\PPCOLink.exe -STATION"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,fc,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-08 19:54:04.57
C:\ComboFix.txt ... 06-12-08 19:54
C:\ComboFix2.txt ... 06-12-08 19:50

And finally a new HijackThis log - I note that at "O20 Winlogon Notify . . . " referencing ddayx.dll, it indicates a file is missing . . . I'm assuming that's good in this case.

Logfile of HijackThis v1.99.1
Scan saved at 8:02:06 PM, on 12/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\Documents and Settings\John J. Simbal\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AA6EF2A9-5429-4B50-B9E5-785F126A6C74} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = C:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162679734906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164337179816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Before posting this, I did change the security settings on the TrendMicro firewall to "high security" rather than the recommended "medium" and made sure IE7 was configured per the recommendations at bleepingcomputer.com . . . the only popup I've seen so far is a firewall notice that a Dell support program was trying to make an outbound connection . . . probably harmless, but I blocked it . . . we dialup users have to conserve bandwidth! Still, I do believe things are looking up! :thumbsup:

#10 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 December 2006 - 12:11 AM

Hi John,

I don't think you will see any more popups, as we have broken Vundo's back. :thumbsup:

************************

You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner, copy and paste C:\WINDOWS\system32\drvlav.dll into the upload box and scan it.

Then repeat the scan above with these files
C:\WINDOWS\system32\drvjen.dll
C:\WINDOWS\system32\vfvgmcni.exe
C:\WINDOWS\system32\ppetppff.exe
C:\WINDOWS\system32\sghmqdol.exe


Let me know the results.
Copy and paste the outputs to this thread.

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


************************

Please double-click on My Computer and locate the file " C:\WINDOWS\system32\drvlav.dll". 
Right-click on it and choose "Properties", then click on the "Version" tab at the top. 
Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

Then do the same with these files:
C:\WINDOWS\system32\drvjen.dll
C:\WINDOWS\system32\vfvgmcni.exe
C:\WINDOWS\system32\ppetppff.exe
C:\WINDOWS\system32\sghmqdol.exe


Be sure to post the results.

************************

Time to kill some leftover malware. :flowers:

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O2 - BHO: (no name) - {AA6EF2A9-5429-4B50-B9E5-785F126A6C74} - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)


Run CCleaner to empty the temp files.

Reboot, post the results of the Jotti online scans, the file properties, a fresh HijackThis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 John S. (Topic Starter)

Posted 09 December 2006 - 06:44 PM

SifuMike,

Here are the results of the jotti scans:


File: drvlav.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2fa00ecf4a132a2d0842ad4c33b72bed
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
AntiVir Found SecurityPrivacyRisk/Dldr.WinFi.O.71 riskware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.FakeAlert.S
ClamAV Found nothing
Dr.Web Found Trojan.Fakealert
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Hoax.Renos.NAJ application
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: drvjen.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2fa00ecf4a132a2d0842ad4c33b72bed
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
AntiVir Found SecurityPrivacyRisk/Dldr.WinFi.O.71 riskware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.FakeAlert.S
ClamAV Found nothing
Dr.Web Found Trojan.Fakealert
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Hoax.Renos.NAJ application
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: vfvgmcni.exe
Status: INFECTED/MALWARE
MD5 947ae1a7fb12cf058c6938ab4c0c3a5b
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/VSAddinDLL.A adware
ArcaVir Found Adware.Agent.At
Avast Found nothing
AVG Antivirus Found Generic.RUQ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.SearchColours
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at
NOD32 Found Win32/Adware.Toolbar.SearchColours application
Norman Virus Control Found W32/Virtumonde.SR
VirusBuster Found Adware.SearchColors.A
VBA32 Found AdWare.Win32.Searchcolor.a


File: ppetppff.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 947ae1a7fb12cf058c6938ab4c0c3a5b
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/VSAddinDLL.A adware
ArcaVir Found Adware.Agent.At
Avast Found nothing
AVG Antivirus Found Generic.RUQ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.SearchColours
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at
NOD32 Found Win32/Adware.Toolbar.SearchColours application
Norman Virus Control Found W32/Virtumonde.SR
VirusBuster Found Adware.SearchColors.A
VBA32 Found AdWare.Win32.Searchcolor.a


File: sghmqdol.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 947ae1a7fb12cf058c6938ab4c0c3a5b
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/VSAddinDLL.A adware
ArcaVir Found Adware.Agent.At
Avast Found nothing
AVG Antivirus Found Generic.RUQ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.SearchColours
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at
NOD32 Found Win32/Adware.Toolbar.SearchColours application
Norman Virus Control Found W32/Virtumonde.SR
VirusBuster Found Adware.SearchColors.A
VBA32 Found AdWare.Win32.Searchcolor.a


When I try to look at the "Properties" of these files, I don't get a "Version" tab at all in the popup window - I tried this on a few legitimate files, and I DID get the Version tab, along with access to the other info, so I guess that's another indication that these files are illegitimate.

drvlav.dll PROPERTIES

Only available tabs are "General" "Virus Property" and "Summary"

Type of file: Application Extension
Opens With: Unknown Application
Location: C:\WINDOWS\system32
Size: 71.0 KB (72,704 bytes)
Size on disk: 72.0 KB (73,728 bytes)

Created: Thursday, December 07, 2006, 6:53:43 PM
Modified: Today, December 09, 2006, 4:18:59 PM
Accessed: Today, December 09, 2006, 4:18:59 PM

drvjen.dll PROPERTIES

Only available tabs are "General" "Virus Property" and "Summary"

Type of file: Application Extension
Opens With: Unknown Application
Location: C:\WINDOWS\system32
Size: 71.0 KB (72,704 bytes)
Size on disk: 72.0 KB (73,728 bytes)

Created: Wednesday, December 06, 2006, 4:57:57 PM
Modified: Wednesday, December 06, 2006, 4:57:56 PM
Accessed: Today, December 09, 2006, 4:19:34 PM

vfvgmcni.exe PROPERTIES

Only available tabs are "General" "Compatibility" "Virus Property" and "Summary"

Type of file: Application
Description: vfvgmcni
Location: C:\WINDOWS\system32
Size: 108 KB (110,612 bytes)
Size on disk: 112 KB (114,688 bytes)

Created: Monday, November 06, 2006, 9:08:52 PM
Modified: Monday, November 06, 2006, 9:09:09 PM
Accessed: Today, December 09, 2006, 4:44:33 PM


ppetppff.exe PROPERTIES

Only available tabs are "General" "Compatibility" "Virus Property" and "Summary"

Type of file: Application
Description: ppetppff
Location: C:\WINDOWS\system32
Size: 108 KB (110,612 bytes)
Size on disk: 112 KB (114,688 bytes)

Created: Monday, November 06, 2006, 9:08:18 PM
Modified: Monday, November 06, 2006, 9:08:35 PM
Accessed: Today, December 09, 2006, 4:47:50 PM


sghmqdol.exe PROPERTIES

Only available tabs are "General" "Compatibility" "Virus Property" and "Summary"

Type of file: Application
Description: sghmqdol
Location: C:\WINDOWS\system32
Size: 108 KB (110,612 bytes)
Size on disk: 112 KB (114,688 bytes)

Created: Sunday, November 05, 2006, 7:41:56 PM
Modified: Sunday, November 05, 2006, 7:42:13 PM
Accessed: Today, December 09, 2006, 4:49:54 PM


I noticed similarities in these files (size) and, just by eyeballing the folder contents, saw a couple more suspicious files in the c:\WINDOWS\system32 folder - I took the liberty of scanning these with Jotti:

File: chacdvsw.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 947ae1a7fb12cf058c6938ab4c0c3a5b
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/VSAddinDLL.A adware
ArcaVir Found Adware.Agent.At
Avast Found nothing
AVG Antivirus Found Generic.RUQ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.SearchColours
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at
NOD32 Found Win32/Adware.Toolbar.SearchColours application
Norman Virus Control Found W32/Virtumonde.SR
VirusBuster Found Adware.SearchColors.A
VBA32 Found AdWare.Win32.Searchcolor.

File: mlcttdur.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 947ae1a7fb12cf058c6938ab4c0c3a5b
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/VSAddinDLL.A adware
ArcaVir Found Adware.Agent.At
Avast Found nothing
AVG Antivirus Found Generic.RUQ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.SearchColours
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.at
NOD32 Found Win32/Adware.Toolbar.SearchColours application
Norman Virus Control Found W32/Virtumonde.SR
VirusBuster Found Adware.SearchColors.A
VBA32 Found AdWare.Win32.Searchcolor.a


Looks like some malware was installed repeatedly with randomized names . . .

I then killed the O2 and O20 files with HijackThis in Normal Mode, rebooted to Safe Mode and ran CCleaner, and then rebooted to Normal Mode again, generating the following HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 5:26:14 PM, on 12/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John S.\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = C:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162679734906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164337179816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

The computer seems to be running normally . . . I did a little web surfing, read some email (I had to grant explicit cookie access to the specific websites - mail.yahoo.com and peoplepc.com - where I have email accounts in order to sign in) and got NO unwanted popups, no WinAntivirusPro ads, or anything of the sort - I only saw what I wanted to, and nothing noticeably slowed down the system by downloading in the background . . . at least, as far as I know.

Progress IS being made, and I think I'm learning a bit in the process.

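The pattern John S. spotted by eye in the post above (five differently named .exe files in system32 sharing one MD5 and one size, and two .dll files sharing another) can be found mechanically by hashing a directory and grouping by digest. The following is an added example, not code from the thread or from any of the tools it mentions. The file names and bodies it hashes are constructed stand-ins; on a real machine you would point sweep_directory() at C:\WINDOWS\system32 and pass the MD5s from the scanner reports as the known-bad list.

```python
"""Group files by digest to expose one payload installed under several names.

Added example, not part of the forum thread. Every .exe John S. submitted
to Jotti came back with the same MD5 and size, and the two .dll files
shared another digest. Hashing every file under a directory and grouping
by digest finds such renamed copies directly; a list of known-bad digests
can be swept for in the same pass.

Assumptions (not from the thread): SAMPLE_FILES below are constructed
stand-ins, and the known-bad digest in demo() is computed from them.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample tree: three copies of one body under random-looking
# names, two copies of another, and one unrelated file.
SAMPLE_FILES = {
    "vfvgmcni.exe": b"ADWARE-BODY-A" * 100,
    "ppetppff.exe": b"ADWARE-BODY-A" * 100,
    "sghmqdol.exe": b"ADWARE-BODY-A" * 100,
    "drvlav.dll": b"DOWNLOADER-BODY-B" * 50,
    "drvjen.dll": b"DOWNLOADER-BODY-B" * 50,
    "legit.dll": b"unrelated-system-file" * 10,
}


def build_sample_tree(root):
    """Write the constructed sample files into root."""
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def file_digests(path):
    """Return (md5, sha256, size) for one file, hashing in 64 KiB chunks."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha.hexdigest(), size


def sweep_directory(root, known_bad_md5=()):
    """Hash every readable regular file under root.

    Returns a dict with
      'clusters'   : {md5: [paths]} for digests seen on two or more files
      'known_bad'  : [(path, md5)] for files whose MD5 is in known_bad_md5
      'records'    : {path: (md5, sha256, size)} for everything hashed
      'unreadable' : paths that could not be opened (locked, no access)
    """
    known = {h.lower() for h in known_bad_md5}
    records, unreadable = {}, []
    by_md5 = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            try:
                rec = file_digests(path)
            except OSError:
                unreadable.append(path)
                continue
            records[path] = rec
            by_md5[rec[0]].append(path)
    clusters = {h: sorted(p) for h, p in by_md5.items() if len(p) > 1}
    known_bad = sorted((p, r[0]) for p, r in records.items() if r[0] in known)
    return {"clusters": clusters, "known_bad": known_bad,
            "records": records, "unreadable": unreadable}


def report(result):
    """One block per duplicate cluster, then any known-bad hits."""
    lines = []
    for digest, paths in sorted(result["clusters"].items()):
        lines.append(f"MD5 {digest} appears {len(paths)} times:")
        lines.extend("    " + os.path.basename(p) for p in paths)
    for path, digest in result["known_bad"]:
        lines.append(f"KNOWN BAD {digest}: {path}")
    return "\n".join(lines)


def demo():
    """Build the sample tree in a temp dir, sweep it, and return basenames only."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        bad_md5 = file_digests(os.path.join(tmp, "vfvgmcni.exe"))[0]
        result = sweep_directory(tmp, known_bad_md5=[bad_md5.upper()])
        result["clusters"] = {h: [os.path.basename(p) for p in ps]
                              for h, ps in result["clusters"].items()}
        result["known_bad"] = [(os.path.basename(p), h)
                               for p, h in result["known_bad"]]
        return bad_md5, result


if __name__ == "__main__":
    print(report(demo()[1]))
```

Two things worth keeping from this beyond the demo: record the SHA-256 alongside the MD5 the online scanners report, since MD5 collisions are cheap to produce and a later comparison should not rest on it alone, and treat unreadable files as findings rather than noise, because a file that cannot be opened in Normal Mode is often the one holding the handle.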
#12 SifuMike (malware expert, Staff Emeritus)

Posted 09 December 2006 - 07:01 PM

Hi John,


Your HijackThis log looks clean, but we need to get rid of those malware files.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab, select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click Properties. Make sure 'Read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders listed below (do not be concerned if they do not exist):

C:\WINDOWS\system32\drvlav.dll <==file
C:\WINDOWS\system32\drvjen.dll <==file
C:\WINDOWS\system32\vfvgmcni.exe <==file
C:\WINDOWS\system32\ppetppff.exe <==file
C:\WINDOWS\system32\sghmqdol.exe <==file
c:\WINDOWS\system32\chacdvsw.exe <==file
c:\WINDOWS\system32\mlcttdur.exe <==file

Run CCleaner to empty the temp files.

Reboot

***********************

Go here and run the online scan, allow it to delete whatever is found: Panda ActiveScan
Note: This scanner is for Internet Explorer only!
- Once you are on the Panda site, click the Scan your PC button
- A new window will open; click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click Send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: it may take a couple of minutes, so be patient)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post the contents of Panda scan, run ComboFix and post the ComboFix log.

Edited by SifuMike, 09 December 2006 - 07:09 PM.


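The manual removal step in the post above (delete from Safe Mode; if that fails, untick Read-only; if it still fails, rename to a random word and drag the file elsewhere) can be carried out the same way in a script, with one change a practitioner would want: move each file into a quarantine folder after recording its size and SHA-256 instead of deleting it, so the sample survives for a later check. This is an added example, not code from the thread or from HijackThis, CCleaner or ComboFix. The directory layout, file bodies and quarantine location in demo() are constructed; on a real system you would pass the seven C:\WINDOWS\system32 paths from the post to quarantine_all().

```python
"""Quarantine, rather than delete, a list of suspect files.

Added example, not part of the forum thread. Follows the post's manual
procedure (clear Read-only, rename to a random name, move elsewhere) but
keeps the file in a quarantine folder and records its size and SHA-256
first. Paths that do not exist are skipped, as the post says to expect.

Assumptions (not from the thread): everything built in demo() is
constructed; the quarantine folder is a hypothetical location.
"""
import hashlib
import os
import secrets
import shutil
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _clear_read_only(path):
    """Same effect as unticking 'Read-only' in the Properties dialog."""
    os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | stat.S_IWRITE)


def quarantine(path, quarantine_dir):
    """Move one file into quarantine_dir under a random name.

    Returns a record dict, or None when the path does not exist
    ("Do not be concerned if they do not exist").
    """
    if not os.path.isfile(path):
        return None
    rec = {"original": path, "size": os.path.getsize(path),
           "sha256": _sha256(path)}
    try:
        _clear_read_only(path)
        # Rename to a random word before moving, as the post suggests, so
        # nothing that tracks the file by name follows it into quarantine.
        dest = os.path.join(quarantine_dir,
                            secrets.token_hex(4) + ".quarantined")
        shutil.move(path, dest)
        # Leave the quarantined copy read-only so it is not run by accident.
        os.chmod(dest, stat.S_IREAD)
    except OSError as exc:
        rec["error"] = str(exc)  # "If you still can't, be sure to let me know."
        return rec
    rec["quarantined_as"] = dest
    return rec


def quarantine_all(paths, quarantine_dir):
    """Process every path; returns one record per file that existed."""
    os.makedirs(quarantine_dir, exist_ok=True)
    return [r for r in (quarantine(p, quarantine_dir) for p in paths) if r]


def demo():
    """Constructed scenario: two listed files exist (one read-only), one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "system32")
        os.makedirs(sys32)
        targets = [os.path.join(sys32, n)
                   for n in ("drvlav.dll", "vfvgmcni.exe", "chacdvsw.exe")]
        for path, body in zip(targets[:2], (b"DL" * 32, b"AD" * 64)):
            with open(path, "wb") as fh:
                fh.write(body)
        os.chmod(targets[1], stat.S_IREAD)  # simulate the Read-only attribute
        records = quarantine_all(targets, os.path.join(tmp, "quarantine"))
        return {
            "quarantined": [os.path.basename(r["original"]) for r in records],
            "sizes": [r["size"] for r in records],
            "digests": [r["sha256"] for r in records],
            "errors": [r.get("error") for r in records],
            "remaining": [os.path.basename(p) for p in targets
                          if os.path.exists(p)],
            "new_names": [os.path.basename(r.get("quarantined_as", ""))
                          for r in records],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A file that still cannot be moved after the Read-only bit is cleared is almost always held open by a running process, which is why the post has this done from Safe Mode; the record's "error" field is what you would paste back into the thread in that case.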
#13 John S. (Topic Starter)

Posted 10 December 2006 - 05:59 PM



SifuMike,

Here's what I did:

Booted into safe mode.

Manually deleted subject malware files without incident.

Ran CCleaner without incident.

Ran Panda Active Scan - to my admittedly inexperienced eye, it apparently found only a "test" virus which seems to be part of the TrendMicro PC-Cillin bundle that Dell shipped the computer with.

Here's the Panda log:



Incident Status Location

Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]

Rebooted to normal mode, ran ComboFix . . . here's the log:

John S. - 06-12-10 16:23:30.37 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\John S.\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))


2006-12-10 16:20 <DIR> dr-h----- C:\Documents and Settings\John S.\Recent
2006-12-08 17:11 <DIR> d-------- C:\Program Files\CCleaner
2006-12-07 17:33 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-07 17:33 <DIR> d-------- C:\Program Files\Grisoft
2006-12-06 18:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-06 17:11 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-04 21:36 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\Mozilla
2006-12-04 21:35 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-04 18:19 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\Lavasoft
2006-12-04 18:08 <DIR> d-------- C:\VundoFix Backups
2006-12-04 18:08 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-04 18:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-04 18:07 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-04 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-01 19:05 <DIR> d-------- C:\Program Files\BillP Studios
2006-12-01 19:05 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\WinPatrol
2006-11-23 20:13 <DIR> d-------- C:\Program Files\Panicware
2006-11-23 11:55 <DIR> d-------- C:\Downloads
2006-11-22 20:08 <DIR> d-------- C:\Program Files\THQ
2006-11-22 16:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-22 16:05 <DIR> d-------- C:\Documents and Settings\John S.\Application Data\ScamGuard
2006-11-22 16:02 <DIR> d-------- C:\WINDOWS\peoplepc
2006-11-22 16:01 <DIR> d-------- C:\Program Files\PeoplePC Accelerated
2006-11-22 15:56 67,584 --------- C:\WINDOWS\system32\unPPC.exe
2006-11-22 15:56 63,488 --------- C:\WINDOWS\system32\unPPC6000.exe
2006-11-22 15:56 45,056 --------- C:\WINDOWS\system32\ppcwebi.dll
2006-11-22 15:56 37,888 --------- C:\WINDOWS\system32\PPCOUNIN.exe
2006-11-22 15:56 28,672 --------- C:\WINDOWS\system32\RegHero.exe
2006-11-22 15:56 18,432 --------- C:\WINDOWS\system32\PPCInfo.exe
2006-11-22 15:56 10,752 --------- C:\WINDOWS\system32\PopWait.exe
2006-11-22 15:56 <DIR> d-------- C:\Program Files\PeoplePC
2006-11-21 18:18 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-21 18:18 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-21 18:18 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-21 18:17 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-18 18:08 <DIR> d-------- C:\Program Files\directx
2006-11-12 17:47 <DIR> d-------- C:\Program Files\Activision
2006-11-12 17:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-11-11 10:27 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-10 20:03 <DIR> d-------- C:\Program Files\Stardock


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-10 16:07 -------- d-------- C:\Program Files\QuickTime
2006-12-10 16:07 -------- d-------- C:\Program Files\Norton Ghost
2006-12-10 16:04 -------- d-------- C:\Program Files\Internet Explorer
2006-12-10 16:03 -------- d-------- C:\Program Files\Google
2006-12-10 16:03 -------- d-------- C:\Program Files\Digital Line Detect
2006-12-10 16:03 -------- d-------- C:\Program Files\Dell Support
2006-12-10 16:03 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-10 16:02 -------- d-------- C:\Program Files\BAE
2006-12-10 16:02 -------- d-------- C:\Program Files\AGEIA Technologies
2006-12-08 22:36 -------- d---s---- C:\Documents and Settings\John S.\Application Data\Microsoft
2006-12-02 22:02 -------- d-------- C:\Program Files\WildTangent
2006-12-02 18:23 5120 --a------ C:\Documents and Settings\John S.\Application Data\dvd.bmk
2006-12-01 18:23 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-01 18:23 -------- d-------- C:\Documents and Settings\John S.\Application Data\Adobe
2006-12-01 18:00 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-11-26 21:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-26 21:13 -------- d-------- C:\Program Files\Microsoft Games
2006-11-12 18:07 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-09 20:47 -------- d-------- C:\Documents and Settings\John S.\Application Data\Sun
2006-11-05 19:25 -------- d-------- C:\Program Files\Windows Media Player
2006-11-05 16:11 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-11-05 15:59 -------- d-------- C:\Program Files\Ubisoft
2006-11-05 07:43 -------- d-------- C:\Program Files\America Online 9.0
2006-11-04 20:18 -------- d-------- C:\Documents and Settings\John S.\Application Data\Ahead
2006-11-04 19:59 -------- d-------- C:\Program Files\Ahead
2006-11-04 19:55 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 19:55 -------- d-------- C:\Program Files\Common Files
2006-11-04 18:51 -------- d-------- C:\Documents and Settings\John S.\Application Data\Sonic
2006-11-04 17:24 -------- d-------- C:\Program Files\Adobe
2006-11-04 16:26 -------- d-------- C:\Documents and Settings\John S.\Application Data\Google
2006-11-04 16:03 -------- d-------- C:\Documents and Settings\John S.\Application Data\Symantec
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 14:13 -------- d-------- C:\Documents and Settings\John S.\Application Data\Macromedia
2006-11-04 14:00 -------- d-------- C:\Program Files\Modem Helper
2006-11-02 20:34 -------- d-------- C:\Documents and Settings\John S.\Application Data\Leadertech
2006-11-02 20:22 -------- d-------- C:\Program Files\Common Files\System
2006-11-02 20:22 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-02 20:21 -------- d-------- C:\Program Files\Microsoft Office
2006-11-02 20:21 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-02 20:21 -------- d-------- C:\Documents and Settings\John S.\Application Data\Microsoft Web Folders
2006-11-01 12:05 -------- d-------- C:\Program Files\Dell
2006-11-01 12:04 -------- d-------- C:\Program Files\EarthLink Setup
2006-11-01 12:03 -------- d--h----- C:\Documents and Settings\John S.\Application Data\Gtek
2006-11-01 12:03 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-01 12:03 -------- d-------- C:\Program Files\Common Files\L&H
2006-11-01 12:02 -------- d-------- C:\Program Files\Microsoft.NET
2006-11-01 12:02 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-11-01 12:02 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-11-01 12:01 -------- d-------- C:\Program Files\Yahoo!
2006-11-01 12:01 -------- d-------- C:\Program Files\Microsoft Works
2006-11-01 12:01 -------- d-------- C:\Program Files\illiminable
2006-11-01 12:01 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-11-01 12:01 -------- d-------- C:\Documents and Settings\John S.\Application Data\InstallShield
2006-11-01 11:59 -------- d-------- C:\Program Files\Sonic
2006-11-01 11:59 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-11-01 11:59 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-01 11:58 -------- d-------- C:\Program Files\Roxio
2006-11-01 11:58 -------- d-------- C:\Program Files\Common Files\TiVo Shared
2006-11-01 11:58 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-11-01 11:57 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-11-01 11:57 -------- d-------- C:\Program Files\Trend Micro
2006-11-01 11:56 -------- d-------- C:\Program Files\Symantec
2006-11-01 11:55 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-11-01 11:55 -------- d-------- C:\Program Files\Viewpoint
2006-11-01 11:55 -------- d-------- C:\Program Files\Real
2006-11-01 11:55 -------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2006-11-01 11:55 -------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-11-01 11:55 -------- d-------- C:\Program Files\Learn2.com
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\Real
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\aolshare
2006-11-01 11:55 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-01 11:55 -------- d-------- C:\Program Files\AOL Companion
2006-11-01 11:54 -------- d-------- C:\Program Files\NetZeroInstallers
2006-11-01 11:54 -------- d-------- C:\Program Files\MUSICMATCH
2006-11-01 11:54 -------- d-------- C:\Program Files\Corel
2006-11-01 11:54 -------- d-------- C:\Program Files\Common Files\Corel
2006-11-01 11:53 -------- d-------- C:\Program Files\NetWaiting
2006-11-01 11:52 -------- d-------- C:\Program Files\InterActual
2006-11-01 11:52 -------- d-------- C:\Program Files\Intel
2006-11-01 11:49 -------- d-------- C:\Program Files\Sigmatel
2006-11-01 11:49 -------- d-------- C:\Program Files\Outlook Express
2006-11-01 11:47 -------- d-------- C:\Program Files\Messenger
2006-11-01 11:47 -------- d-------- C:\Program Files\Java
2006-11-01 11:47 -------- d-------- C:\Program Files\Common Files\Java
2006-11-01 11:36 -------- d-------- C:\Program Files\CONEXANT
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"DellHelp"="C:\\Dell\\DellHelp\\DellHelp.exe /c"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"Bart Station"="C:\\Program Files\\PeoplePC\\ISP6300\\BIN\\PPCOLink.exe -STATION"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,fc,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-10 16:23:50.20
C:\ComboFix.txt ... 06-12-10 16:23

I wouldn't even guess as to what ComboFix is showing . . . it's so much Greek to me.

Immediately after ComboFix ran, a window opened labeled "Recovery Point Browser" with the wording "Error ED80001: C:\ComboFix.txt is corrupt, because its size is not a valid image size." Then the recovery point browser opened a little task window to say "No recovery points found in any of the recovery point locations in this computer. Please choose another location to search for recovery points."

(BTW, instead of Notepad, it's the Recovery Point Browser that tries to open the file if I just click on a .txt file. Bad mapping somewhere?)

I just closed the recovery point browser . . . but I'm guessing the absence of recovery points is a good sign since recovering from a time the computer was infected would probably re-infect things, eh?


Otherwise, the computer seems to be running OK - no popups, no browser redirects, I'm not seeing lots of unexplained download activity when I take a look at the status window . . . I think I'm on my way to becoming a happy camper. :thumbsup:
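
The registry block at the end of a ComboFix log is the part worth reading closely, because the Run keys it lists are exactly where adware of this kind re-launches itself at every logon. What follows is an added example, not code from this thread or from ComboFix, that parses that REGEDIT4-style dump in Python: it re-joins the wrapped hex values, decodes the hex(2) and dword entries (the InstallVisualStyle value above is simply the ANSI bytes of C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles), splits every Run-key command into image and arguments the way CreateProcess resolves them, and flags what a helper looks for first: an image given with no path at all (stsystra.exe, RUNDLL32.EXE), an image sitting under a user-writable profile or Temp directory, and rundll32 hosts whose real code is the DLL named in the arguments. The sample text is a constructed subset of the log above plus one made-up "Constructed" entry pointing into a Temp folder; the checks are heuristics, not a verdict, and a clean-looking path such as the Intel or Dell entries still has to be matched against what the vendor actually ships.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample, not the poster's full log: a few Run entries and one policy
# value copied from the log above, plus a made-up "Constructed" entry under Temp.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"Constructed"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DellHelp"="C:\\Dell\\DellHelp\\DellHelp.exe /c"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
  63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
  6d,73,73,74,79,6c,65,73,00
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
_UNESCAPE = re.compile(r"\\(.)")                          # \\ -> \  and  \" -> "
EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


def _logical_lines(text: str) -> List[str]:
    """Re-join hex values that the exporter wrapped with a trailing backslash."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") and "=hex" in line else ""
        if not pending:
            out.append(line)
    return out + ([pending] if pending else [])

def _decode_data(data: str) -> Union[str, int, bytes]:
    """Decode one .reg data field: "string", dword:XXXXXXXX or hex(type):bytes."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return _UNESCAPE.sub(r"\1", data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if m.group(1) != "2":                 # only REG_EXPAND_SZ is turned into text here
        return raw
    # REGEDIT4 dumps (this log) hold ANSI bytes; "Version 5.00" dumps hold UTF-16LE,
    # recognisable by the zero high byte of every ASCII character.
    utf16 = bool(raw) and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if utf16 else raw.decode("cp1252", "replace")
    return text.rstrip("\x00")

def parse_reg_dump(text: str) -> Dict[str, Dict[str, Union[str, int, bytes]]]:
    """Return {key: {value_name: decoded_data}} for every [KEY] block in the dump."""
    sections: Dict[str, Dict[str, Union[str, int, bytes]]] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            current[_UNESCAPE.sub(r"\1", m.group(1))] = _decode_data(m.group(2).strip())
    return sections

def split_command(cmd: str) -> Tuple[str, str]:
    """(image, args) as CreateProcess resolves it: quoted image, else shortest exe prefix."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        if " ".join(tokens[:i]).lower().endswith(EXEC_EXTS):
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return (tokens[0], " ".join(tokens[1:])) if tokens else ("", "")

def triage_run_entries(text: str) -> List[Dict[str, object]]:
    """List every Run/RunOnce value with the points a reviewer should look at."""
    results: List[Dict[str, object]] = []
    for key, values in parse_reg_dump(text).items():
        if not re.search(r"\\run(once)?$", key.lower()):
            continue
        for name, data in values.items():
            if not isinstance(data, str):
                continue
            image, args = split_command(data)
            findings = []
            if not re.match(r"[a-zA-Z]:\\|\\\\", image):
                findings.append("relative image path: resolved via the search path at logon, "
                                "so a same-named file found earlier would run instead")
            if any(p in image.lower() for p in USER_WRITABLE):
                findings.append("image is under a user-writable profile/Temp directory")
            if image.lower().endswith("rundll32.exe"):
                findings.append("rundll32 host: the code that actually runs is "
                                + args.split(",", 1)[0].strip().strip('"'))
            results.append({"key": key, "name": name, "command": data,
                            "image": image, "args": args, "findings": findings})
    return results
```

Feed the whole "Reg Loading Points" text to triage_run_entries() and look at every record whose findings list is not empty before calling a log clean. Two limits to keep in mind: 8.3 short names such as PROGRA~1 cannot be expanded without the file system, and a relative image like stsystra.exe is only safe if the directory it actually resolves to (System32 here) is not writable by the logged-on user.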

#14 SifuMike (malware expert, Staff Emeritus)

Posted 10 December 2006 - 06:48 PM

Hi John,

Your log looks clean! :thumbsup: Good job on the cleanup! :flowers:

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Please read and follow How did I get infected?, with steps so it does not happen again!

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 John S. (Topic Starter)

Posted 12 December 2006 - 08:42 AM

SifuMike,

Well, I followed your last set of instructions, and all looks well . . . cleared the System Restore points, established a new backup with Norton Ghost (came with the PC), made sure the IE7 security settings were set per the recommendations in your link, made sure I have the latest security updates for Windows from the Windows Update site, I updated AdAware SE, Spybot S&D, Spywareblaster, PopupStopper, and TrendMicro PC-Cillin, and confirmed that the TrendMicro firewall was set to "high" security.

So I figure I'll use the computer in its current state for a week or so (keeping the above programs current!) and then report back . . . but in the meantime I'd like some advice . . .

I've read that it's generally a bad idea to run two firewalls or two antivirus products at the same time, so right now I've deactivated the Microsoft firewall and popup stoppers, and am just using the TrendMicro stuff.

I can install Symantec Anti-Virus 9.0.1 legitimately on my home PC thanks to a licensing agreement with my employer, and of course ZoneAlarm's free edition is pretty highly regarded. If you were in my shoes, would you stick with the Trend Micro firewall and antivirus, or would you go with the Symantec AV and ZoneAlarm . . . or something else entirely?

Thank you and best regards.

John S.



