Winantivirus Pro 2006 Popup/misc Popup Ads


11 replies to this topic

#1 sknebel

sknebel

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:11 AM

Posted 10 March 2007 - 11:00 PM

When I open up my Internet Explorer I receive a WIN ANTI VIRUS PRO 2006 popup, and then, after closing that, a few minutes later I will start receiving more misc popups including ("watch live TV", a popup about anti-spyware with a blue background, and "Spyware Doctor", just to name a few). Sometimes I will open a window and have an in-window ad for Win Anti Virus Pro that moves with the screen as I scroll down, causing great grief. Thank you for your time. Let me know if you need any more information.


Logfile of HijackThis v1.99.1
Scan saved at 9:45:15 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Stewart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oumpkpqk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

#2 RichieUK - Malware Response Team

Posted 11 March 2007 - 04:54 AM

Welcome to BleepingComputer sknebel :thumbsup:

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

How to create a new folder named HJT
1. Click Start/My Computer. In the 'My Computer' window, open the window in which you want to create the new folder: click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

********************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

*******************************

Now please go to:
C:\HJT\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', then rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), and post that log into your next reply please.

#3 sknebel - Topic Starter

Posted 11 March 2007 - 02:20 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:17:25 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Stewart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0FC0F6BB-43B3-4306-88FA-D80D7675F80D} - C:\WINDOWS\Fonts\untent.dll
O2 - BHO: (no name) - {6722BF3E-0BBC-438C-B524-2B724CCE6D9C} - (no file)
O2 - BHO: (no name) - {9C5B2D2E-035E-4F90-888E-5A7BCE2D7818} - (no file)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\uysqkisr.dll
O2 - BHO: (no name) - {DFD5834A-BEC5-4458-99F2-A5F69EC12231} - C:\WINDOWS\system32\nujmvoxh.dll
O2 - BHO: (no name) - {EB63912C-20E2-457E-8115-EF1421F0E480} - (no file)
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oumpkpqk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fcywt - C:\WINDOWS\
O20 - Winlogon Notify: untent - C:\WINDOWS\Fonts\untent.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

#4 RichieUK - Malware Response Team

Posted 11 March 2007 - 02:34 PM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt, and a new HijackThis log, into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#5 sknebel - Topic Starter

Posted 11 March 2007 - 03:42 PM

VundoFix V6.3.15

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 2:45:41 PM 3/11/2007

Listing files found while scanning....

C:\WINDOWS\Fonts\tnetnu.bak1
C:\WINDOWS\Fonts\tnetnu.bak2
C:\WINDOWS\Fonts\tnetnu.ini
C:\WINDOWS\Fonts\untent.dll
C:\WINDOWS\system32\ciilbjww.dll
C:\WINDOWS\system32\cnkqfusb.dll
C:\WINDOWS\system32\doncjpaa.dll
C:\WINDOWS\system32\fbtuawdn.dll
C:\WINDOWS\system32\gpxirbpv.ini
C:\WINDOWS\system32\gymirmvv.dll
C:\WINDOWS\system32\hfaiqvsw.dll
C:\WINDOWS\system32\hqoxipsw.exe
C:\WINDOWS\system32\ldkxkjad.dll
C:\WINDOWS\system32\nnslerrp.dll
C:\WINDOWS\system32\oxhawghm.dll
C:\WINDOWS\system32\setqsiqy.dll
C:\WINDOWS\system32\srmncvbm.dll
C:\WINDOWS\system32\thyyfigk.dll
C:\WINDOWS\system32\urtdurse.exe
C:\WINDOWS\system32\uysqkisr.dll
C:\WINDOWS\system32\vpbrixpg.dll
C:\WINDOWS\system32\wdmpjfeq.dll
C:\WINDOWS\system32\wkevvalu.dll
C:\WINDOWS\system32\wytqfxvk.dll
C:\WINDOWS\system32\yqisqtes.ini

Beginning removal...

Attempting to delete C:\WINDOWS\Fonts\tnetnu.bak1
C:\WINDOWS\Fonts\tnetnu.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Fonts\tnetnu.bak2
C:\WINDOWS\Fonts\tnetnu.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Fonts\tnetnu.ini
C:\WINDOWS\Fonts\tnetnu.ini Has been deleted!

Attempting to delete C:\WINDOWS\Fonts\untent.dll
C:\WINDOWS\Fonts\untent.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ciilbjww.dll
C:\WINDOWS\system32\ciilbjww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cnkqfusb.dll
C:\WINDOWS\system32\cnkqfusb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\doncjpaa.dll
C:\WINDOWS\system32\doncjpaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fbtuawdn.dll
C:\WINDOWS\system32\fbtuawdn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gpxirbpv.ini
C:\WINDOWS\system32\gpxirbpv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gymirmvv.dll
C:\WINDOWS\system32\gymirmvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hfaiqvsw.dll
C:\WINDOWS\system32\hfaiqvsw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hqoxipsw.exe
C:\WINDOWS\system32\hqoxipsw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ldkxkjad.dll
C:\WINDOWS\system32\ldkxkjad.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnslerrp.dll
C:\WINDOWS\system32\nnslerrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oxhawghm.dll
C:\WINDOWS\system32\oxhawghm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\setqsiqy.dll
C:\WINDOWS\system32\setqsiqy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\srmncvbm.dll
C:\WINDOWS\system32\srmncvbm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\thyyfigk.dll
C:\WINDOWS\system32\thyyfigk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urtdurse.exe
C:\WINDOWS\system32\urtdurse.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uysqkisr.dll
C:\WINDOWS\system32\uysqkisr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vpbrixpg.dll
C:\WINDOWS\system32\vpbrixpg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wkevvalu.dll
C:\WINDOWS\system32\wkevvalu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wytqfxvk.dll
C:\WINDOWS\system32\wytqfxvk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yqisqtes.ini
C:\WINDOWS\system32\yqisqtes.ini Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 3:39:43 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Stewart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0FC0F6BB-43B3-4306-88FA-D80D7675F80D} - C:\WINDOWS\Fonts\untent.dll (file missing)
O2 - BHO: (no name) - {6722BF3E-0BBC-438C-B524-2B724CCE6D9C} - (no file)
O2 - BHO: (no name) - {9C5B2D2E-035E-4F90-888E-5A7BCE2D7818} - (no file)
O2 - BHO: (no name) - {DFD5834A-BEC5-4458-99F2-A5F69EC12231} - C:\WINDOWS\system32\nujmvoxh.dll
O2 - BHO: (no name) - {EB63912C-20E2-457E-8115-EF1421F0E480} - (no file)
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oumpkpqk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fcywt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

#6 RichieUK - Malware Response Team

Posted 11 March 2007 - 03:55 PM

Download Killbox by Option^Explicit:
http://www.killbox.net/downloads/KillBox.exe
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\nujmvoxh.dll
C:\WINDOWS\system32\oumpkpqk.dll


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.


After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {0FC0F6BB-43B3-4306-88FA-D80D7675F80D} - C:\WINDOWS\Fonts\untent.dll (file missing)
O2 - BHO: (no name) - {6722BF3E-0BBC-438C-B524-2B724CCE6D9C} - (no file)
O2 - BHO: (no name) - {9C5B2D2E-035E-4F90-888E-5A7BCE2D7818} - (no file)
O2 - BHO: (no name) - {DFD5834A-BEC5-4458-99F2-A5F69EC12231} - C:\WINDOWS\system32\nujmvoxh.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: fcywt - C:\WINDOWS\


Still in Safe Mode, launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti-Spyware report, the Actions History Log from Killbox, and a new HijackThis log into your next reply please.
Let me know how your pc is running now.
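The entries singled out for fixing above share a few tells that a log reviewer looks for: a BHO or Winlogon Notify entry with no name, a module name made of random lowercase letters in system32, a DLL living under the Fonts folder, a Notify entry pointing at a bare directory, and (from the VundoFix output earlier in the thread) a helper file whose name is the DLL's name reversed. The Python below is an added illustration, not part of this thread or of any tool it mentions: it encodes those tells as triage rules and runs them over lines copied from the logs posted above. The eight-lowercase-letter rule and the folder rule are assumptions I am making from this thread's samples, not rules HijackThis itself applies.

```python
"""Heuristic triage of HijackThis log lines, modelled on the entries in this thread."""
import re

# Constructed sample: lines copied from the HijackThis logs posted above, plus the
# legitimate ctfmon.exe and WgaLogon.dll entries so the rules have benign lines to pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0FC0F6BB-43B3-4306-88FA-D80D7675F80D} - C:\WINDOWS\Fonts\untent.dll
O2 - BHO: (no name) - {6722BF3E-0BBC-438C-B524-2B724CCE6D9C} - (no file)
O2 - BHO: (no name) - {DFD5834A-BEC5-4458-99F2-A5F69EC12231} - C:\WINDOWS\system32\nujmvoxh.dll
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oumpkpqk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fcywt - C:\WINDOWS\
O20 - Winlogon Notify: untent - C:\WINDOWS\Fonts\untent.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed subset of the files VundoFix listed in post #5 of this thread.
VUNDOFIX_FILES = [
    r"C:\WINDOWS\Fonts\tnetnu.bak1",
    r"C:\WINDOWS\Fonts\tnetnu.ini",
    r"C:\WINDOWS\Fonts\untent.dll",
    r"C:\WINDOWS\system32\ciilbjww.dll",
    r"C:\WINDOWS\system32\uysqkisr.dll",
]

# A drive-letter path ending in .dll/.exe; non-greedy so the quoted rundll32 argument
# stops at the module name instead of swallowing the ",setvm" entry point.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
# Assumption (a heuristic, not a HijackThis rule): the generated module names in this
# thread are exactly eight lowercase letters (oumpkpqk.dll, nujmvoxh.dll, uysqkisr.dll).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")


def hjt_section(line):
    """Return the HijackThis section tag ('O2', 'O4', 'O20', ...) of a log line."""
    return line.split(" - ", 1)[0].strip()


def triage_line(line):
    """Return the reasons one HijackThis line looks suspicious; [] means nothing fired."""
    reasons = []
    section = hjt_section(line)
    if section not in ("O2", "O4", "O20"):
        return reasons
    if section == "O2" and line.rstrip().endswith("- (no file)"):
        reasons.append("orphaned BHO registration (no file)")
    for path in PATH_RE.findall(line):
        folder, _, name = path.rpartition("\\")
        if RANDOM_NAME.match(name):
            reasons.append("random eight-letter module name: " + name)
        if folder.lower().endswith("\\fonts"):
            reasons.append("code module loaded from a data folder: " + path)
    if section == "O20" and line.rstrip().endswith("\\"):
        reasons.append("Winlogon Notify entry pointing at a bare directory")
    return reasons


def triage_log(text):
    """Map every suspicious line of a log to the reasons it was flagged."""
    flagged = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line) if line else []
        if reasons:
            flagged[line] = reasons
    return flagged


def reversed_name_pairs(paths):
    """Find file stems that are the reverse of another stem (untent.dll <-> tnetnu.ini)."""
    stems = set()
    for path in paths:
        name = path.rpartition("\\")[2]
        stems.add((name.rpartition(".")[0] or name).lower())
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems if s[::-1] in stems and s[::-1] != s}
    return sorted(pairs)


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
    print("reversed-name pairs:", reversed_name_pairs(VUNDOFIX_FILES))
```

These rules are a starting point for reading a log, not a verdict: the two benign lines pass only because they have recognisable names and a mixed-case filename, so a reviewer still confirms each hit against what the scanner actually removed.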

#7 sknebel - Topic Starter

Posted 11 March 2007 - 08:21 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:57:54 PM 3/11/2007

+ Scan result:



C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP166\A0021407.exe -> Adware.Searchcolor : Cleaned.
C:\VundoFix Backups\hqoxipsw.exe.bad -> Adware.Searchcolor : Cleaned.
C:\WINDOWS\system32\vwbmngxg.exe -> Adware.Searchcolor : Cleaned.
C:\WINDOWS\system32\jceuattv.dll -> Adware.Winfixer : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\bjnxkhky.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\bsmhmtbo.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\dfljqvli.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\dguarcck.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\ejiuesfi.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\esatatvt.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\fduhbwnp.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\gifihmdf.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\gnplqbof.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\gsivehme.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\hxnxyqrh.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\rkpalmao.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\xggsxxfr.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\xmciymol.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\ydcjagay.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\ywqfygcs.dll -> Logger.Agent.ps : Cleaned.
C:\Documents and Settings\admin\Local Settings\Temp\ywuhlcjc.dll -> Logger.Agent.ps : Cleaned.
C:\WINDOWS\system32\kidmbsrd.dll -> Logger.Agent.ps : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP166\A0021410.dll -> Logger.VBStat.e : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP166\A0021417.dll -> Logger.VBStat.e : Cleaned.
C:\VundoFix Backups\oxhawghm.dll.bad -> Logger.VBStat.e : Cleaned.
C:\VundoFix Backups\wkevvalu.dll.bad -> Logger.VBStat.e : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP150\A0019547.dll -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP156\snapshot\MFEX-1.DAT -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP156\snapshot\MFEX-2.DAT -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP157\A0020919.dll -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP157\snapshot\MFEX-1.DAT -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP157\snapshot\MFEX-2.DAT -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP164\A0021350.dll -> Trojan.Agent.acl : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP166\A0021401.dll -> Trojan.BHO.g : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP166\A0021405.dll -> Trojan.BHO.g : Cleaned.
C:\System Volume Information\_restore{AF4EE328-815D-4A13-B7BE-EA714DCEBBB3}\RP166\A0021418.dll -> Trojan.BHO.g : Cleaned.
C:\VundoFix Backups\cnkqfusb.dll.bad -> Trojan.BHO.g : Cleaned.
C:\VundoFix Backups\gymirmvv.dll.bad -> Trojan.BHO.g : Cleaned.
C:\VundoFix Backups\wytqfxvk.dll.bad -> Trojan.BHO.g : Cleaned.


::Report end



Pocket Killbox version 2.0.0.881
Running on Windows XP as admin(Administrator)
was started @ Sunday, March 11, 2007, 4:05 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\nujmvoxh.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\oumpkpqk.dll


I Rebooted @ 4:08:24 PM
Killbox Closed(Exit) @ 4:08:31 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as admin(Administrator)
was started @ Sunday, March 11, 2007, 4:22 PM



Logfile of HijackThis v1.99.1
Scan saved at 8:16:19 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\HJT\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Stewart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {EB63912C-20E2-457E-8115-EF1421F0E480} - (no file)
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oumpkpqk.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe



:thumbsup:
I haven't noticed any sign of any more popups as of now. It seems to be running well, other than when I boot up my computer I now get a message: ("RunDll" "Error loading C:\windows\system32\oumpkpqk.dll" "Specified module could not be found.") :flowers:

I will await any more instructions. Thank you.

#8 RichieUK - Malware Response Team

Posted 11 March 2007 - 08:47 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {EB63912C-20E2-457E-8115-EF1421F0E480} - (no file)
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oumpkpqk.dll",setvm

Exit Hijackthis.

*********************************

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

Reboot, then post a new HijackThis log please.

#9 sknebel - Topic Starter

Posted 11 March 2007 - 09:09 PM

:thumbsup:
Error message at bootup is gone and no sign of popups.


Logfile of HijackThis v1.99.1
Scan saved at 9:04:53 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\HJT\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Stewart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

#10 RichieUK - Malware Response Team

Posted 11 March 2007 - 09:27 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes'; your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are added automatically.

Read through the information found here, to help you prevent any possible future infections.
Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

#11 sknebel - Topic Starter

Posted 12 March 2007 - 04:12 AM

Thank you for all of your help; it is greatly appreciated. You do fine work. Should I now delete the tools that I downloaded to use for the clean up?

#12 RichieUK - Malware Response Team

Posted 12 March 2007 - 04:24 AM

Should I now delete the tools that I downloaded to use with clean up?

Yes indeed, by all means please do that if you wish :thumbsup: