Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Started With Smitfraud.c Toolbar Infection And Multi Trojans


  • Please log in to reply
13 replies to this topic

#1 sailin

sailin

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 13 March 2007 - 04:35 PM

I can't get over how how fast and how many things I got hit with - and I'm on a standard 56K dial-up connection. After a low level format and repartition (several formats actually) I did a clean install of Win 2KPro. I believe my mistake was going for all the Windows and IE updates before putting the security programs in place. The ONLY site I went to was microsoft update. Then began the security installs and updates - ZA, Spybot S&D, AdAware SE Plus, Spywareblaster, AVG. Spybot, AVG and AdAware all found issues and supposedly eliminated them but Spybot kept finding the Smitfraud.c Toolbar. Since I was unable to "validate" my account at the time, I followed the instructions given to "Trelane" on 3-11-07 since he also had a problem with Smitfraud and his setup was nearly identicle. I DL'd and ran (with hidden files showing and TeaTimer off) ResetTeaTimer, ATF Cleaner, SDFix, looked for mwvjnrxc.dll in safe mode (not found), ran SmitfraudFix (by S!R!) and VundoFix.
I should be clean at this point but apparently not. I still see items in the HJT log that I can't identify, some say "file missing" and one that sounds ominous "disabled by BHODemon". The computer still tries to dial out on occasion but I've set it so I have to hit the "connect" button first. I've posted the logs/reports below.
Not sure what to do at this point.
AAAARRRRGGGGGHHHH!!!! (please help)

*********************************************************
First HJT
log.....
Logfile of HijackThis v1.99.1
Scan saved at 6:49:16 PM, on 3/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5946FA9C-F114-4D3C-9EFC-A95984AFB90F} - (no file)
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O2 - BHO: (no name) - {7E666036-67F2-4536-9688-B1697D7CC9C1} - (no file)
O2 - BHO: (no name) - {83C3439A-5872-49E9-B304-3BAAE92E061C} - (no file)
O2 - BHO: (no name) - {9446CE6C-E549-4F14-8F17-0006BD841B4A} - C:\WINNT\system32\cbxwv.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINNT\system32\ioghukeh.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - (no file)
O2 - BHO: (no name) - {E6E502EB-364A-4297-8219-C9351EE0D5C5} - (no file)
O2 - BHO: (no name) - {F59AAE06-CC90-4EB5-92C7-53723A9513F7} - (no file)
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (disabled by BHODemon)
O2 - BHO: (no name) - {FDEA8B50-5D70-4293-865F-141F7EB156C0} - C:\WINNT\system32\wvuuusq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394
O20 - Winlogon Notify: cbxwv - C:\WINNT\system32\cbxwv.dll (file missing)
O20 - Winlogon Notify: efcyv - C:\WINNT\
O20 - Winlogon Notify: wvuuusq - C:\WINNT\SYSTEM32\wvuuusq.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINNT\system\system.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


*********************************************************


SDFix: Version 1.70

Run by Administrator - Sun 03/11/2007 / 22:20:09.11

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
SYSTEMSVC

Path:
"C:\WINNT\system\system.exe"

SYSTEMSVC Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\TFTP1044 - Deleted
C:\WINNT\Temp\removalfile.bat - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINNT\system32\efcyaxy.dll
C:\WINNT\system32\fccbayy.dll
C:\WINNT\system32\fccddef.dll
C:\WINNT\system32\vtursro.dll
C:\WINNT\system32\wvuuusq.dll
C:\Documents and Settings\administrator\NTUSER.DAT.tmp.LOG
C:\WINNT\system32\config\default.tmp.LOG
C:\WINNT\system32\config\software.tmp.LOG
C:\WINNT\system32\config\system.tmp.LOG

Finished


********************************************************


SmitFraudFix v2.148

Scan done at 22:42:49.89, Sun 03/11/2007
Run from C:\Documents and Settings\administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\administrator


C:\Documents and Settings\administrator\Application Data


Start Menu


C:\DOCUME~1\ADMINI~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End


************************************************************


Vundo did not creat a log/text file when it finished. It had a number of files listed, but after clicking on the "fix" button, a popup stated "Cannot inport C:\VundoFix.reg: Error opening the file. There may be a disk or file system error." All the files were apparently removed anyway except one --- C:\WINNT\System32\cbxwv.dll. I reran Vundo and the only file it listed now was the C:\WINNT\System32\cbxwv.dll which it again said "Cannot inport C:\VundoFix.reg: Error opening the file. There may be a disk or file system error."


************************************************************


Last HJT log.....
Logfile of HijackThis v1.99.1
Scan saved at 11:29:14 PM, on 3/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5946FA9C-F114-4D3C-9EFC-A95984AFB90F} - (no file)
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O2 - BHO: (no name) - {7E666036-67F2-4536-9688-B1697D7CC9C1} - (no file)
O2 - BHO: (no name) - {83C3439A-5872-49E9-B304-3BAAE92E061C} - (no file)
O2 - BHO: (no name) - {9446CE6C-E549-4F14-8F17-0006BD841B4A} - C:\WINNT\system32\cbxwv.dll (file missing)
O2 - BHO: (no name) - {E6E502EB-364A-4297-8219-C9351EE0D5C5} - (no file)
O2 - BHO: (no name) - {F59AAE06-CC90-4EB5-92C7-53723A9513F7} - (no file)
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (disabled by BHODemon)
O2 - BHO: (no name) - {FDEA8B50-5D70-4293-865F-141F7EB156C0} - C:\WINNT\system32\wvuuusq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394
O20 - Winlogon Notify: cbxwv - C:\WINNT\system32\cbxwv.dll (file missing)
O20 - Winlogon Notify: efcyv - C:\WINNT\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 13 March 2007 - 04:58 PM

Welcome to BleepingComputer sailin :thumbsup:

Please disable Adaware's AdWatch, as it may hinder the removal of some entries.
You can re-enable it after you're clean.
To disable AdWatch:
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options.

*******************************

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {5946FA9C-F114-4D3C-9EFC-A95984AFB90F} - (no file)
O2 - BHO: (no name) - {7E666036-67F2-4536-9688-B1697D7CC9C1} - (no file)
O2 - BHO: (no name) - {83C3439A-5872-49E9-B304-3BAAE92E061C} - (no file)
O2 - BHO: (no name) - {9446CE6C-E549-4F14-8F17-0006BD841B4A} - C:\WINNT\system32\cbxwv.dll (file missing)
O2 - BHO: (no name) - {E6E502EB-364A-4297-8219-C9351EE0D5C5} - (no file)
O2 - BHO: (no name) - {F59AAE06-CC90-4EB5-92C7-53723A9513F7} - (no file)
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (disabled by BHODemon)
O2 - BHO: (no name) - {FDEA8B50-5D70-4293-865F-141F7EB156C0} - C:\WINNT\system32\wvuuusq.dll (file missing)
O20 - Winlogon Notify: cbxwv - C:\WINNT\system32\cbxwv.dll (file missing)
O20 - Winlogon Notify: efcyv - C:\WINNT\


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply please.
Let me know how your pc is running now please.
Posted Image
Posted Image

#3 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 14 March 2007 - 02:58 PM

Hi Ritchie,
Thanks for your help. I was surprized by the quick response! :thumbsup:


I followed your instructions and it seems to have stopped dialing out - but I'll watch it for a few days and see what happens. There is still one item I'm not sure about. It's the BHO that was "disabled by BHODemon". I wasn't sure if I should fix it or not so I left it alone.


Question for future reference: Should all BHO's that are listed as "BHO: (no name) - {************} - (no file)" always be fixed/deleted? How about things like "C:\*******\system32\*******.dll (file missing)"?


The logs are listed below. I'll check back after work.




Logfile of HijackThis v1.99.1
Scan saved at 5:56:48 AM, on 3/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5946FA9C-F114-4D3C-9EFC-A95984AFB90F} - (no file)
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O2 - BHO: (no name) - {7E666036-67F2-4536-9688-B1697D7CC9C1} - (no file)
O2 - BHO: (no name) - {83C3439A-5872-49E9-B304-3BAAE92E061C} - (no file)
O2 - BHO: (no name) - {9446CE6C-E549-4F14-8F17-0006BD841B4A} - C:\WINNT\system32\cbxwv.dll (file missing)
O2 - BHO: (no name) - {E6E502EB-364A-4297-8219-C9351EE0D5C5} - (no file)
O2 - BHO: (no name) - {F59AAE06-CC90-4EB5-92C7-53723A9513F7} - (no file)
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (disabled by BHODemon)
O2 - BHO: (no name) - {FDEA8B50-5D70-4293-865F-141F7EB156C0} - C:\WINNT\system32\wvuuusq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394
O20 - Winlogon Notify: cbxwv - C:\WINNT\system32\cbxwv.dll (file missing)
O20 - Winlogon Notify: efcyv - C:\WINNT\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

*****************************************************************

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:31:54 AM 3/14/2007

+ Scan result:



C:\Program Files\Spybot - Search & Destroy\S&D14 GUI PATCH.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).


::Report end

*****************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 7:14:58 AM, on 3/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 14 March 2007 - 03:16 PM

Ritchie,
I tried to send the above reply this AM from home 3 times. Each time I'd complete the note and hit "add reply" IE would pop up the msg that it had encountered a problem and had to close. The last time, I wrote it beforehand in notepad and copied it to my flashdrive before pasting it and hitting the reply button. I figured I'd try to send it from here at work - obviously it worked and I apparently I have another problem at home. Perhaps re-enabling whatever it was that BHODemon had disabled has changed something?

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 14 March 2007 - 04:38 PM

First make sure Adaware's Ad Watch is still disabled.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (no file)
Exit Hijackthis,restart your pc.

Other than the above your log looks clean,hows your pc running now please.
Posted Image
Posted Image

#6 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 15 March 2007 - 08:18 PM

Still have an problem somewhere. It doesn't try to dial out anymore (yet), but when I open the browser, it begins downloading something other than just loading the earthlink start page. nothing shows in the task manager but when I shutdown and reboot, a bunch of those BHO's have returned. I fixed the:
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (no file) following your protocol, rebooted and reran HJT. Everything looks legit, but how about the two "020" items I highlighted in red? Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:01:26 AM, on 3/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394
O20 - Winlogon Notify: cbxwv - C:\WINNT\
O20 - Winlogon Notify: efcyv - C:\WINNT\

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

The above is before going back online. The following is after going online.

Logfile of HijackThis v1.99.1
Scan saved at 7:54:13 PM, on 3/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {5946FA9C-F114-4D3C-9EFC-A95984AFB90F} - (no file)
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O2 - BHO: (no name) - {7E666036-67F2-4536-9688-B1697D7CC9C1} - (no file)
O2 - BHO: (no name) - {83C3439A-5872-49E9-B304-3BAAE92E061C} - (no file)
O2 - BHO: (no name) - {9446CE6C-E549-4F14-8F17-0006BD841B4A} - (no file)
O2 - BHO: (no name) - {E6E502EB-364A-4297-8219-C9351EE0D5C5} - (no file)
O2 - BHO: (no name) - {F59AAE06-CC90-4EB5-92C7-53723A9513F7} - (no file)
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (no file)
O2 - BHO: (no name) - {FDEA8B50-5D70-4293-865F-141F7EB156C0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394
O20 - Winlogon Notify: cbxwv - C:\WINNT\
O20 - Winlogon Notify: efcyv - C:\WINNT\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 15 March 2007 - 08:27 PM

Ok,please go to Control Panel/Add or Remove Programs and remove/uninstall Adaware SE Plus,then restart your pc,you can reinstall it later when your system is clean.

********************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Please post the contents of C:\vundofix.txt into your next reply,along with a new Hijackthis log.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Posted Image
Posted Image

#8 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 15 March 2007 - 10:19 PM

OK. Ran Vundo - "no files found".

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 16 March 2007 - 02:37 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {5946FA9C-F114-4D3C-9EFC-A95984AFB90F} - (no file)
O2 - BHO: (no name) - {7E666036-67F2-4536-9688-B1697D7CC9C1} - (no file)
O2 - BHO: (no name) - {83C3439A-5872-49E9-B304-3BAAE92E061C} - (no file)
O2 - BHO: (no name) - {9446CE6C-E549-4F14-8F17-0006BD841B4A} - (no file)
O2 - BHO: (no name) - {E6E502EB-364A-4297-8219-C9351EE0D5C5} - (no file)
O2 - BHO: (no name) - {F59AAE06-CC90-4EB5-92C7-53723A9513F7} - (no file)
O2 - BHO: (no name) - {F8D8D2F3-19D6-4142-87A9-88F0BA971EDA} - (no file)
O2 - BHO: (no name) - {FDEA8B50-5D70-4293-865F-141F7EB156C0} - (no file)
O20 - Winlogon Notify: cbxwv - C:\WINNT\
O20 - Winlogon Notify: efcyv - C:\WINNT\


Exit Hijackthis,reboot,post a new Hijackthis log into your next reply.
Posted Image
Posted Image

#10 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 16 March 2007 - 11:16 PM

OK. I think the problem may be solved but it took a little guess work. I followed your protocol's (and also uninstalled AdAware and Spybot S&D) but that same group of BHO's and the two Winlogon's kept comming back when I would reboot into normal mode. I was about ready to format the hard drive and start over with another clean install. Finally, I decided to do it all one more time, but this time, while I was still in safe mode, I ran jv16PowerTools (the paid version). It found a bunch of stuff, including some of the items that kept comming back. I didn't bother to try a "fix", I just had it remove everything it found. After a reboot into normal mode, I ran HJT (didn't bother to save the logs) and those problem items never came back. Then I reinstalled AdAware, Spybot, got the updates, checked for updates to everything else and ran HJT at each step. All logs stayed clean and the system seems to be running ok. Current log as follows:

Hold that thought.

I went to a couple of reputable sites and everything seemed ok. BUT, I did a copy and paste of this reply (written in Notepad) into the forum and when I hit the "add reply" button, I got the "Microsoft IE has encountered a problem and needs to close". Tried it twice with the same result. Also tried it with AdWatch and TeaTimer turned off.

Now what!? (I had to send this from another computer.)

Here's the latest log file:



Logfile of HijackThis v1.99.1

Scan saved at 11:54:47 PM, on 3/16/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\administrator\Desktop\HijackThis\HijackThis.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172934058394

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe










Edited by sailin, 16 March 2007 - 11:18 PM.


#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 17 March 2007 - 06:08 AM

Please go to Control Panel/Add or Remove Programs and remove/uninstall Spybot - Search & Destroy,then restart your pc.

********************************

Download\install Mozilla Firefox:
http://www.mozilla.com/en-US/firefox/

Now use Firefox for the time being please,let me know exactly whats happening now.
Posted Image
Posted Image

#12 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 17 March 2007 - 08:15 AM

test

#13 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 17 March 2007 - 08:16 AM

test2

#14 sailin

sailin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:Michigan, USA
  • Local time:07:57 PM

Posted 17 March 2007 - 08:25 AM

Seems to be working ok - both when typing in directly and via copy&paste.
Hmmmmm.....
Uninstall and reinstall IE?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users