Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple Trojans, Virtumonde(vsadd-in), Smitfraud-c, Random Pop-ups, Computer Slowness.....


  • Please log in to reply
8 replies to this topic

#1 cococj

cococj

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:nottingham
  • Local time:11:40 PM

Posted 14 March 2007 - 07:47 PM

Hi,

Well where to start prior to Sunday I've had no particular problems with spyware, trojans or the like mainly cos I scan regularly and kinda careful with what I download... however since Sunday just gone I've had a hell of a time with multiple issues.... I 'll list them in order

Sunday - Multiple warnings from AVG Resident Shield of trojan infection LOP.AX - healed or removed half hour late was back.
Monday - As sunday, then on Monday afternoon I started getting popups in browsers for spyware scanners, debt solving companies and the like
Tuesday - Multiple warnings from AVG Resident Shield of trojan infection Generic 3.GLF, Generic3.KOE and collected.11.B ---- no longer any warnings of LOP.AX
Wednesday - Pretty much as Tuesday

I have run scans with my AVG which is finding pretty much nothing, though occasionally pops up with one of the above named trojans that the resident shield didn't catch.

Ran Ad-Aware scan, removed what it found.

Ran Spybot S&D - it keeps finding multiple references to VirtuMonde and Smitfraud-c.Toolbar888 and Search toolbarcorp toolbarvision... along with other things (which it HAS managed to permanently delete) it removed the registry entries for VirtuMonde and Smitfraud, it removed the VSAdd-in folder itself as c:\program files\VSadd-in and the VSAdd-in.dll file it contained however it keeps coming back, I've manually removed the folder and contents on more than one occasion and half an hour later it's back again.

Summary of what I've used.

Scanned with AOL anti-spyware (multiple times)
Scanned with AVG anti-virus (multiple times)
Scanned with Ad-Aware (multiple times)
Scanned with Spybot S&D (multiple times) ---- Vitumonde smitfraud and search toolbar keep coming back)
Scanned with Bitdefender (nothing found)
Scanned with AVERT Stinger (nothing found)
I'm using McAfee personal firewall so do have one installed.


As things stand now, having just run another Spybot S&D scan (which is showing VirtuMonde Smitfraud and Search Toolbarcorp toolbar vision) I am STILL getting random Trojan Warings from my AVG, I am still getting random browser pop ups and I still cannot remove the Smitfraud and more importantly the VSAdd-in stuff.

I'm going crazy, I've tried to follow your steps and where they've shown a problem I have removed them etc, I'm left wondering is there another program that is downloading all this stuff which is yet to be detected or that the scans so far haven't shown or are they just refusing to be removed fully in the first place.... I will include the HijackThis log I generated now below.

ANY help in sorting this out would be most greatly appreciated.......

Thanks in advance
Chris

Logfile of HijackThis v1.99.1
Scan saved at 00:43:18, on 15/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris2\Desktop\CDR\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ukonline.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\pmwptnxm.dll",setvm
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\RunOnce: [SpybotDeletingA8149] command /c del "C:\Program Files\VSAdd-in\VSAdd-in.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4474] cmd /c del "C:\Program Files\VSAdd-in\VSAdd-in.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB197] command /c del "C:\Program Files\VSAdd-in\VSAdd-in.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2466] cmd /c del "C:\Program Files\VSAdd-in\VSAdd-in.dll_tobedeleted_old"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102w.bay102.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aolsvc.co.uk/molbin/sha...,21/mcgdmgr.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: OLE multi config - Unknown owner - C:\WINDOWS\system32\ole2.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)

BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:05:40 PM

Posted 14 March 2007 - 09:23 PM

As you suspect, there is malware showing on the log. However, there may be some we cannot even see.

Please download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs

SilentRunners shows a few Registry keys that HijackThis does not, so let's get more of the picture.

If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

Provide the content of the SilentRunners log in your reply.

Old duck...


#3 cococj

cococj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:nottingham
  • Local time:11:40 PM

Posted 14 March 2007 - 11:21 PM

Well thanks for the quick response.... I've included the log as requested below..... Incidentally I don't know if this has anything to do with it or not, but shortly after restarting after my last Spybot scan and after it scanned again at startup, my firewall (which has thus far been quiet on this) popped up and asked if pxmftqpm.exe which was located in c:\windows\system32 could have internet access, as I didn't recognize it and as I cannot find any reference to it anywhere, I blocked it ... I've also zipped it up and removed it from the folder pending anything you have to say about it.
Cheers
Chris

The log from the program you suggested I ran -------

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SNPSTD2" = "C:\WINDOWS\vsnpstd2.exe" [empty string]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"vptray" = "C:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Logitech Utility" = "LOGI_MWX.EXE" [file not found]
"2chkdsk" = "rundll32.exe "C:\WINDOWS\system32\pmwptnxm.dll",setvm" [MS]
"ISUSPM" = ""C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
-> {HKLM...CLSID} = "HelperObject Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Alcohol Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll" [file not found]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IeCatch5 Class"
\InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" [file not found]
{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{88855F7A-BFB1-4B5D-80C9-E9F2F095AD17}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\awvtq.dll" [null data]
{9AA2F14F-E956-44B8-8694-A5B615CDF341}\(Default) = (no title provided)
-> {HKLM...CLSID} = "NOW!Imaging"
\InProcServer32\(Default) = "blank" [file not found]
{AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnlkih.dll" [null data]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "gFlash Class"
\InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\getflash.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> {HKLM...CLSID} = "eLicense Control"
\InProcServer32\(Default) = "C:\WINDOWS\lcmmfu.cpl" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [file not found]
"{9DED7A30-D572-4D21-8D82-6945EA697400}" = "Macromedia FlashPaper Context Menu"
-> {HKLM...CLSID} = "FlashPaperContextHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.61 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.61 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.61 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.61 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}" = "*Z" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnlkih.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> awvtq\DLLName = "C:\WINDOWS\system32\awvtq.dll" [null data]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]
<<!>> nnnlkih\DLLName = "nnnlkih.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [file not found]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Macromedia.FlashPaper.ContextMenu\(Default) = "{9DED7A30-D572-4D21-8D82-6945EA697400}"
-> {HKLM...CLSID} = "FlashPaperContextHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll" [null data]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Create ISO Image from directory\(Default) = "{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}"
-> {HKLM...CLSID} = "CISORecorderContextMenu Object"
\InProcServer32\(Default) = "C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll" ["Alex Feinman"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "chris2" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 29 - 30


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{74DD705D-6834-439C-A735-A6DBE2677452}"
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{74DD705D-6834-439C-A735-A6DBE2677452}" = (no title provided)
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.ukonline.co.uk

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 4 domain names to IP addresses,
3 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 440 seconds, including 21 seconds for message boxes)

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:05:40 PM

Posted 15 March 2007 - 05:35 PM

Please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
{74DD705D-6834-439C-A735-A6DBE2677452}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
{74DD705D-6834-439C-A735-A6DBE2677452}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88855F7A-BFB1-4B5D-80C9-E9F2F095AD17}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"2chkdsk"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awvtq]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnlkih]



In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
Search for and remove the following folder (bold):
C:\Program Files\VSAdd-in

Search for and remove the following file (bold):
C:\WINDOWS\system32\pmwptnxm

~~~~
Restart the computer.

~~~~
Next, download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "BLUE SCREEN OF DEATH". Do not be concerned.
Just reboot if your system "jams".

The VirtumundoBeGone log VBG.txt is found on the Desktop.

~~~~
Please provide the VirtumundoBeGone log VBG.txt, and a new HijackThis log.

Edited by Aaflac, 15 March 2007 - 06:04 PM.

Old duck...


#5 cococj

cococj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:nottingham
  • Local time:11:40 PM

Posted 15 March 2007 - 07:04 PM

Hi,

Just like to start again with thanks, erm... You'll notice from the logs I'm gonna post shortly that the file you asked me to delete has changed name, this is because I attempted to remove the dll file the HJT scan had discovered yesterday myself, but it came back with a different name.... so I now followed your instructions to delete the new dll file yhgaqvob.dll and the VSAdd-in file too... so far so good have to say no pop-ups (there's time yet) but I am getting a rundll32 error on startup for the missing yhgaqvob.dll file --- not that I'm missing it's demise too much... hehe

cheers
chris

Log's as requested....

VBG
*************************************



[03/15/2007, 23:43:37] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\chris2\Desktop\VirtumundoBeGone.exe" )
[03/15/2007, 23:43:42] - Detected System Information:
[03/15/2007, 23:43:42] - Windows Version: 5.1.2600, Service Pack 2
[03/15/2007, 23:43:42] - Current Username: chris2 (Admin)
[03/15/2007, 23:43:42] - Windows is in NORMAL mode.
[03/15/2007, 23:43:42] - Searching for Browser Helper Objects:
[03/15/2007, 23:43:42] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
[03/15/2007, 23:43:42] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/15/2007, 23:43:42] - BHO 3: {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} (Alcohol Toolbar Helper)
[03/15/2007, 23:43:42] - BHO 4: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[03/15/2007, 23:43:42] - BHO 5: {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} ()
[03/15/2007, 23:43:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:42] - No filename found. Continuing.
[03/15/2007, 23:43:42] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/15/2007, 23:43:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:42] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/15/2007, 23:43:42] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/15/2007, 23:43:42] - BHO 7: {6243BFCD-E57D-4EA5-9185-39E54B991555} ()
[03/15/2007, 23:43:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:42] - Checking for HKLM\...\Winlogon\Notify\awvtq
[03/15/2007, 23:43:42] - Found: HKLM\...\Winlogon\Notify\awvtq - This is probably Virtumundo.
[03/15/2007, 23:43:42] - Assigning {6243BFCD-E57D-4EA5-9185-39E54B991555} MSEvents Object
[03/15/2007, 23:43:42] - BHO list has been changed! Starting over...
[03/15/2007, 23:43:42] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
[03/15/2007, 23:43:42] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/15/2007, 23:43:42] - BHO 3: {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} (Alcohol Toolbar Helper)
[03/15/2007, 23:43:42] - BHO 4: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[03/15/2007, 23:43:42] - BHO 5: {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} ()
[03/15/2007, 23:43:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:42] - No filename found. Continuing.
[03/15/2007, 23:43:42] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/15/2007, 23:43:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:42] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/15/2007, 23:43:42] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/15/2007, 23:43:42] - BHO 7: {6243BFCD-E57D-4EA5-9185-39E54B991555} (MSEvents Object)
[03/15/2007, 23:43:42] - ALERT: Found MSEvents Object!
[03/15/2007, 23:43:42] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/15/2007, 23:43:42] - BHO 9: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[03/15/2007, 23:43:42] - BHO 10: {AFC37E94-71A5-4E7B-9480-BCA74A5EFE39} ()
[03/15/2007, 23:43:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:42] - Checking for HKLM\...\Winlogon\Notify\nnnlkih
[03/15/2007, 23:43:42] - Found: HKLM\...\Winlogon\Notify\nnnlkih - This is probably Virtumundo.
[03/15/2007, 23:43:42] - Assigning {AFC37E94-71A5-4E7B-9480-BCA74A5EFE39} MSEvents Object
[03/15/2007, 23:43:43] - BHO list has been changed! Starting over...
[03/15/2007, 23:43:43] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
[03/15/2007, 23:43:43] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/15/2007, 23:43:43] - BHO 3: {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} (Alcohol Toolbar Helper)
[03/15/2007, 23:43:43] - BHO 4: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[03/15/2007, 23:43:43] - BHO 5: {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} ()
[03/15/2007, 23:43:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:43] - No filename found. Continuing.
[03/15/2007, 23:43:43] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/15/2007, 23:43:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:43] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/15/2007, 23:43:43] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/15/2007, 23:43:43] - BHO 7: {6243BFCD-E57D-4EA5-9185-39E54B991555} (MSEvents Object)
[03/15/2007, 23:43:43] - ALERT: Found MSEvents Object!
[03/15/2007, 23:43:43] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/15/2007, 23:43:43] - BHO 9: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[03/15/2007, 23:43:43] - BHO 10: {AFC37E94-71A5-4E7B-9480-BCA74A5EFE39} (MSEvents Object)
[03/15/2007, 23:43:43] - ALERT: Found MSEvents Object!
[03/15/2007, 23:43:43] - BHO 11: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[03/15/2007, 23:43:43] - Finished Searching Browser Helper Objects
[03/15/2007, 23:43:43] - *** Detected MSEvents Object
[03/15/2007, 23:43:43] - Trying to remove MSEvents Object...
[03/15/2007, 23:43:44] - Terminating Process: IEXPLORE.EXE
[03/15/2007, 23:43:44] - Terminating Process: RUNDLL32.EXE
[03/15/2007, 23:43:44] - Disabling Automatic Shell Restart
[03/15/2007, 23:43:44] - Terminating Process: EXPLORER.EXE
[03/15/2007, 23:43:44] - Suspending the NT Session Manager System Service
[03/15/2007, 23:43:45] - Terminating Windows NT Logon/Logoff Manager
[03/15/2007, 23:43:45] - Re-enabling Automatic Shell Restart
[03/15/2007, 23:43:45] - File to disable: C:\WINDOWS\system32\awvtq.dll
[03/15/2007, 23:43:45] - Renaming C:\WINDOWS\system32\awvtq.dll -> C:\WINDOWS\system32\awvtq.dll.vir
[03/15/2007, 23:43:45] - File successfully renamed!
[03/15/2007, 23:43:45] - Removing HKLM\...\Browser Helper Objects\{6243BFCD-E57D-4EA5-9185-39E54B991555}
[03/15/2007, 23:43:45] - Removing HKCR\CLSID\{6243BFCD-E57D-4EA5-9185-39E54B991555}
[03/15/2007, 23:43:45] - Adding Kill Bit for ActiveX for GUID: {6243BFCD-E57D-4EA5-9185-39E54B991555}
[03/15/2007, 23:43:45] - Deleting ATLEvents/MSEvents Registry entries
[03/15/2007, 23:43:45] - Removing HKLM\...\Winlogon\Notify\awvtq
[03/15/2007, 23:43:45] - Searching for Browser Helper Objects:
[03/15/2007, 23:43:45] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
[03/15/2007, 23:43:45] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/15/2007, 23:43:45] - BHO 3: {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} (Alcohol Toolbar Helper)
[03/15/2007, 23:43:45] - BHO 4: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[03/15/2007, 23:43:45] - BHO 5: {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} ()
[03/15/2007, 23:43:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:45] - No filename found. Continuing.
[03/15/2007, 23:43:45] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/15/2007, 23:43:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:45] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/15/2007, 23:43:45] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/15/2007, 23:43:45] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/15/2007, 23:43:45] - BHO 8: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[03/15/2007, 23:43:45] - BHO 9: {AFC37E94-71A5-4E7B-9480-BCA74A5EFE39} (MSEvents Object)
[03/15/2007, 23:43:45] - ALERT: Found MSEvents Object!
[03/15/2007, 23:43:45] - BHO 10: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[03/15/2007, 23:43:45] - Finished Searching Browser Helper Objects
[03/15/2007, 23:43:45] - *** Detected MSEvents Object
[03/15/2007, 23:43:45] - Trying to remove MSEvents Object...
[03/15/2007, 23:43:46] - Terminating Process: IEXPLORE.EXE
[03/15/2007, 23:43:46] - Terminating Process: RUNDLL32.EXE
[03/15/2007, 23:43:46] - Disabling Automatic Shell Restart
[03/15/2007, 23:43:46] - Terminating Process: EXPLORER.EXE
[03/15/2007, 23:43:46] - Suspending the NT Session Manager System Service
[03/15/2007, 23:43:47] - Terminating Windows NT Logon/Logoff Manager
[03/15/2007, 23:43:47] - Re-enabling Automatic Shell Restart
[03/15/2007, 23:43:47] - File to disable: C:\WINDOWS\system32\nnnlkih.dll
[03/15/2007, 23:43:47] - Renaming C:\WINDOWS\system32\nnnlkih.dll -> C:\WINDOWS\system32\nnnlkih.dll.vir
[03/15/2007, 23:43:47] - File successfully renamed!
[03/15/2007, 23:43:47] - Removing HKLM\...\Browser Helper Objects\{AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}
[03/15/2007, 23:43:47] - Removing HKCR\CLSID\{AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}
[03/15/2007, 23:43:47] - Adding Kill Bit for ActiveX for GUID: {AFC37E94-71A5-4E7B-9480-BCA74A5EFE39}
[03/15/2007, 23:43:47] - Deleting ATLEvents/MSEvents Registry entries
[03/15/2007, 23:43:47] - Removing HKLM\...\Winlogon\Notify\nnnlkih
[03/15/2007, 23:43:47] - Searching for Browser Helper Objects:
[03/15/2007, 23:43:47] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
[03/15/2007, 23:43:47] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/15/2007, 23:43:47] - BHO 3: {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} (Alcohol Toolbar Helper)
[03/15/2007, 23:43:47] - BHO 4: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[03/15/2007, 23:43:47] - BHO 5: {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} ()
[03/15/2007, 23:43:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:47] - No filename found. Continuing.
[03/15/2007, 23:43:47] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/15/2007, 23:43:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/15/2007, 23:43:47] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/15/2007, 23:43:47] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/15/2007, 23:43:47] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/15/2007, 23:43:47] - BHO 8: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[03/15/2007, 23:43:47] - BHO 9: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[03/15/2007, 23:43:47] - Finished Searching Browser Helper Objects
[03/15/2007, 23:43:47] - Finishing up...
[03/15/2007, 23:43:47] - A restart is needed.
[03/15/2007, 23:43:56] - Attempting to Restart via STOP error (Blue Screen!)


HJT
**********

Logfile of HijackThis v1.99.1
Scan saved at 23:49:27, on 15/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\chris2\Desktop\CDR\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ukonline.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - blank (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\yhgaqvob.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102w.bay102.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aolsvc.co.uk/molbin/sha...,21/mcgdmgr.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: OLE multi config - Unknown owner - C:\WINDOWS\system32\ole2.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:05:40 PM

Posted 15 March 2007 - 10:43 PM

Reboot to Safe Mode :
-Restart your computer.
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Next, run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\yhgaqvob.dll",setvm

Select: Fix checked

~~~~
Still in Safe Mode, search for and remove (bold):
C:\WINDOWS\system32\yhgaqvob.dll
(If it changed name, remove whatever it changed to.)

~~~~
Restart the computer.

~~~~
Please post a new HijackThis log.

Old duck...


#7 cococj

cococj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:nottingham
  • Local time:11:40 PM

Posted 16 March 2007 - 06:55 PM

Hi,

Well I've done all that, removed the file as requested, and so far so good... when it comes to the popups at least, and no new dll's have appeared in my system32 folder so great...yay....

BUT... I'm still getting random trojan warnings from AVG had 6 one after the other earlier. And spybot S&D is still showing references to several things....

anywhooooo the log as requested....

Logfile of HijackThis v1.99.1
Scan saved at 23:50:26, on 16/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\chris2\Desktop\CDR\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ukonline.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - blank (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (file missing)
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102w.bay102.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aolsvc.co.uk/molbin/sha...,21/mcgdmgr.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: OLE multi config - Unknown owner - C:\WINDOWS\system32\ole2.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:05:40 PM

Posted 16 March 2007 - 11:32 PM

Please run HijackThis, Scan
Check box for:

O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - blank (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (file missing)

O18 - Filter: text/html - (no CLSID) - (no file)

O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe (file missing)
O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: OLE multi config - Unknown owner - C:\WINDOWS\system32\ole2.exe (file missing)
O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)

Select: Fix checked

Personally I'm not so sure about the following entries:
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
However you are running Alcohol 120.

It is up to you as to whether you want to check them off. There should not be any harm to your computer or Alcohol if you remove these. The Hosts file allows the computer to find the IP address of a server without having to go through the Domain Name System (DNS).

If you decide to check the box for them, do so before selecting: Fix checked

~~~~
Now, please download SDFix and save it to the Desktop.

Right click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

~~~~
Start the computer in Safe Mode :
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts the SDFix will run again and complete the removal process
It then displays Finished
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Please post the contents of the SDFix Report.txt, and a new HijackThis log.

Old duck...


#9 cococj

cococj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:nottingham
  • Local time:11:40 PM

Posted 27 March 2007 - 01:17 PM

Hi, sorry it's been a while, have been away

okay did all that, I also did a few more scans with spybot and seemed to removed all the extra entires fine.. went online and they didn't reappear... so I guess your previous suggestions worked :thumbsup:

Thanks for all your help btw you have been great!!

Cheers

Chris




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users