
I Can't Get Rid Of Virtumonde And Others!


This topic is locked. 12 replies to this topic.

#1 kickehy


Posted 25 March 2007 - 09:20 AM

Hi all, I'm having real trouble with spyware right now. I keep getting virtumonde (as spybot sees it) and smitfraud-c.toolbar888 and just a few others. They WILL NOT go away. I've tried ad-aware, spybot, avg, smitfraud fix, vundo fix, and hjt...so I'm at a loss now as to why they keep coming back. Every time avg scans it finds these files:

bfbelfdr.dll
dtmdfkkb.dll
Trojan horse Generic3.MCX
xsoiwtvh.dll

Here's the HJT log (which might not have any info in it):

Logfile of HijackThis v1.99.1
Scan saved at 9:17:52 AM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Brad\Desktop\Spyware\Utilities\Always run\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.128.7.36:8888
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\pbrrpqqj.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169276987501
O17 - HKLM\System\CCS\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.20,10.128.2.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.20,10.128.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.20,10.128.2.8
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

Thanks for your help,
Kickehy

By the way, I'm in safe mode so I can do all this stuff; otherwise I get a great number of pop-ups (most of which are the "fix your computer" ones).

Edited by kickehy, 25 March 2007 - 05:21 PM.



#2 miekiemoes (Malware Response Team)

Posted 26 March 2007 - 04:22 AM

Can you rename HijackThis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kickehy


Posted 26 March 2007 - 02:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:36:07 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\Desktop\Spyware\Utilities\Always run\Analyse.exe

O2 - BHO: (no name) - {33CFF9A3-7ECB-4382-806D-AB0138BC7386} - C:\WINDOWS\system32\fccbyww.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169276987501
O17 - HKLM\System\CCS\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{367D3DEC-7C88-47FF-A69A-D5DDFF3C02FC}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O20 - Winlogon Notify: fccbyww - C:\WINDOWS\SYSTEM32\fccbyww.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

#4 miekiemoes


Posted 26 March 2007 - 03:19 PM

Hi,

Do the following, please.

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\fccbyww.dll
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {33CFF9A3-7ECB-4382-806D-AB0138BC7386} - C:\WINDOWS\system32\fccbyww.dll
O20 - Winlogon Notify: fccbyww - C:\WINDOWS\SYSTEM32\fccbyww.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new hijackthislog and the contents of C:\vundofix.txt in your next reply.

Edited by miekiemoes, 26 March 2007 - 03:19 PM.

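As an added example, not code from the thread or from the HijackThis or VundoFix authors: the two entries ticked above are the same DLL hooked twice, once as a Browser Helper Object (O2) and once as a Winlogon Notify package (O20), and the first log in this thread had another such DLL started through a rundll32 Run key (O4). The script below reads a HijackThis log and groups those three hook types by the System32 DLL they load, so a DLL that appears under more than one of them stands out, and it lists the ones registered with Winlogon, which are mapped into winlogon.exe and therefore in use for as long as anyone is logged on. The "5 to 8 lowercase letters" filename filter is an assumption taken from the names in the logs above, not a HijackThis rule; the sample lines are excerpted from the logs posted in this thread.

```python
"""Flag HijackThis entries that load an unnamed DLL from System32 via a
BHO (O2), a Winlogon Notify package (O20) or a rundll32 Run key (O4).
Added example; the sample lines below are excerpted from the thread's logs."""
import re
from collections import defaultdict

# "O2 - BHO: ..." -> section code plus the rest of the line
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Assumption from the posted logs: the dropped DLLs are bare 5-8 lowercase
# letters sitting directly in System32.
SYS32_DLL = re.compile(r"(?i)c:\\windows\\system32\\(?P<stem>[a-z]{5,8})\.dll")

REASONS = {
    "O2": "BHO: loaded into every Internet Explorer process",
    "O20": "Winlogon Notify package: loaded into winlogon.exe, in use whenever anyone is logged on",
    "O4": "Run key through rundll32: re-launched at every logon",
}


def parse_entries(log_text):
    """Yield (code, body) for each 'Rx - ...' / 'Oxx - ...' line; the process list is skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def find_suspect_dlls(log_text):
    """Map each suspect DLL stem to the hooks that load it,
    e.g. {'fccbyww': [('O2', ...), ('O20', ...)]}."""
    hits = defaultdict(list)
    for code, body in parse_entries(log_text):
        m = SYS32_DLL.search(body)
        if not m:
            continue
        stem = m.group("stem").lower()
        if code == "O2" and "(no name)" in body:
            hits[stem].append((code, REASONS["O2"]))
        elif code == "O20" and "Winlogon Notify" in body:
            hits[stem].append((code, REASONS["O20"]))
        elif code == "O4" and "rundll32" in body.lower():
            hits[stem].append((code, REASONS["O4"]))
    return dict(hits)


def hooked_by_winlogon(hits):
    """Stems registered as Winlogon Notify packages: expect an in-use error if you
    delete them while logged on, so plan to remove them at reboot."""
    return sorted(stem for stem, hooks in hits.items() if any(c == "O20" for c, _ in hooks))


# Excerpt of the HijackThis lines from the posts above, plus two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {33CFF9A3-7ECB-4382-806D-AB0138BC7386} - C:\WINDOWS\system32\fccbyww.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\pbrrpqqj.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fccbyww - C:\WINDOWS\SYSTEM32\fccbyww.dll
"""

if __name__ == "__main__":
    found = find_suspect_dlls(SAMPLE_LOG)
    for stem, hooks in sorted(found.items()):
        print(f"{stem}.dll")
        for code, why in hooks:
            print(f"  {code}: {why}")
    print("remove at reboot:", hooked_by_winlogon(found))
```

Run as-is, fccbyww is reported under both O2 and O20 while pbrrpqqj shows only O4, and the Winlogon list contains fccbyww alone. That is the DLL you should expect to resist deletion until a reboot-time pass, which matches the "Could not be deleted." result VundoFix reported for fccbyww.dll on its first attempt in the log posted later in this thread.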

#5 kickehy


Posted 26 March 2007 - 09:48 PM

So I came to the conclusion that I can't boot into Windows normally because all sorts of other things pop up, but here's my log.
This is in safe mode, by the way.

Logfile of HijackThis v1.99.1
Scan saved at 9:43:25 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Brad\Desktop\Spyware\Utilities\Always run\Analyse.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169276987501
O17 - HKLM\System\CCS\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{367D3DEC-7C88-47FF-A69A-D5DDFF3C02FC}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

Edited by kickehy, 26 March 2007 - 09:49 PM.


#6 miekiemoes


Posted 27 March 2007 - 12:26 AM

Hi,

This log looks clean. Do you have the log from Vundofix?
Can you let me know what things are popping up when you go to normal mode?

#7 kickehy


Posted 27 March 2007 - 08:05 AM

Oh yeah, sorry about that. Here's the log:

VundoFix V6.3.9
Checking Java version...
Scan started at 4:07:41 PM 3/24/2007
Listing files found while scanning....
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\guitwoyt.exe
Beginning removal...
Attempting to delete C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!
Attempting to delete C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!
Attempting to delete C:\WINDOWS\system32\guitwoyt.exe
C:\WINDOWS\system32\guitwoyt.exe Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.9
Checking Java version...
Scan started at 4:41:16 PM 3/24/2007
Listing files found while scanning....
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\pqltlend.dll
C:\WINDOWS\system32\svuvw.bak1
C:\WINDOWS\system32\svuvw.ini
C:\WINDOWS\system32\wvuvs.dll
C:\WINDOWS\system32\ytetirqu.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pqltlend.dll
C:\WINDOWS\system32\pqltlend.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\svuvw.bak1
C:\WINDOWS\system32\svuvw.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\svuvw.ini
C:\WINDOWS\system32\svuvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvuvs.dll
C:\WINDOWS\system32\wvuvs.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ytetirqu.exe
C:\WINDOWS\system32\ytetirqu.exe Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\svuvw.ini
C:\WINDOWS\system32\svuvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvuvs.dll
C:\WINDOWS\system32\wvuvs.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.9
Checking Java version...
Scan started at 6:41:34 PM 3/24/2007
Listing files found while scanning....

VundoFix V6.3.9
Checking Java version...
Scan started at 11:28:40 PM 3/24/2007
Listing files found while scanning....
C:\WINDOWS\system32\dddgh.bak1
C:\WINDOWS\system32\dddgh.ini
C:\WINDOWS\system32\hgddd.dll
C:\WINDOWS\system32\nlnkkcrl.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dddgh.bak1
C:\WINDOWS\system32\dddgh.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\dddgh.ini
C:\WINDOWS\system32\dddgh.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgddd.dll
C:\WINDOWS\system32\hgddd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nlnkkcrl.exe
C:\WINDOWS\system32\nlnkkcrl.exe Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.9
Checking Java version...
Scan started at 11:53:28 PM 3/24/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.9
Checking Java version...
Scan started at 9:19:50 PM 3/25/2007
Listing files found while scanning....
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\befhk.bak1
C:\WINDOWS\system32\befhk.ini
C:\WINDOWS\system32\khfeb.dll
C:\WINDOWS\system32\tjxrtlvl.exe
Beginning removal...
Attempting to delete C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!
Attempting to delete C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Brad\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!
Attempting to delete C:\WINDOWS\system32\befhk.bak1
C:\WINDOWS\system32\befhk.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\befhk.ini
C:\WINDOWS\system32\befhk.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\khfeb.dll
C:\WINDOWS\system32\khfeb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tjxrtlvl.exe
C:\WINDOWS\system32\tjxrtlvl.exe Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\befhk.ini
C:\WINDOWS\system32\befhk.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\khfeb.dll
C:\WINDOWS\system32\khfeb.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.9
Checking Java version...
Scan started at 7:45:03 AM 3/26/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 8:59:21 PM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\aadgh.ini
C:\WINDOWS\system32\awttu.dll
C:\WINDOWS\system32\bardtbte.dll
C:\WINDOWS\system32\cceeg.bak1
C:\WINDOWS\system32\cceeg.ini
C:\WINDOWS\system32\etbtdrab.ini
C:\WINDOWS\system32\fccbyww.dll
C:\WINDOWS\system32\geecc.dll
C:\WINDOWS\system32\gomtqetj.ini
C:\WINDOWS\system32\hgdaa.dll
C:\WINDOWS\system32\hgghefd.dll
C:\WINDOWS\system32\hrioabhn.dll
C:\WINDOWS\system32\itsdxykk.dll
C:\WINDOWS\system32\jqqprrbp.ini
C:\WINDOWS\system32\jteqtmog.dll
C:\WINDOWS\system32\kkyxdsti.ini
C:\WINDOWS\system32\pbrrpqqj.dll
C:\WINDOWS\system32\uttwa.ini
C:\WINDOWS\system32\wntavajj.exe
C:\WINDOWS\system32\xxyyx.dll
C:\WINDOWS\system32\xyyxx.bak1
C:\WINDOWS\system32\xyyxx.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\aadgh.ini
C:\WINDOWS\system32\aadgh.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\awttu.dll
C:\WINDOWS\system32\awttu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\bardtbte.dll
C:\WINDOWS\system32\bardtbte.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cceeg.bak1
C:\WINDOWS\system32\cceeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cceeg.ini
C:\WINDOWS\system32\cceeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\etbtdrab.ini
C:\WINDOWS\system32\etbtdrab.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccbyww.dll
C:\WINDOWS\system32\fccbyww.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\geecc.dll
C:\WINDOWS\system32\geecc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gomtqetj.ini
C:\WINDOWS\system32\gomtqetj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgdaa.dll
C:\WINDOWS\system32\hgdaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgghefd.dll
C:\WINDOWS\system32\hgghefd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hrioabhn.dll
C:\WINDOWS\system32\hrioabhn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\itsdxykk.dll
C:\WINDOWS\system32\itsdxykk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jqqprrbp.ini
C:\WINDOWS\system32\jqqprrbp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jteqtmog.dll
C:\WINDOWS\system32\jteqtmog.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kkyxdsti.ini
C:\WINDOWS\system32\kkyxdsti.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pbrrpqqj.dll
C:\WINDOWS\system32\pbrrpqqj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uttwa.ini
C:\WINDOWS\system32\uttwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wntavajj.exe
C:\WINDOWS\system32\wntavajj.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyyx.dll
C:\WINDOWS\system32\xxyyx.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xyyxx.bak1
C:\WINDOWS\system32\xyyxx.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xyyxx.ini
C:\WINDOWS\system32\xyyxx.ini Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 9:23:16 PM 3/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\fccbyww.dll
C:\WINDOWS\system32\kjmoq.bak1
C:\WINDOWS\system32\kjmoq.ini
C:\WINDOWS\system32\qomjk.dll
C:\WINDOWS\system32\xxyyx.dll
C:\WINDOWS\system32\xyyxx.ini
C:\WINDOWS\system32\xyyxx.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fccbyww.dll
C:\WINDOWS\system32\fccbyww.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjmoq.bak1
C:\WINDOWS\system32\kjmoq.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjmoq.ini
C:\WINDOWS\system32\kjmoq.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomjk.dll
C:\WINDOWS\system32\qomjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyyx.dll
C:\WINDOWS\system32\xxyyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xyyxx.ini
C:\WINDOWS\system32\xyyxx.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\xyyxx.tmp
C:\WINDOWS\system32\xyyxx.tmp Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 9:43:55 PM 3/26/2007
Listing files found while scanning....
No infected files were found.

The other files that were found were from when I booted into normal mode and they just started popping up. So far, in normal mode I haven't gotten any popups, but if I do I'll let you know.
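Added example, not part of the thread and not VundoFix's own code: a Python parser for the log format above. It splits the text into runs at each "VundoFix V..." banner, records for every run which files were found, deleted or could not be deleted (a later "Has been deleted!" overrides an earlier failure, which is what the second removal pass in the log does), reports files a run listed but never attempted, and pairs every .dll with the companion .ini/.bak1/.tmp files whose name is the DLL stem spelled backwards: the log above shows svuvw.ini beside wvuvs.dll, befhk.ini beside khfeb.dll, jqqprrbp.ini beside pbrrpqqj.dll, and so on. That reversed-name pairing is an observation drawn from this log and used as a heuristic, not a documented VundoFix rule. The sample log is a constructed excerpt of two of the runs above.

```python
"""Parse VundoFix log output into per-run results and pair each dropped DLL
with the companion files named by reversing its stem.
Added example; the log excerpt below is constructed from two of the runs above."""
import ntpath
import re

RUN_HEADER = re.compile(r"^VundoFix V(?P<version>[\d.]+)$")
SCAN_START = re.compile(r"^Scan started at (?P<when>.+)$")
# A path line, optionally followed by the result VundoFix reports for it.
PATH_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)(?P<status> Has been deleted!| Could not be deleted\.)?$")


def parse_vundofix_log(text):
    """One dict per 'VundoFix Vx.y.z' banner: files found, deleted and failed."""
    runs, run = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_HEADER.match(line)
        if m:
            run = {"version": m.group("version"), "started": None,
                   "found": [], "deleted": set(), "failed": set()}
            runs.append(run)
            continue
        if run is None or line.startswith("Attempting to delete "):
            continue  # text before the first banner, or an attempt whose result follows
        m = SCAN_START.match(line)
        if m:
            run["started"] = m.group("when")
            continue
        m = PATH_LINE.match(line)
        if not m:
            continue  # banner text, "Done!", "No infected files were found." ...
        path, status = m.group("path"), m.group("status")
        if status is None:
            run["found"].append(path)
        elif status.startswith(" Has been"):
            run["deleted"].add(path)
            run["failed"].discard(path)  # a second pass can succeed after a failure
        else:
            run["failed"].add(path)
    return runs


def summarize(runs):
    """Counts per run, the files still present, and those listed but never attempted."""
    out = []
    for r in runs:
        untouched = sorted(set(r["found"]) - r["deleted"] - r["failed"])
        out.append({"version": r["version"], "started": r["started"],
                    "found": len(r["found"]), "deleted": len(r["deleted"]),
                    "still_present": sorted(r["failed"]), "untouched": untouched})
    return out


def reversed_name_pairs(paths):
    """Pair x.dll with files whose stem is x reversed (khfeb.dll <-> befhk.ini).
    Heuristic taken from the file names in the log above, not a VundoFix rule."""
    by_stem = {}
    for p in paths:
        stem, _, ext = ntpath.basename(p).lower().rpartition(".")
        by_stem.setdefault(stem, set()).add(ext)
    pairs = []
    for stem, exts in sorted(by_stem.items()):
        mirror = stem[::-1]
        if "dll" in exts and mirror != stem and mirror in by_stem:
            pairs.append((stem + ".dll", sorted(f"{mirror}.{e}" for e in by_stem[mirror])))
    return pairs


# Constructed excerpt: the 3/25 run (one file needing a second pass) and the final clean run.
SAMPLE_LOG = r"""
VundoFix V6.3.9
Scan started at 9:19:50 PM 3/25/2007
Listing files found while scanning....
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\befhk.ini
C:\WINDOWS\system32\khfeb.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\befhk.ini
C:\WINDOWS\system32\befhk.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\khfeb.dll
C:\WINDOWS\system32\khfeb.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\khfeb.dll
C:\WINDOWS\system32\khfeb.dll Has been deleted!
Done!
VundoFix V6.3.18
Scan started at 9:43:55 PM 3/26/2007
Listing files found while scanning....
No infected files were found.
"""

if __name__ == "__main__":
    runs = parse_vundofix_log(SAMPLE_LOG)
    for s in summarize(runs):
        print(s)
    print(reversed_name_pairs(p for r in runs for p in r["found"]))
```

On the excerpt the first run ends with nothing still present, khfeb.dll counted as deleted only because the second pass said so, and VSAdd-in.dll reported as found but never attempted; on the full log above the pairing also covers the longer names (etbtdrab.ini with bardtbte.dll, kkyxdsti.ini with itsdxykk.dll) and "untouched" would show VSAdd-in.dll left behind by several of the earlier runs.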

#8 miekiemoes


Posted 27 March 2007 - 08:20 AM

Hi,

So far, in normal mode I haven't gotten any popups, but if I do I'll let you know.

Can you post a new HijackThis log made in normal mode now, as a final check?

#9 kickehy


Posted 27 March 2007 - 12:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:10:33 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\Desktop\Spyware\Utilities\Always run\Analyse.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169276987501
O17 - HKLM\System\CCS\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{367D3DEC-7C88-47FF-A69A-D5DDFF3C02FC}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{058ED8E0-2AD7-467C-A8EC-F70AB7A9530D}: NameServer = 10.128.2.8,10.128.2.20
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

#10 miekiemoes


Posted 27 March 2007 - 12:19 PM

Still looking good. Popups should be gone now. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 kickehy


Posted 27 March 2007 - 02:01 PM

thanks!

#12 miekiemoes


Posted 27 March 2007 - 02:14 PM

Glad I could help :thumbsup:

#13 miekiemoes


Posted 29 March 2007 - 05:32 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



