

Msn Messenger


30 replies to this topic

#1 sandro420

  • Members
  • 18 posts

Posted 10 April 2007 - 09:27 PM

Well, it seems every time I run MSN Messenger, it slows my computer down, and my Panda antivirus says it has blocked 888bar adware. I can't seem to make it go away, so any help will be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:20 PM, on 4/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\My Documents\download\HiJackThis_v2.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\mvtvkles.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {EA1C7B11-E180-B627-F1DE-C2DEBFB20497} - C:\WINNT\system32\duf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\User\LOCALS~1\Temp\{AAECC4B5-0AF3-4607-B5FA-249D660614E8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134955647612
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: awtuvvv - C:\WINNT\SYSTEM32\awtuvvv.dll
O20 - Winlogon Notify: winorl32 - winorl32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 11 April 2007 - 02:32 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.
Do not run it yet.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\mvtvkles.dll
O2 - BHO: (no name) - {EA1C7B11-E180-B627-F1DE-C2DEBFB20497} - C:\WINNT\system32\duf.dll (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O20 - Winlogon Notify: awtuvvv - C:\WINNT\SYSTEM32\awtuvvv.dll
O20 - Winlogon Notify: winorl32 - winorl32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Find and delete these two files if they are present:
C:\WINNT\system32\vtvkles.dll
C:\WINNT\SYSTEM32\awtuvvv.dll

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.
Also post a new Hijackthis log.

Edited by D-Trojanator, 11 April 2007 - 02:32 AM.
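The entries ticked above share a few log-level tells: unnamed BHOs, registrations whose file is gone, and Winlogon Notify packages that are not standard Windows components. The script below is an added example, not code from this thread or from the HijackThis project: it applies those rules to lines in the HijackThis v1.99 log format, using sample lines copied from the log above; the list of known Winlogon Notify packages is an assumption (a partial list of the Windows 2000/XP defaults) and should be extended with packages verified locally.

```python
import re
from dataclasses import dataclass

# Sample input in the HijackThis v1.99 log format. The lines are the ones quoted
# in this thread plus a few clean entries from the same log; nothing else is invented.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\mvtvkles.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {EA1C7B11-E180-B627-F1DE-C2DEBFB20497} - C:\WINNT\system32\duf.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: awtuvvv - C:\WINNT\SYSTEM32\awtuvvv.dll
O20 - Winlogon Notify: winorl32 - winorl32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Winlogon Notify subkeys shipped with Windows 2000/XP. Assumption: this is a
# partial list of the defaults; extend it with packages you have verified locally.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Every HijackThis entry line starts with a section code such as R0, O2, O20, O23.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
NOTIFY_NAME = re.compile(r"^Winlogon Notify: (?P<name>\S+) - ")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_line(section: str, body: str) -> list[str]:
    """Heuristic reasons an entry deserves a tick in 'Fix checked' or a closer look."""
    reasons = []
    if section == "R3" and "URLSearchHook is missing" in body:
        reasons.append("default URLSearchHook is missing; fixing restores the default")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("dangling registration: the referenced file no longer exists")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed Browser Helper Object loaded into Internet Explorer")
    if section == "O20":
        m = NOTIFY_NAME.match(body)
        if m and m.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append(f"Winlogon Notify package '{m.group('name')}' is not a known "
                           "Windows component; verify its vendor")
    if section == "O21" and body.startswith("SSODL:"):
        reasons.append("ShellServiceObjectDelayLoad entry starts with Explorer; verify it")
    return reasons


def triage(text: str) -> list[Finding]:
    """One Finding per entry that triggers at least one rule, in log order."""
    findings = []
    for section, body in parse_hjt(text):
        reasons = triage_line(section, body)
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), f"{section} - {body}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run on the sample it reports exactly the six entries listed in the post above and leaves the Java, iTunes and iPod entries alone; an O20 entry whose package is not in the known list is reported for verification rather than declared malicious.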


#3 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 11 April 2007 - 08:04 AM

I also have just received a popup for WinAntiVirusPro 2007, if that helps at all.

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 11 April 2007 - 04:23 PM

You will likely receive popups at this time; please follow the instructions in my previous post and report back.

#5 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 11 April 2007 - 09:11 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:07:56 PM, on 4/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\User\LOCALS~1\Temp\{AAECC4B5-0AF3-4607-B5FA-249D660614E8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134955647612
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

SmitFraudFix v2.166

Scan done at 18:32:37.23, Wed 04/11/2007
Run from C:\Documents and Settings\User\My Documents\download\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8C1F41DF-7A77-468A-9BDC-324C0C73F89C}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C4BF4978-F4B0-413B-B802-E2669E0CE4AC}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8C1F41DF-7A77-468A-9BDC-324C0C73F89C}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C4BF4978-F4B0-413B-B802-E2669E0CE4AC}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8C1F41DF-7A77-468A-9BDC-324C0C73F89C}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C4BF4978-F4B0-413B-B802-E2669E0CE4AC}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

The problem persists. When I enter Safe Mode and attempt to delete awutvvv.dll, it says it is being used by Windows. Also, when I use SmitFraudFix, the registry editor says it cannot import cleanup.reg: error accessing registry. Any help will be greatly appreciated.

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 April 2007 - 04:44 AM

Please go to the folder where HijackThis is kept and rename the HijackThis application to "showme". This can be done by right-clicking on the program and clicking "Rename". Press Enter, then open "showme.exe" by double-clicking.
Post a new HijackThis log from the newly named application.

#7 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 12 April 2007 - 09:06 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:07:16 AM, on 4/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\ivemjqyb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9796007A-181E-4C97-99EB-7F71B8989A7B} - C:\WINNT\system32\awtuvvv.dll
O2 - BHO: (no name) - {C48B6AD4-D416-4694-B1A5-43F9687F0711} - C:\WINNT\system32\fccyv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\User\LOCALS~1\Temp\{AAECC4B5-0AF3-4607-B5FA-249D660614E8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134955647612
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: awtuvvv - C:\WINNT\SYSTEM32\awtuvvv.dll
O20 - Winlogon Notify: fccyv - C:\WINNT\system32\fccyv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

#8 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 April 2007 - 09:07 AM

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#9 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 12 April 2007 - 09:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:15:12 PM, on 4/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\showme.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\ivemjqyb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9796007A-181E-4C97-99EB-7F71B8989A7B} - C:\WINNT\system32\awtuvvv.dll
O2 - BHO: (no name) - {C48B6AD4-D416-4694-B1A5-43F9687F0711} - C:\WINNT\system32\fccyv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\User\LOCALS~1\Temp\{AAECC4B5-0AF3-4607-B5FA-249D660614E8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134955647612
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: awtuvvv - C:\WINNT\SYSTEM32\awtuvvv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.6

Scan started at 5:17:32 PM 9/28/2006

Listing files found while scanning....

C:\Program Files\Common Files\{98F838EC-031D-1033-0424-010310080001}\services.dll
C:\Program Files\Common Files\{98F838EC-031D-1033-0424-010310080001}\Update.exe

Beginning removal...

Attempting to delete C:\Program Files\Common Files\{98F838EC-031D-1033-0424-010310080001}\services.dll
C:\Program Files\Common Files\{98F838EC-031D-1033-0424-010310080001}\services.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{98F838EC-031D-1033-0424-010310080001}\Update.exe
C:\Program Files\Common Files\{98F838EC-031D-1033-0424-010310080001}\Update.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.22
Scan started at 5:46:53 PM 4/10/2007

Listing files found while scanning....


C:\WINNT\system32\jijlm.bak1
C:\WINNT\system32\jijlm.ini
C:\WINNT\system32\mljij.dll

VundoFix V4.2.22
Scan started at 5:51:02 PM 4/10/2007

Listing files found while scanning....


C:\WINNT\system32\jijlm.bak1
C:\WINNT\system32\jijlm.ini
C:\WINNT\system32\mljij.dll
Attempting to delete C:\WINNT\system32\jijlm.bak1
C:\WINNT\system32\jijlm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jijlm.ini
C:\WINNT\system32\jijlm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\mljij.dll
C:\WINNT\system32\mljij.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.22
Scan started at 6:34:03 PM 4/10/2007

Listing files found while scanning....


C:\WINNT\system32\jijlm.bak1
C:\WINNT\system32\jijlm.ini
C:\WINNT\system32\mljij.dll
Attempting to delete C:\WINNT\system32\jijlm.bak1
C:\WINNT\system32\jijlm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jijlm.ini
C:\WINNT\system32\jijlm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\mljij.dll
C:\WINNT\system32\mljij.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.22
Scan started at 6:43:34 PM 4/10/2007

Listing files found while scanning....


No infected files were found.


VundoFix V4.2.22
Scan started at 7:02:54 PM 4/12/2007

Listing files found while scanning....


C:\WINNT\system32\vyccf.bak1
C:\WINNT\system32\vyccf.bak2
C:\WINNT\system32\vyccf.ini
C:\WINNT\system32\fccyv.dll
Attempting to delete C:\WINNT\system32\vyccf.bak1
C:\WINNT\system32\vyccf.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\vyccf.bak2
C:\WINNT\system32\vyccf.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\vyccf.ini
C:\WINNT\system32\vyccf.ini Has been deleted!

Attempting to delete C:\WINNT\system32\fccyv.dll
C:\WINNT\system32\fccyv.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#10 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 12 April 2007 - 09:46 PM

Apologies, here is a recent VundoFix log.

VundoFix V4.2.22
Scan started at 7:20:49 PM 4/12/2007

Listing files found while scanning....


C:\WINNT\system32\vyccf.bak1
C:\WINNT\system32\vyccf.ini
C:\WINNT\system32\fccyv.dll
Attempting to delete C:\WINNT\system32\vyccf.bak1
C:\WINNT\system32\vyccf.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\vyccf.ini
C:\WINNT\system32\vyccf.ini Has been deleted!

Attempting to delete C:\WINNT\system32\fccyv.dll
C:\WINNT\system32\fccyv.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#11 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 13 April 2007 - 05:11 AM

Download ComboFix to your desktop. It is really important that combofix.exe is on your desktop itself, not somewhere else and not in a folder on your desktop.
Then go to Start > Run and copy and paste the next command into the field:

"C:\Documents and Settings\Owner\Desktop\combofix.exe" /v awtuvvv fccyv mljij

Hit Enter. This should start ComboFix.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, and after the reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#12 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 13 April 2007 - 11:50 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:49:52 AM, on 4/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\ivemjqyb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134955647612
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

"User" - Fri 04/13/2007 9:30:12 Service Pack 4
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\User\Desktop"
Command switches used :: /v awtuvvv fccyv mljij


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\awtuvvv.dll
C:\WINNT\system32\fccyv.dll
C:\WINNT\system32\mljij.dll
C:\WINNT\system32\vyccf.bak1
C:\WINNT\system32\vyccf.ini
C:\WINNT\system32\jijlm.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


"C:\WINNT\system32\mljij.dll"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Common Files\{38F83~1\UnInstall.exe
C:\Program Files\outerinfo
C:\WINNT\system32\components
C:\Program Files\Common Files\{38F83~1
C:\Program Files\Common Files\{98F83~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\User
C:\qoobox\purity\DOCUME~1\User\APPLIC~1
C:\qoobox\purity\DOCUME~1\User\APPLIC~1\CROSOF~1.NET
C:\qoobox\purity\DOCUME~1\User\APPLIC~1\from.txt
C:\qoobox\purity\Program Files\APPATC~1
C:\qoobox\purity\Program Files\STEM~1
C:\qoobox\purity\Program Files\WNSXS~1
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1\ctxad-542.0000
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1\ctxad-542.0001
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1\ctxad-542.0002
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1\ctxad-542.0003
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1\ctxad-542.0004
C:\qoobox\purity\Program Files\APPATC~1\APPATC~1\ctxad-542.0005
C:\qoobox\purity\Program Files\Common Files\SEMBLY~1
C:\qoobox\purity\WINNT\MANTEC~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))))))))))))))))


2007-04-13 09:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_410.dat
2007-04-12 19:42 123,972 --a------ C:\WINNT\system32\mqviipif.dll
2007-04-12 19:39 123,972 --a------ C:\WINNT\system32\bckhvgpw.dll
2007-04-12 19:11 123,972 --a------ C:\WINNT\system32\wadfsdfk.dll
2007-04-11 22:23 123,972 --a------ C:\WINNT\system32\sjkbauxj.dll
2007-04-11 16:48 26,694 --a------ C:\WINNT\system32\rqrqnol.dll
2007-04-11 16:33 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-04-11 16:33 53,248 --a------ C:\WINNT\system32\Process.exe
2007-04-11 16:33 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-04-11 16:33 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-04-11 16:33 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-04-11 16:33 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-04-11 16:33 1,596 --a------ C:\WINNT\system32\tmp.reg
2007-04-11 16:19 48,708 --a------ C:\WINNT\system32\ivemjqyb.dll
2007-04-11 15:18 26,694 --a------ C:\WINNT\system32\tuvwxwu.dll
2007-04-11 15:15 26,694 --a------ C:\WINNT\system32\pmnnnnl.dll
2007-04-11 14:15 26,694 --a------ C:\WINNT\system32\yaywttq.dll
2007-04-11 14:13 26,694 --a------ C:\WINNT\system32\vtustuv.dll
2007-04-11 13:18 26,694 --a------ C:\WINNT\system32\tuvvuvv.dll
2007-04-11 13:15 26,694 --a------ C:\WINNT\system32\wvuttuu.dll
2007-04-11 12:20 26,694 --a------ C:\WINNT\system32\khffeef.dll
2007-04-11 12:18 26,694 --a------ C:\WINNT\system32\iifcayv.dll
2007-04-11 11:15 26,694 --a------ C:\WINNT\system32\qomnoom.dll
2007-04-11 11:13 26,694 --a------ C:\WINNT\system32\nnnmmjj.dll
2007-04-11 10:03 26,694 --a------ C:\WINNT\system32\ssqpolk.dll
2007-04-11 10:00 26,694 --a------ C:\WINNT\system32\xxyabxu.dll
2007-04-11 08:45 26,694 --a------ C:\WINNT\system32\khfedbb.dll
2007-04-11 08:43 26,694 --a------ C:\WINNT\system32\gebbyvv.dll
2007-04-11 07:33 26,694 --a------ C:\WINNT\system32\ljjhiff.dll
2007-04-11 07:30 26,694 --a------ C:\WINNT\system32\ljjhhgg.dll
2007-04-11 07:03 26,694 --a------ C:\WINNT\system32\urqrrpp.dll
2007-04-11 05:40 26,694 --a------ C:\WINNT\system32\yayvwur.dll
2007-04-11 05:38 26,694 --a------ C:\WINNT\system32\awtuuvs.dll
2007-04-11 04:25 26,694 --a------ C:\WINNT\system32\mljgefc.dll
2007-04-11 04:23 26,694 --a------ C:\WINNT\system32\urqpnom.dll
2007-04-11 03:13 26,694 --a------ C:\WINNT\system32\efccyww.dll
2007-04-11 03:10 26,694 --a------ C:\WINNT\system32\ddcdccc.dll
2007-04-11 01:40 26,694 --a------ C:\WINNT\system32\ddcdaba.dll
2007-04-11 01:38 26,694 --a------ C:\WINNT\system32\cbxwuts.dll
2007-04-10 23:40 26,694 --a------ C:\WINNT\system32\ljjifff.dll
2007-04-10 23:37 26,694 --a------ C:\WINNT\system32\yayyaxu.dll
2007-04-10 21:17 26,694 --a------ C:\WINNT\system32\urqrqoo.dll
2007-04-10 21:15 26,694 --a------ C:\WINNT\system32\fccdcbb.dll
2007-04-10 19:23 26,694 --a------ C:\WINNT\system32\opnkkhf.dll
2007-04-10 19:06 26,694 --a------ C:\WINNT\system32\byxxwur.dll
2007-04-10 18:51 26,694 --a------ C:\WINNT\system32\ssqonol.dll
2007-04-10 18:30 26,694 --a------ C:\WINNT\system32\mljggfg.dll
2007-04-10 17:31 26,694 --a------ C:\WINNT\system32\ssqopop.dll
2007-04-10 17:31 189,952 --a------ C:\DOCUME~1\User\us.exe
2007-04-10 17:16 280,676 --a------ C:\WINNT\system32\mljij.dll
2007-04-10 17:16 280,676 ---hs---- C:\WINNT\system32\ljhgg.dll
2007-04-10 17:11 26,694 --a------ C:\WINNT\system32\xxywvtr.dll
2007-04-10 17:10 26,694 --a------ C:\WINNT\system32\iifdbyx.dll
2007-04-10 17:09 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-04-01 17:15 <DIR> d-------- C:\Program Files\iTunes
2007-04-01 17:15 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-12 18:59 -------- d-------- C:\DOCUME~1\User\APPLIC~1\utorrent
2007-04-10 17:10 -------- d-------- C:\Program Files\msn messenger
2007-04-09 04:21 -------- d-------- C:\Program Files\utorrent
2007-04-09 04:21 -------- d-------- C:\Program Files\daemon tools
2007-04-01 17:13 -------- d-------- C:\Program Files\quicktime alternative
2007-03-29 11:18 -------- d-------- C:\Program Files\winamp
2007-03-10 14:10 -------- d-------- C:\Program Files\winff
2007-03-10 02:13 10368 --a------ C:\WINNT\system32\drivers\pfc.sys
2007-02-26 08:21 -------- d--h----- C:\Program Files\installshield installation information
2007-02-26 08:20 -------- d-a------ C:\Program Files\panda software
2007-02-26 07:58 2 --a------ C:\WINNT\system32\wnsintcc.exe
2007-02-25 07:58 -------- d-------- C:\Program Files\java
2007-02-17 17:35 -------- d-------- C:\Program Files\guitar speed trainer


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroCheck"="C:\\WINNT\\system32\\\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Fri 2007-04-13 9:43:05
C:\ComboFix-quarantined-files.txt ... 07-04-13 09:43

#13 -David-

  • Members
  • 10,603 posts
  • Gender: Male
  • Location: London

Posted 13 April 2007 - 02:22 PM

Hello there, good work so far! :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\ivemjqyb.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\system32\ssqpolk.dll
C:\WINNT\system32\xxyabxu.dll
C:\WINNT\system32\khfedbb.dll
C:\WINNT\system32\gebbyvv.dll
C:\WINNT\system32\ljjhiff.dll
C:\WINNT\system32\ljjhhgg.dll
C:\WINNT\system32\urqrrpp.dll
C:\WINNT\system32\yayvwur.dll
C:\WINNT\system32\awtuuvs.dll
C:\WINNT\system32\mljgefc.dll
C:\WINNT\system32\urqpnom.dll
C:\WINNT\system32\efccyww.dll
C:\WINNT\system32\ddcdccc.dll
C:\WINNT\system32\ddcdaba.dll
C:\WINNT\system32\cbxwuts.dll
C:\WINNT\system32\ljjifff.dll
C:\WINNT\system32\yayyaxu.dll
C:\WINNT\system32\urqrqoo.dll
C:\WINNT\system32\fccdcbb.dll
C:\WINNT\system32\opnkkhf.dll
C:\WINNT\system32\byxxwur.dll
C:\WINNT\system32\ssqonol.dll
C:\WINNT\system32\ssqonol.dll
C:\WINNT\system32\ssqopop.dll
C:\Documents and Settings\User\us.exe
C:\WINNT\system32\mljij.dll
C:\WINNT\system32\ljhgg.dll
C:\WINNT\system32\xxywvtr.dll
C:\WINNT\system32\iifdbyx.dll
C:\WINNT\system32\wnsintcc.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.
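
A defender-side way to pre-screen a HijackThis log for the kind of entries -David- picked out above (the misplaced Local Page values and the unnamed BHO), as an added Python example that is not from this thread, from HijackThis or from any other tool mentioned here. The sample log is a constructed subset of the log posted in #12. The three heuristics (IE page entries that point outside the Windows directory inferred from the smss.exe path, BHOs registered with no name, and 7-8 letter lowercase DLL names in system32 like those in the ComboFix "Files Created" section) are my own rules of thumb, not HijackThis logic; anything they flag is a candidate for review, not a verdict.

```python
"""Pre-screen a HijackThis 1.99.1 log with a few review heuristics (added example)."""
import re

# Constructed subset of the log posted in #12 (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\ivemjqyb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
"""

# Every R*/O* line has the shape "<kind> - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in a loadable or page file type; stops at quotes and
# other characters that cannot appear in a Windows path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:dll|exe|ocx|htm|html)', re.IGNORECASE)
# Heuristic (assumption): 7-8 lowercase letters, like the DLL names ComboFix listed in #12.
RANDOM_DLL_RE = re.compile(r"^[a-z]{7,8}\.dll$")
# smss.exe always runs from <WindowsDir>\System32, so its path reveals the real Windows directory.
SMSS_RE = re.compile(r"^([A-Za-z]:\\[^\\]+)\\System32\\smss\.exe$", re.IGNORECASE)


def system_root(text):
    """Infer the Windows directory (e.g. C:\\WINNT) from the smss.exe process line."""
    for line in text.splitlines():
        m = SMSS_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def parse_entries(text):
    """Yield (kind, body, raw_line) for every R*/O* entry line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["kind"], m["body"], line.strip()


def triage(text):
    """Return [(raw_line, [reasons])] for entries that deserve a closer look."""
    root = system_root(text)
    findings = []
    for kind, body, raw in parse_entries(text):
        reasons = []
        paths = PATH_RE.findall(body)
        # R0/R1: IE start/local pages should live under the real Windows directory
        # (here C:\WINNT, while the log's entries point at C:\windows).
        if kind.startswith("R") and root:
            for p in paths:
                if not p.lower().startswith(root.lower() + "\\"):
                    reasons.append(f"IE page outside Windows directory {root}: {p}")
        # O2: a BHO that registers no name is unusual for legitimate software.
        if kind == "O2" and "(no name)" in body:
            reasons.append("BHO registered with no name")
        # Any entry: random-looking DLL name dropped into system32.
        for p in paths:
            name = p.rsplit("\\", 1)[-1]
            if "\\system32\\" in p.lower() and RANDOM_DLL_RE.match(name):
                reasons.append(f"random-looking DLL in system32: {name}")
        if reasons:
            findings.append((raw, reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it reports exactly the three lines -David- asked to fix: both R0 entries (the Windows directory on this machine is C:\WINNT, not C:\windows) and the unnamed BHO, which trips two rules at once. The avldr.dll Winlogon Notify entry is not flagged because the name rule requires 7-8 letters; that is deliberate, since short-name DLLs are common for legitimate vendors, and it shows why a hit from rules like these should be cross-checked (publisher, file date, the ComboFix listing) before anything is removed.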

#14 sandro420

  • Topic Starter
  • Members
  • 18 posts

Posted 14 April 2007 - 10:59 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:59:15 PM, on 4/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\avtask.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijackthis\showme.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134955647612
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 14, 2007 8:59:08 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/04/2007
Kaspersky Anti-Virus database records: 297190
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 74866
Number of viruses found: 8
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 02:18:21

Infected Object Name / Virus Name / Last Action
C:\!KillBox\us.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\cert8.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\dictionarytip\DictionaryTip.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\flashgot.log Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\history.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\key3.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\parent.lock Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\search.sqlite Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007041320070414\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\My Documents\download\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES\L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\User\My Documents\download\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar/L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\User\My Documents\download\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar RAR: infected - 1 skipped
C:\Documents and Settings\User\My Documents\download\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\My Documents\download\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\My Documents\download\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\My Documents\download\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\User\My Documents\programs\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\User\My Documents\programs\mirc616.exe mIRC: infected - 1 skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\infected\14PL5ODA.NQF Infected: Trojan-Downloader.Win32.VB.ann skipped
C:\Program Files\ESET\infected\I11SIRBA.NQF Infected: Trojan-Downloader.Win32.VB.ft skipped
C:\Program Files\ESET\infected\MWNVXYDA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.dm skipped
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\MSN Messenger\msnmsgr.exe Infected: Backdoor.Win32.MSNMaker.ag skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\PSK_NAMES2_3 Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\PSK_NAMES_3 Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINNT\system32\drivers\sptd.sys Object is locked skipped
C:\WINNT\system32\drivers\sptd9837.sys Object is locked skipped
C:\WINNT\system32\iifdbyx.dll Object is locked skipped
C:\WINNT\system32\mljij.dll Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
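
Most of the Kaspersky report above is noise: "Object is locked skipped" lines are files the scanner could not open (registry hives, browser profile databases, in-use DLLs), "not-a-virus:" hits are tools the scanner classifies as riskware, and hits inside a quarantine folder are already contained. As an added Python example (not from this thread or from Kaspersky), this sorts report lines into those buckets and lists what is left as a live malware hit; the sample lines are a constructed subset of the report in #14, and the list of quarantine folders is an assumption based on the tools used in this thread (KillBox, ESET, ComboFix).

```python
"""Triage a Kaspersky Online Scanner report into noise, riskware and live hits (added example)."""
import re

# Constructed subset of the report posted in #14.
SAMPLE_REPORT = r"""
C:\!KillBox\us.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\882jqktu.default\cert8.db Object is locked skipped
C:\Documents and Settings\User\My Documents\download\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES\L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\User\My Documents\download\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar RAR: infected - 1 skipped
C:\Documents and Settings\User\My Documents\download\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\ESET\infected\14PL5ODA.NQF Infected: Trojan-Downloader.Win32.VB.ann skipped
C:\Program Files\MSN Messenger\msnmsgr.exe Infected: Backdoor.Win32.MSNMaker.ag skipped
C:\WINNT\system32\mljij.dll Object is locked skipped
"""

# Line shapes seen in the report: "<path> Object is locked skipped",
# "<path> <FORMAT>: infected - <n> skipped" (archive summary), "<path> Infected: <name> skipped".
LOCKED_SUFFIX = " Object is locked skipped"
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Za-z]+): infected - (?P<count>\d+) skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# Assumption: quarantine folders of the tools used in this thread (KillBox, ESET, ComboFix).
QUARANTINE_MARKERS = ("\\!killbox\\", "\\eset\\infected\\", "\\qoobox\\")


def is_quarantined(path):
    """True if the path sits inside a known quarantine folder (already contained)."""
    lowered = path.lower()
    return any(marker in lowered for marker in QUARANTINE_MARKERS)


def triage_report(text):
    """Bucket each report line; archives are kept separately because the member hit is listed too."""
    summary = {"locked": 0, "containers": [], "riskware": [], "malware": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            summary["locked"] += 1          # scanner could not open it: no verdict either way
            continue
        m = CONTAINER_RE.match(line)
        if m:
            summary["containers"].append((m["path"], m["fmt"], int(m["count"])))
            continue
        m = INFECTED_RE.match(line)
        if m:
            item = {"path": m["path"], "name": m["name"], "quarantined": is_quarantined(m["path"])}
            bucket = "riskware" if m["name"].startswith("not-a-virus:") else "malware"
            summary[bucket].append(item)
    return summary


def actionable(summary):
    """Malware hits that are still live on disk, i.e. not inside a quarantine folder."""
    return [item for item in summary["malware"] if not item["quarantined"]]


if __name__ == "__main__":
    s = triage_report(SAMPLE_REPORT)
    print(f"locked (unscanned): {s['locked']}, archives: {len(s['containers'])}, "
          f"riskware: {len(s['riskware'])}, malware: {len(s['malware'])}")
    for item in actionable(s):
        print("live:", item["path"], item["name"])
```

On the sample this leaves a single live hit, msnmsgr.exe, which is exactly the file -David- asks to have packed and submitted in the next post; the ESET and KillBox hits are already quarantined and only need the folders emptied. Two caveats: riskware is a classification, not a verdict, so the Ardamax keylogger bundled with the cracked Panda download still has to be deleted by hand; and a "locked" file in system32 such as mljij.dll means the scanner could not look at it at all, which is why it is handled by a delete-on-reboot tool rather than being written off as clean.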

#15 -David-

  • Members
  • 10,603 posts
  • Gender: Male
  • Location: London

Posted 15 April 2007 - 03:36 AM

Ok, we've got a few more things to do.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please empty this folder:
C:\Program Files\ESET\infected

Please delete this infected crack:
C:\Documents and Settings\User\My Documents\download\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\system32\mljij.dll
C:\WINNT\system32\iifdbyx.dll


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please open the Suspicious File Packer you downloaded earlier.
Paste the following bold part into the Suspicious File Packer window:

C:\Program Files\MSN Messenger\msnmsgr.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Reboot back to normal mode.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.
The Hijackthis log is looking clean, which is a great sign! :thumbsup:



