
Vundo Infection


  • This topic is locked
8 replies to this topic

#1 Koseyboy


Posted 07 June 2007 - 03:43 AM

Hi there,

Hopefully one of you guys or gals can help me remove this pesky malware.
Here is my HijackThis logfile. I haven't been having any pop-ups while browsing the net for a few days now, but I know the infection is still there.
Thanks for your help and I look forward to your reply.

Regards

Koseyboy

Logfile of HijackThis v1.99.1
Scan saved at 09:11, on 2007-06-07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINNT\explorer.exe
C:\Program Files\Spyware Removal Tools\VundoFix.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AutoCAD 2006\aclt.exe
C:\DOCUME~1\Haden\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Spyware Removal Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - (no file)
O2 - BHO: (no name) - {A6291EA0-7EEA-4B49-B38B-35829EDB91AB} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = okeeffearch.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll,c:\progra~1\google\google~2\goec62~1.dll
O20 - Winlogon Notify: fccywvu - C:\WINNT\
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: winmiu32 - C:\WINNT\
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

#2 RichieUK (Malware Response Team)

Posted 07 June 2007 - 07:32 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Koseyboy :thumbsup:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

***************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 Koseyboy


Posted 07 June 2007 - 08:40 AM

Thanks for the response Richie.

Here are the logs you requested...didn't find or delete anything from either scan...

VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 14:09:20 2007-06-07

Listing files found while scanning....

No infected files were found.


Beginning removal...



Combofix log...

"Haden" - 07/06/2007 8:51:50 Service Pack 4
ComboFix 07-06-3B - Running from: "C:\Program Files\Spyware Removal Tools\"


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 08:46 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_67c.dat
2007-06-06 15:50 <DIR> d-------- C:\Program Files\Photo-Screensavers.com
2007-06-06 13:21 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-06 13:17 <DIR> d---s---- C:\DOCUME~1\Haden\UserData
2007-06-06 12:33 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\ArcSoft
2007-06-06 10:40 0 --a------ C:\WINNT\SYSTEM32\vtuts.dll
2007-06-06 10:28 <DIR> d-------- C:\Program Files\Prevx2
2007-06-06 10:28 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Prevx
2007-06-06 10:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-06-06 09:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-06-06 09:13 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Tenebril
2007-06-06 09:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-06-06 09:08 180,224 --a------ C:\WINNT\SYSTEM32\archlib.dll
2007-06-06 09:08 <DIR> d-------- C:\WINNT\SYSTEM32\tenarchlib
2007-06-05 23:32 679,951 --a------ C:\WINNT\SYSTEM32\nqtwa.bak1
2007-06-05 14:58 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\AdobeUM
2007-06-05 09:48 <DIR> d-------- C:\Program Files\Spyware Removal Tools
2007-06-05 09:22 16,384 --a------ C:\WINNT\SYSTEM32\Perflib_Perfdata_6a0.dat
2007-06-05 08:52 53,248 --a------ C:\WINNT\SYSTEM32\Process.exe
2007-06-05 08:52 51,200 --a------ C:\WINNT\SYSTEM32\dumphive.exe
2007-06-05 08:52 288,417 --a------ C:\WINNT\SYSTEM32\SrchSTS.exe
2007-06-05 08:45 684,515 --a------ C:\WINNT\SYSTEM32\fhhkj.bak2
2007-06-01 18:10 8,192 --a------ C:\ntuser.dat
2007-06-01 17:52 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Lavasoft
2007-06-01 17:42 <DIR> d-------- C:\Program Files\Ultimate Fixer
2007-06-01 17:36 <DIR> d-------- C:\Program Files\Firefox
2007-06-01 15:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-01 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-01 14:51 684,515 --a------ C:\WINNT\SYSTEM32\fhhkj.bak1
2007-06-01 14:51 263,220 --a------ C:\WINNT\SYSTEM32\jkhhf.dll.vir
2007-05-31 17:27 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Google
2007-05-25 17:28 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Ahead
2007-05-25 17:22 82,432 --a------ C:\WINNT\SYSTEM32\drmstor.dll
2007-05-25 17:22 301,712 --a------ C:\WINNT\SYSTEM32\drmclien.dll
2007-05-25 09:31 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2007-05-25 09:15 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\ACD Systems
2007-05-25 09:00 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Real
2007-05-25 08:54 <DIR> d--h----- C:\WINNT\PIF
2007-05-24 14:51 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Skype
2007-05-24 10:57 <DIR> d-------- C:\Program Files\Desktop Backgrounds
2007-05-24 10:40 <DIR> d-------- C:\Program Files\Icons
2007-05-24 10:36 16,384 --a------ C:\WINNT\SYSTEM32\Perflib_Perfdata_1ac.dat
2007-05-23 13:47 <DIR> d-------- C:\DOCUME~1\Haden\log
2007-05-23 13:34 3,532 --a------ C:\WINNT\SYSTEM32\tmp.reg
2007-05-23 13:25 77,312 --a------ C:\WINNT\ua2.dll
2007-05-23 13:20 <DIR> d-------- C:\WINNT\Content.IE5
2007-05-23 12:26 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Autodesk
2007-05-23 12:23 <DIR> d-------- C:\quarantine
2007-05-23 12:17 <DIR> d-------- C:\Google Desktop Data
2007-05-23 12:16 1,220,608 --ah----- C:\DOCUME~1\Haden\NTUSER.DAT
2007-05-23 12:16 <DIR> d-------- C:\DOCUME~1\Haden\APPLIC~1\Help
2007-05-23 10:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-21 08:54 <DIR> d-------- C:\DOCUME~1\Deirdre\APPLIC~1\ArcSoft
2007-05-11 13:33 <DIR> d-------- C:\Program Files\Skype
2007-05-11 13:33 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-11 13:33 <DIR> d-------- C:\DOCUME~1\Deirdre\APPLIC~1\Skype
2007-05-11 13:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 14:50:46 313,921 ----a-w C:\WINNT\system32\etnz.scr
2007-04-13 16:55:38 -------- d-----w C:\Program Files\Lavasoft
2007-04-13 16:55:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-13 09:44:50 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [22/10/06 23:08 ]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}=C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [07/05/07 10:32 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [31/05/05 01:04 ]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [10/01/06 12:09 ]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [22/10/06 23:20 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\SYSTEM32\mobsync.exe]
"TCASUTIEXE"="TCAUDIAG -off" []
"POINTER"="point32.exe" []
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [21/09/00 14:34 ]
"SxgTkBar"="SxgTkBar.exe" [10/04/00 08:10 C:\WINNT\SYSTEM32\sxgtkbar.exe]
"Adaptec DirectCD"="C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" [29/06/00 03:01 ]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [18/08/04 08:00 ]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/03 09:48 ]
"nwiz"="nwiz.exe" [28/07/03 15:19 C:\WINNT\SYSTEM32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/05 23:46 ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [17/05/07 08:47 ]
"RegistryMechanic"="" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22/10/06 23:24 ]
"@"="" []
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [03/06/07 15:59 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccywvu]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmiu32]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll,c:\progra~1\google\google~2\goec62~1.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 08:55:49
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/06/2007 8:59:51

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 14:25, on 2007-06-07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Spyware Removal Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - (no file)
O2 - BHO: (no name) - {A6291EA0-7EEA-4B49-B38B-35829EDB91AB} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = okeeffearch.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll,c:\progra~1\google\google~2\goec62~1.dll
O20 - Winlogon Notify: fccywvu - C:\WINNT\
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: winmiu32 - C:\WINNT\
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

#4 RichieUK (Malware Response Team)

Posted 07 June 2007 - 08:58 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINNT\SYSTEM32\vtuts.dll
C:\WINNT\SYSTEM32\nqtwa.bak1
C:\WINNT\SYSTEM32\fhhkj.bak2
C:\WINNT\SYSTEM32\fhhkj.bak1
C:\WINNT\SYSTEM32\jkhhf.dll.vir

Folders to delete:
C:\Program Files\Ultimate Fixer

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@="Driver"

*****************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - (no file)
O2 - BHO: (no name) - {A6291EA0-7EEA-4B49-B38B-35829EDB91AB} - (no file)
O20 - Winlogon Notify: fccywvu - C:\WINNT\
O20 - Winlogon Notify: winmiu32 - C:\WINNT\


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the Avenger output.txt, the AVG Anti-Spyware report, and a new HijackThis log into your next reply.
Let me know how your pc is running now please.

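The entries RichieUK asks HijackThis to fix above share a few tell-tale shapes: a BHO CLSID whose DLL is gone ("(no file)"), a Winlogon Notify package that names a directory instead of a DLL, and services whose binary is missing. The script below is an added example for triaging a HijackThis log by those shapes; it is not RichieUK's procedure or any HijackThis tooling, and its sample log is constructed in the format of the logs in this thread (the CLSID and the fccywvu name are taken from the entries above purely as format examples).

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the line formats in this thread's
# HijackThis logs; it is not a real scan.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - (no file)
O20 - Winlogon Notify: fccywvu - C:\\WINNT\\
O20 - Winlogon Notify: nwprovau - C:\\WINNT\\SYSTEM32\\nwprovau.dll
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\\Program Files\\Netropa\\Multimedia Keyboard\\nhksrv.exe (file missing)
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
"""

# A HijackThis entry starts with its section code (R0, O2, O20, O23, ...) then " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into section/body records, skipping header lines."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append({"section": m.group("section"),
                            "body": m.group("body"),
                            "line": raw.strip()})
    return records


def triage(text: str) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at first, each with a reason.

    The checks mirror the kinds of entries fixed in this thread: orphaned BHO
    registrations, Winlogon Notify packages with no DLL name, AppInit_DLLs
    entries (a persistence point worth verifying) and services whose binary is gone.
    """
    findings = []
    for rec in parse_hjt(text):
        sec, body = rec["section"], rec["body"]
        if sec == "O2" and body.endswith("(no file)"):
            findings.append({"line": rec["line"],
                             "reason": "BHO CLSID registered but its DLL is missing"})
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            # Format is "Winlogon Notify: <name> - <path>". A legitimate notify
            # package names a DLL; a bare directory (path ending in a backslash)
            # is the shape of the entries fixed in this thread.
            path = body.split(" - ", 1)[1] if " - " in body else ""
            if not path.lower().endswith(".dll"):
                findings.append({"line": rec["line"],
                                 "reason": "Winlogon Notify entry without a DLL filename"})
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append({"line": rec["line"],
                             "reason": "AppInit_DLLs loads into every GUI process; verify each DLL"})
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append({"line": rec["line"],
                             "reason": "service points at a binary that no longer exists"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:<60} {f['line']}")
```

The Adobe BHO and the nwprovau.dll Notify package are left alone, which is the point: the rules key on structural defects, not on unfamiliar names.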

#5 Koseyboy

  • Topic Starter

Posted 07 June 2007 - 09:59 AM

Thanks again Richie.

Here are my log files...
AVG wouldn't run in Safe mode. I'm running it now in normal mode and so far after 180,000 files it's found 1 object 'Adware.KeenValue' - I spoke too soon - now has 71 objects - all tracking cookies by the looks. Will post scan log when it is complete.
My computer seems to be running ok - a few years old so am used to its slower speed :thumbsup:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fblfjsvh

*******************

Script file located at: \??\C:\Documents and Settings\ptikckl^.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\SYSTEM32\vtuts.dll deleted successfully.
File C:\WINNT\SYSTEM32\nqtwa.bak1 deleted successfully.
File C:\WINNT\SYSTEM32\fhhkj.bak2 deleted successfully.
File C:\WINNT\SYSTEM32\fhhkj.bak1 deleted successfully.
File C:\WINNT\SYSTEM32\jkhhf.dll.vir deleted successfully.
Folder C:\Program Files\Ultimate Fixer deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 15:18, on 2007-06-07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Removal Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = okeeffearch.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll,c:\progra~1\google\google~2\goec62~1.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

Edited by Koseyboy, 07 June 2007 - 10:01 AM.


#6 Koseyboy

  • Topic Starter

Posted 07 June 2007 - 10:37 AM

Here is my AVG Spyware report. Everything seems ok now. Do I have anything else to do?
Thanks for your help - you've really saved me.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:27 2007-06-07

+ Scan result:



HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.204:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.71i : Cleaned.
:mozilla.252:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.36:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.37:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.29:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Co : Cleaned.
:mozilla.76:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.77:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.79:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.88:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.101:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.102:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.103:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.104:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.105:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.106:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.107:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.44:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.45:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.46:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.47:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.48:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.49:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.50:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.51:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.377:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.176:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.177:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.272:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.183:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned.
:mozilla.189:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.270:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.233:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.234:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.237:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.408:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.9:C:\Documents and Settings\Haden\Application Data\Mozilla\Firefox\Profiles\v1613362.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.240:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Popularix : Cleaned.
:mozilla.242:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.243:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.32:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Quarterserver : Cleaned.
:mozilla.244:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.246:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.247:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.249:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.250:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.251:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.274:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.275:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.276:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.277:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.278:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.71:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.180:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.86:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.87:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.302:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficcenter : Cleaned.
:mozilla.303:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficcenter : Cleaned.
:mozilla.304:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficcenter : Cleaned.
:mozilla.305:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficcenter : Cleaned.
:mozilla.306:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficcenter : Cleaned.
:mozilla.307:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.308:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.309:C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

#7 RichieUK

    Malware Assassin


  • Malware Response Team

Posted 07 June 2007 - 10:46 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix

C:\Vundofix Backups
C:\QooBox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

----------------------------

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#8 Koseyboy

  • Topic Starter

Posted 07 June 2007 - 11:19 AM

All's good thanks Richie. I'm stoked with your help in solving my problem. Will definitely be more careful from now on. Cheers mate.

#9 RichieUK

    Malware Assassin


  • Malware Response Team

Posted 07 June 2007 - 11:43 AM

You're welcome :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.