
Am I Still Infected?

11 replies to this topic

#1 matthew_66
Posted 04 July 2007 - 07:13 AM

Any help here would be greatly appreciated. I had discovered two infections on my computer through using Spybot (which were 'smitfraud' and 'abetterinternet') and I seem to have gotten rid of them by using various resources (i.e. SmitfraudFix as well as running AVG Anti-Spyware and then Ad-Aware followed by McAfee Stinger).

Neither Spybot, AVG nor Ad-Aware detect any more threats on my computer now, and yet any time I open Internet Explorer and go into Tools to change my security settings to 'high', as soon as I close that window and re-open Internet Explorer to check my security settings again, sure enough, they have been set back to 'accept all cookies'. For the moment I am not experiencing any more pop-ups, but after the ordeal I went through in the last two days trying to rid my computer of smitfraud and abetterinternet I want to be 110% positive there is no more malware in my system or registry.

I am not computer savvy in the least, but if anyone can please look at my HijackThis log and make a recommendation, I would be eternally grateful. Oh, btw, I am using Firefox as a browser now and have for the past two weeks. The only reason I keep checking my settings in IE is because before I ran McAfee Stinger, which seems to have got rid of abetterinternet, I would have Internet Explorer pop-ups while I was browsing the internet with Firefox! That is, an Internet Explorer window would open itself through some external remote with advertisements for bogus spyware to *clean* my system. Anyway, here is my HijackThis log. Thank you again, and I apologize for the long-winded explanation; I've been up 16 hours straight working on this problem.

Logfile of HijackThis v1.99.1
Scan saved at 4:27:18 AM, on 7/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O1 - Hosts: 85.17.40.71 oink.me.uk
O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
O1 - Hosts: 85.17.40.70 irc.oink.me.uk
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\hskwbkwy.dll",forkonce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm265YYUS
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463867219
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463833626
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 RichieUK (Malware Response Team)

Posted 04 July 2007 - 11:04 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum matthew_66 :thumbsup:

Find and delete:
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

============================

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

============================

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


============================

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.

#3 matthew_66

Posted 05 July 2007 - 04:26 AM

Thanks for the speedy response RichieUK! I did everything you suggested. Here are the logs from VundoFix, ComboFix, and abc.bat aka HijackThis. Thank you so much for all you are doing for me, it is greatly appreciated! I look forward to hearing from you again, sincerely Matthew. :D

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 12:33:25 AM 7/5/2007

Listing files found while scanning....

C:\windows\system32\acpupfjx.dll
C:\windows\system32\avrjsypk.ini
C:\windows\system32\aykhiqac.ini
C:\windows\system32\baifupko.ini
C:\WINDOWS\System32\biodsnox.dll
C:\windows\system32\caqihkya.dll
C:\windows\system32\cdbpaert.ini
C:\windows\system32\csixmnyr.ini
C:\windows\system32\dulvhpep.dll
C:\windows\system32\gmaswxkh.ini
C:\windows\system32\gpadxnot.dll
C:\windows\system32\hkxwsamg.dll
C:\windows\system32\horqjrls.ini
C:\windows\system32\hskwbkwy.dll
C:\windows\system32\ilmpeexs.dll
C:\windows\system32\iomfiqdl.dll
C:\windows\system32\jjkkj.bak1
C:\windows\system32\jjkkj.bak2
C:\windows\system32\jjkkj.ini
C:\windows\system32\jjkkj.ini2
C:\windows\system32\jjkkj.tmp
C:\WINDOWS\System32\jkkjj.dll
C:\windows\system32\koftiexl.ini
C:\windows\system32\kpysjrva.dll
C:\windows\system32\ldqifmoi.ini
C:\windows\system32\lgkkxumv.ini
C:\windows\system32\lihrjbap.ini
C:\windows\system32\lxeitfok.dll
C:\windows\system32\ohchrhdr.ini
C:\windows\system32\okpufiab.dll
C:\windows\system32\pabjrhil.dll
C:\windows\system32\pephvlud.ini
C:\windows\system32\qkugugmu.dll
C:\windows\system32\rdhrhcho.dll
C:\windows\system32\rpxdomtt.ini
C:\windows\system32\rynmxisc.dll
C:\windows\system32\sbaawruy.ini
C:\windows\system32\slrjqroh.dll
C:\windows\system32\sxeepmli.ini
C:\windows\system32\tonxdapg.ini
C:\WINDOWS\System32\treapbdc.dll
C:\windows\system32\ttmodxpr.dll
C:\windows\system32\umgugukq.ini
C:\windows\system32\vmuxkkgl.dll
C:\windows\system32\xjfpupca.ini
C:\windows\system32\yurwaabs.dll
C:\windows\system32\ywkbwksh.ini

Beginning removal...

Attempting to delete C:\windows\system32\acpupfjx.dll
C:\windows\system32\acpupfjx.dll Has been deleted!

Attempting to delete C:\windows\system32\avrjsypk.ini
C:\windows\system32\avrjsypk.ini Has been deleted!

Attempting to delete C:\windows\system32\aykhiqac.ini
C:\windows\system32\aykhiqac.ini Has been deleted!

Attempting to delete C:\windows\system32\baifupko.ini
C:\windows\system32\baifupko.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\biodsnox.dll
C:\WINDOWS\System32\biodsnox.dll Has been deleted!

Attempting to delete C:\windows\system32\caqihkya.dll
C:\windows\system32\caqihkya.dll Has been deleted!

Attempting to delete C:\windows\system32\cdbpaert.ini
C:\windows\system32\cdbpaert.ini Has been deleted!

Attempting to delete C:\windows\system32\csixmnyr.ini
C:\windows\system32\csixmnyr.ini Has been deleted!

Attempting to delete C:\windows\system32\dulvhpep.dll
C:\windows\system32\dulvhpep.dll Has been deleted!

Attempting to delete C:\windows\system32\gmaswxkh.ini
C:\windows\system32\gmaswxkh.ini Has been deleted!

Attempting to delete C:\windows\system32\gpadxnot.dll
C:\windows\system32\gpadxnot.dll Has been deleted!

Attempting to delete C:\windows\system32\hkxwsamg.dll
C:\windows\system32\hkxwsamg.dll Has been deleted!

Attempting to delete C:\windows\system32\horqjrls.ini
C:\windows\system32\horqjrls.ini Has been deleted!

Attempting to delete C:\windows\system32\hskwbkwy.dll
C:\windows\system32\hskwbkwy.dll Has been deleted!

Attempting to delete C:\windows\system32\ilmpeexs.dll
C:\windows\system32\ilmpeexs.dll Has been deleted!

Attempting to delete C:\windows\system32\iomfiqdl.dll
C:\windows\system32\iomfiqdl.dll Has been deleted!

Attempting to delete C:\windows\system32\jjkkj.bak1
C:\windows\system32\jjkkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\jjkkj.bak2
C:\windows\system32\jjkkj.bak2 Has been deleted!

Attempting to delete C:\windows\system32\jjkkj.ini
C:\windows\system32\jjkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\jjkkj.ini2
C:\windows\system32\jjkkj.ini2 Has been deleted!

Attempting to delete C:\windows\system32\jjkkj.tmp
C:\windows\system32\jjkkj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\System32\jkkjj.dll
C:\WINDOWS\System32\jkkjj.dll Has been deleted!

Attempting to delete C:\windows\system32\koftiexl.ini
C:\windows\system32\koftiexl.ini Has been deleted!

Attempting to delete C:\windows\system32\kpysjrva.dll
C:\windows\system32\kpysjrva.dll Has been deleted!

Attempting to delete C:\windows\system32\ldqifmoi.ini
C:\windows\system32\ldqifmoi.ini Has been deleted!

Attempting to delete C:\windows\system32\lgkkxumv.ini
C:\windows\system32\lgkkxumv.ini Has been deleted!

Attempting to delete C:\windows\system32\lihrjbap.ini
C:\windows\system32\lihrjbap.ini Has been deleted!

Attempting to delete C:\windows\system32\lxeitfok.dll
C:\windows\system32\lxeitfok.dll Has been deleted!

Attempting to delete C:\windows\system32\ohchrhdr.ini
C:\windows\system32\ohchrhdr.ini Has been deleted!

Attempting to delete C:\windows\system32\okpufiab.dll
C:\windows\system32\okpufiab.dll Has been deleted!

Attempting to delete C:\windows\system32\pabjrhil.dll
C:\windows\system32\pabjrhil.dll Has been deleted!

Attempting to delete C:\windows\system32\pephvlud.ini
C:\windows\system32\pephvlud.ini Has been deleted!

Attempting to delete C:\windows\system32\qkugugmu.dll
C:\windows\system32\qkugugmu.dll Has been deleted!

Attempting to delete C:\windows\system32\rdhrhcho.dll
C:\windows\system32\rdhrhcho.dll Has been deleted!

Attempting to delete C:\windows\system32\rpxdomtt.ini
C:\windows\system32\rpxdomtt.ini Has been deleted!

Attempting to delete C:\windows\system32\rynmxisc.dll
C:\windows\system32\rynmxisc.dll Has been deleted!

Attempting to delete C:\windows\system32\sbaawruy.ini
C:\windows\system32\sbaawruy.ini Has been deleted!

Attempting to delete C:\windows\system32\slrjqroh.dll
C:\windows\system32\slrjqroh.dll Has been deleted!

Attempting to delete C:\windows\system32\sxeepmli.ini
C:\windows\system32\sxeepmli.ini Has been deleted!

Attempting to delete C:\windows\system32\tonxdapg.ini
C:\windows\system32\tonxdapg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\treapbdc.dll
C:\WINDOWS\System32\treapbdc.dll Has been deleted!

Attempting to delete C:\windows\system32\ttmodxpr.dll
C:\windows\system32\ttmodxpr.dll Has been deleted!

Attempting to delete C:\windows\system32\umgugukq.ini
C:\windows\system32\umgugukq.ini Has been deleted!

Attempting to delete C:\windows\system32\vmuxkkgl.dll
C:\windows\system32\vmuxkkgl.dll Has been deleted!

Attempting to delete C:\windows\system32\xjfpupca.ini
C:\windows\system32\xjfpupca.ini Has been deleted!

Attempting to delete C:\windows\system32\yurwaabs.dll
C:\windows\system32\yurwaabs.dll Has been deleted!

Attempting to delete C:\windows\system32\ywkbwksh.ini
C:\windows\system32\ywkbwksh.ini Has been deleted!

Performing Repairs to the registry.
Done!



"Owner" - 2007-07-05 1:14:04 - ComboFix 07-07-05


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP
C:\Program Files\Common Files\stem~1
C:\Program Files\TTC.dll
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnscpicomsv32.exe
C:\WINDOWS\wr.txt
C:\WINDOWS\xmlhelper.dll
C:\WINDOWS\xmlhelper2.dll


((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


2007-07-05 01:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 00:33 <DIR> d-------- C:\VundoFix Backups
2007-07-04 08:37 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-07-04 08:37 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-07-04 08:37 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-07-04 08:37 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-07-04 08:37 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-07-04 08:37 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-07-04 08:37 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-07-04 08:37 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-07-04 08:37 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-07-04 08:37 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-07-04 08:37 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-07-04 08:37 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-07-04 08:37 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-07-04 08:37 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-07-04 08:37 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-07-04 08:37 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-07-04 08:36 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-07-04 08:36 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-07-04 03:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-03 18:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-07-03 18:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-03 13:38 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-03 13:38 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-03 13:38 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-03 13:38 2,170 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-03 13:18 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 12:58 495,616 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-03 07:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 07:12 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-07-02 23:21 498,960 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-07-02 23:21 251,904 --a------ C:\WINDOWS\system32\strmdll.dll
2007-07-02 23:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-07-02 23:10 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-07-02 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-02 22:19 <DIR> d-------- C:\WINDOWS\EHome
2007-07-02 01:07 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 01:07 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 01:07 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 01:07 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 01:07 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 01:07 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-29 12:08 122,880 --a------ C:\WINDOWS\xmlhelper4.dll
2007-06-24 19:48 <DIR> d-------- C:\DOCUME~1\FIB\APPLIC~1\AdobeUM
2007-06-22 07:52 <DIR> d-------- C:\Program Files\NetConceal Anonymizer
2007-06-19 06:20 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-19 06:14 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-18 22:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-18 18:52 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 07:48:21 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-04 18:00:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-07-02 20:20:09 -------- d-----w C:\Program Files\Soulseek
2007-06-26 19:55:21 -------- d-----w C:\Program Files\All Sound Recorder XP
2007-06-01 00:28:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-05-30 23:41:34 -------- d-----w C:\Program Files\Norton 360
2007-05-30 22:54:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-05-30 13:31:52 -------- d-----w C:\Program Files\Symantec
2007-05-30 13:31:51 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-30 13:31:51 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-30 12:54:25 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-30 12:03:29 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-05-28 17:49:32 -------- d-----w C:\Program Files\Canon
2007-05-28 17:29:54 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-28 17:29:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-28 17:29:16 921 ----a-w C:\WINDOWS\QSFVExit.bat
2007-05-17 15:13:33 -------- d-----w C:\Program Files\QuickTime
2007-05-07 09:31:10 -------- d-----w C:\Program Files\foobar2000
2007-04-24 01:42:58 12,496 ----a-w C:\WINDOWS\MSPuzzle.dat
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-13 23:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}]
2006-05-14 13:25 127066 --a------ C:\Program Files\NetConceal Anonymizer\ProxyNew.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2007-02-18 20:22 97960 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2004-05-11 23:03 744960 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5836AA40-CB42-4998-83C0-E8C9E54C4CAE}]
C:\WINDOWS\System32\jkkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-07-02 04:23 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2001-12-04 10:07 C:\WINDOWS\GWMDMMSG.exe]
"WMC_AutoUpdate"="" []
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2005-10-07 20:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 05:14]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 06:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 04:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtttss]
awtttss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

*Newly Created Service* - COMHOST

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 01:23:16
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-05 1:24:16
C:\ComboFix-quarantined-files.txt ... 2007-07-05 01:23

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 2:12:38 AM, on 7/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\abc.bat.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O1 - Hosts: 85.17.40.71 oink.me.uk
O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
O1 - Hosts: 85.17.40.70 irc.oink.me.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal Anonymizer\ProxyNew.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5836AA40-CB42-4998-83C0-E8C9E54C4CAE} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm265YYUS
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463867219
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463833626
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O20 - Winlogon Notify: awtttss - awtttss.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 05 July 2007 - 06:09 AM

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open; at the bottom of the window, to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

================================

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {5836AA40-CB42-4998-83C0-E8C9E54C4CAE} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm265YYUS
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O20 - Winlogon Notify: awtttss - awtttss.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

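A small triage script for HijackThis log lines, added here as an example (it is not a BleepingComputer or HijackThis tool): it encodes the four entry patterns RichieUK asked to have fixed above and runs over lines copied from the first log in this thread. The rule set is a constructed illustration of why those entries stand out, not a substitute for a helper reviewing the whole log.

```python
"""Triage of HijackThis v1.99 log lines.

Added example for this thread, not a BleepingComputer or HijackThis tool. The
rules below encode the four entry patterns the helper told the poster to fix:
an unnamed BHO whose DLL is missing, a pathless Winlogon Notify DLL, an
unnamed DPF ActiveX download, and a context menu item pointing at a remote
URL. The rule set is a constructed illustration, not a complete HJT analysis.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Every HJT entry is "<section> - <rest>", e.g. "O2 - BHO: name - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<rest>.+)$")
# Named DPF entries carry a description right after the CLSID: "{...} (Name) - url".
DPF_NAMED_RE = re.compile(r"\}\s+\(")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when one log line matches a suspicious pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, blank lines, the running-process list
    sec, rest = m.group("sec"), m.group("rest")
    missing = rest.endswith(MISSING)

    if sec == "O2" and "(no name)" in rest and missing:
        # A BHO CLSID left behind after its DLL was removed (jkkjj.dll here); a
        # legitimate unnamed BHO such as Spybot's SDHelper.dll still exists on disk.
        return Finding(sec, "unnamed BHO whose DLL is missing (orphaned CLSID)", line)

    if sec == "O20" and rest.startswith("Winlogon Notify:"):
        # Winlogon Notify DLLs load into winlogon.exe at logon. Legitimate ones
        # (WgaLogon.dll, SASWINLO.dll) are registered with a full path; the
        # awtttss.dll entry had only a bare filename and no file on disk.
        target = rest.split(" - ", 1)[1] if " - " in rest else ""
        if missing or "\\" not in target:
            return Finding(sec, "Winlogon Notify entry with pathless or missing DLL", line)

    if sec == "O16" and rest.startswith("DPF:") and not DPF_NAMED_RE.search(rest):
        # Vendor ActiveX controls appear as "{CLSID} (Description) - url"; an entry
        # with no description, like the appldnld.m7z.net one, deserves a look.
        return Finding(sec, "unnamed ActiveX (DPF) download", line)

    if sec == "O8" and re.search(r" - https?://", rest):
        # Add-ins such as Easy-WebPrint point context menu items at res:// in a
        # local DLL; the mywebsearch entry loads a remote page instead.
        return Finding(sec, "context menu item pointing at a remote URL", line)

    return None


def triage_log(text: str) -> list:
    """Run triage_line over a whole pasted log and keep the hits in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


# Sample input constructed from the first HijackThis log in this thread: the
# four entries that were fixed plus a few benign neighbours for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {5836AA40-CB42-4998-83C0-E8C9E54C4CAE} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm265YYUS
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: awtttss - awtttss.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```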

#5 matthew_66 (Topic Starter)
Members, 11 posts

Posted 05 July 2007 - 11:14 AM

RichieUK, you ROCK!!! :thumbsup: I mean it, you are my personal HERO! I cannot thank you enough.

After following the instructions in your first response, I ran Spybot and got a clean bill of health, and let me tell you, I was ecstatic!!! (and still am for that matter), but I am also glad you sent me another response (which I also followed all the instructions of), because after running SUPERAntiSpyware I found out my computer was anything BUT virus-free and that Spybot had missed *a couple* of things; in fact S.A.V.S. found 66 more threats!!! (which I immediately quarantined and deleted once the scan had completed). So this time, I am hoping my computer really is virus free (it certainly runs like it is; in fact it performs better now than it has in literally years). I am just so very grateful to you and the entire bleepingcomputer.com community.

Also, I wanted to ask you (if this is the right place to do so, that is; if not I can post this question in another forum), but I think that I contracted these viruses by not updating Windows (see, I didn't want Service Pack 2 at the time (because I'd heard and read some bad things about it), but stupid me, I didn't realize that, DUH! there were other updates besides SP2, i.e. Windows virus definition updates etc.), so my question is: is it safe to install Service Pack 2 once I am certain there are no viruses on my computer? (I read that installing Windows Service Pack 2 while there are still viruses on your computer can have devastating effects such as not allowing your computer to even start) and, honestly, I'm still not sure I want Service Pack 2, though every time I start my computer I get the message stating 'this version of Windows is no longer safe, install Service Pack 2 now for protection'. Thank you once again for all your time and patience and especially for all your help. I mean, I was ready to wipe the computer's hard drive and begin from scratch before I discovered this forum, and now I am so glad I didn't resort to that. Sincerely, Matthew.

Here are the logs from both SUPERAntiSpyware and HijackThis.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2007 at 08:20 AM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 01:22:31

Memory items scanned : 374
Memory threats detected : 0
Registry items scanned : 4459
Registry threats detected : 10
File items scanned : 30231
File threats detected : 57

Adware.Agent-XMLHelp
HKLM\Software\Classes\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}#AppID
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\InprocServer32
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\InprocServer32#ThreadingModel
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\ProgID
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\Programmable
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\TypeLib
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\VersionIndependentProgID
C:\WINDOWS\XHELPER.DLL
C:\WINDOWS\XMLHELPER4.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt
C:\Documents and Settings\FIB\Cookies\fib@ads.adbrite[2].txt
C:\Documents and Settings\FIB\Cookies\fib@cpvfeed[2].txt
C:\Documents and Settings\FIB\Cookies\fib@interclick[1].txt
C:\Documents and Settings\FIB\Cookies\fib@sec1.liveperson[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@3.adbrite[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@ad.creafi[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@ad.scanmedios[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@ad.thewheelof[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@ads.adbrite[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@adultfriendfinder[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@askiacsearchmedia[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@atwola[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@azjmp[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@burstnet[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@centralmediaserver[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@countercentral[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@cpvfeed[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@data1.perf.overture[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@data2.perf.overture[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@data3.perf.overture[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@deg10204.freestats[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@eas.apm.emediate[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@eval.bizrate[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@fishermansexpress[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@h.starware[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@i.screensavers[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@icc.intellisrv[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@interclick[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@jkearn.freestats[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@kanoodle[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@login.tracking101[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@lynxtrack[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@masternewmedia[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@mediaonenetwork[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@nbads[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@nextag[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@optimost[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@pt.crossmediaservices[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@sec1.liveperson[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@smileycentral[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@stats.erau[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@superstats[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@tracking.foxnews[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@vhost.oddcast[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@windowsmedia[2].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@www.dealtime[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@www.windowsmedia[1].txt
C:\Documents and Settings\MeanMomma\Cookies\meanmomma@xiti[1].txt

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TTC.DLL.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE.VIR

Trojan.Rootkit-TnCore/Installer
C:\WINDOWS\SYSTEM32\F4\WEN2.EXE

Adware.WebBuying-Installer
C:\WINDOWS\SYSTEM32\F5\WBB22.EXE

Logfile of HijackThis v1.99.1
Scan saved at 8:34:29 AM, on 7/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\abc.bat.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal Anonymizer\ProxyNew.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463867219
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463833626
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 05 July 2007 - 12:53 PM

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

#7 matthew_66 (Topic Starter)
Members, 11 posts

Posted 05 July 2007 - 05:17 PM

Hi RichieUK, okay, here below are the results of the Bit Defender scan, and I did remember to turn Norton Anti-Virus back on after the scan finished. (Norton 360 is what I am currently using for anti-virus and firewall; any suggestions for better full-time anti-virus and firewall protection are welcome, as I am unhappy with Norton 360 and have been long before becoming infected.)

My computer still seems to be running fine, and although I had one pop-up (before running Bit Defender: the dreaded and frequent 'Drivecleaner' advertisement) I have not had any other problems, although before running Bit Defender I noticed that the longer I had been online the slower my computer seemed to go, and I wondered if that wasn't because I had SUPERAntiSpyware running at the same time as Norton 360..? Again, all of your help is greatly appreciated. -Matthew.

BitDefender Online Scanner

Scan report generated at: Thu, Jul 05, 2007 - 13:56:02
Scan path: A:\;C:\;D:\;

Statistics
Time: 01:59:36
Files: 196451
Folders: 4709
Boot Sectors: 2
Archives: 10537
Packed Files: 5202

Results
Identified Viruses: 5
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 637159
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Program Files\folder.js - Detected with: Adware.TTC.B
C:\Program Files\folder.js - Disinfection failed
C:\Program Files\folder.js - Deleted
C:\QooBox\Quarantine\C\WINDOWS\xmlhelper.dll.vir - Infected with: Trojan.BHO.BT
C:\QooBox\Quarantine\C\WINDOWS\xmlhelper.dll.vir - Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\xmlhelper.dll.vir - Deleted
C:\VundoFix Backups\biodsnox.dll.bad - Infected with: Trojan.Juan.H
C:\VundoFix Backups\biodsnox.dll.bad - Disinfection failed
C:\VundoFix Backups\biodsnox.dll.bad - Deleted
C:\VundoFix Backups\jkkjj.dll.bad - Infected with: DeepScan:Generic.Virtumonde1.ge.2916345A
C:\VundoFix Backups\jkkjj.dll.bad - Disinfection failed
C:\VundoFix Backups\jkkjj.dll.bad - Deleted
C:\WINDOWS\system32\F2\mwspasrt83122.exe - Infected with: Dropped:Trojan.Downloader.Adload.NCJ
C:\WINDOWS\system32\F2\mwspasrt83122.exe - Disinfection failed
C:\WINDOWS\system32\F2\mwspasrt83122.exe - Deleted

#8 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 05 July 2007 - 05:30 PM

Please download rr-free-setup.exe (by RubbeR DuckY) and save the file to your desktop:
http://www.malwarebytes.org/rr-update/rr-free-setup.exe

Double-click rr-free-setup.exe.
RogueRemover will now be installed - OK the installation prompts.
Once it has successfully been installed, click Check for updates, then download/install any updates.

Now click Scan.
RogueRemover will now scan your computer for any rogue programs.
Once it has finished click Remove Selected if it finds any.
Please allow RogueRemover to submit the statistical data.

====================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new HijackThis log.
Let me know what's happening now.

#9 matthew_66 (Topic Starter)
Members, 11 posts

Posted 06 July 2007 - 02:11 AM

Okay, I have installed and run both programs, and I came up clean on Rogue Remover; then I downloaded Dr-Web-Cureit and scanned in safe mode. The first time I scanned, I thought I had accidentally stopped the scan (though in retrospect I believe it had finished), so anyway I scanned my computer once again. Then after that was finished I generated the report list. I even scanned a third time, just to be absolutely certain, and on the third scan there were NO viruses whatsoever, and hence I could not generate a report that time as there was nothing to report, so here is the Dr-Web-Cureit report for the second scan followed by a new HijackThis log. My computer seems to be running wonderfully and I haven't had any recent pop-ups. I know I keep saying this, but I really am so very grateful for all your time, effort and expert help. Thank you once again. -Matthew

Process.exe;C:\Documents and Settings\FIB\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\FIB\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
tmp3;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Virtumod;Deleted.;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
xmlhelper2.dll.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.DownLoader.24253;Deleted.;
acpupfjx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
caqihkya.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
dulvhpep.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
gpadxnot.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hkxwsamg.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hskwbkwy.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ilmpeexs.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
iomfiqdl.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
kpysjrva.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
lxeitfok.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
okpufiab.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pabjrhil.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
qkugugmu.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
rdhrhcho.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
rynmxisc.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
slrjqroh.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
treapbdc.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ttmodxpr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vmuxkkgl.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
yurwaabs.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
626wr.exe;C:\WINDOWS\system32\F3;Trojan.DownLoader.25802;Deleted.;
Process.exe;C:\Documents and Settings\FIB\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\FIB\Desktop\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
Logfile of HijackThis v1.99.1
Scan saved at 12:10:18 AM, on 7/6/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\abc.bat.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal Anonymizer\ProxyNew.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463867219
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136463833626
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 06 July 2007 - 08:24 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

==============================

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix.exe


C:\VundoFix Backups
C:\QOOBOX

==============================

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

==============================

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

==============================

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
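As an added example (not part of this thread, and not a HijackThis or BleepingComputer tool), a small Python parser for the HijackThis log format posted above: it pulls the section code and CLSID out of each line, flags entries marked '(file missing)' so that paired O9 button and 'Tools' menu items sharing one CLSID, like the two RichieUK had fixed, can be reviewed together, and reads the JRE version out of Java paths to compare against the 6u2 release recommended in the post. The sample lines are constructed from entries in the posted log; the baseline version (6, 2) is an assumption taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on entries from the log posted above.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe" /h ccCommon (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # section code, then the entry body
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")          # {8-4-4-4-12} GUID in braces
JRE_RE = re.compile(r"jre1\.(\d+)\.\d+_(\d+)", re.IGNORECASE)  # e.g. jre1.6.0_01 -> (6, 1)

def parse_line(line):
    """Split one HijackThis line into section code, optional CLSID, body and a file-missing flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    return {
        "section": section,
        "clsid": clsid.group(0).upper() if clsid else None,
        "body": body,
        "file_missing": "(file missing)" in body,
    }

def orphaned_entries(log_text):
    """Entries whose target file HijackThis reports as missing; these are the ones to review."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and e["file_missing"]]

def group_by_clsid(entries):
    """Group flagged entries by CLSID: an O9 button and its 'Tools' menu item share one GUID."""
    groups = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].append(e["section"])
    return dict(groups)

def jre_versions(log_text):
    """Collect distinct (major, update) pairs from Java install paths found anywhere in the log."""
    return sorted({(int(major), int(update)) for major, update in JRE_RE.findall(log_text)})

def outdated_jre(log_text, current=(6, 2)):
    """JRE versions older than the assumed current release (6u2, as recommended in the post)."""
    return [v for v in jre_versions(log_text) if v < current]
```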

#11 matthew_66

  • Topic Starter
  • Members
  • 11 posts

Posted 06 July 2007 - 05:41 PM

Thank you so very much, RichieUK. I followed all the instructions from your last response, and my computer is still running 100% top notch, in fact better than it was before it caught these viruses ~ seriously! You truly are a Malware Assassin!

Thanks also for including miekiemoes' 'how to prevent malware'. I will be committing it to memory, as I never want to encounter another virus like this ever again. I only wish I had the words to express all the gratitude I feel for you and the staff of bleepingcomputer.com. You've not only restored my computer, but my faith in the overall good nature of the human race, and that is real! Sincerely, Matthew_66

Edited by matthew_66, 06 July 2007 - 05:44 PM.


#12 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 07 July 2007 - 04:00 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.