Multiple Pop Ups After Ie6 Start


5 replies to this topic

#1 BMWCRAIG
  • Members
  • 5 posts

Posted 10 July 2007 - 02:44 PM

I have multiple pop-ups that appear whenever I connect to the internet. I have an always-on connection, but lately, with all the pop-ups, I just pull the ethernet cable out of the socket. After installing the Sygate firewall I can block IE6 access. I have wiped out as many viruses as I could find. I ran AVG, Ad-Aware and Spybot until no more viruses were found. Ran my HijackThis and now here is the log.

You will see a program called Tomcat; that is a file that is needed to run one of my programs.

Thank you for whatever help you can provide.

When I ran Spybot S&D I found these:

Virtumonde
Web buying asst
Smitfraud-c.
Smitfraud-c.Coreservice
Win32agent.baf

I have AVG running and it has found:

Obfustat.NV
Backdoor.Generic3.LJS
Backdoor.Generic6.UON
"" ".CBO
Backdoor.Generic7.GTL
Backdoor.Generic7.MWM
Dropper.Agent.EDZ
Proxy.PHC
Generic5.CRH
Generic3.UNS
Downloader.Generic4.YHW
Downloader.Generic4.WSP
Lop.CH
SHeur.QN
Proxy.PAM
Downloader.Generic4.VXM
_______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:39:32 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbkern32.exe
C:\Program Files\EWA net\database\TransBase EWA\tbkern32.exe
C:\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msdun.exe
O1 - Hosts: 12.44.59.46 ppa-extra.ndc.daimlerchrysler.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sgksqudd.dll",forkonce
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\CRAIG BISHOP\svchost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://205.232.177.18/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D11A36-D587-4D53-BB74-3333D6A4CA7D}: NameServer = 198.6.1.122,198.6.1.142
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe

#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 10 July 2007 - 04:24 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, BMWCRAIG :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open Notepad, click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

-------------------------------

Please move HijackThis to its own folder on the hard drive such as C:\HJT.
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.

How to create a new folder named HJT
1. Click Start/My Computer; in the 'My Computer' window, open the window in which you want to create the new folder and click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

-------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

-------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


-------------------------------

Now go to:
C:\HJT\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.
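Richie's reply above goes straight to the cleanup tools without saying which lines in Craig's log are the problem. The script below is an added example, written for this page and not code from the thread, from HijackThis or from any of the tools named here. It encodes the checks a log helper applies by eye to a log like the one in post #1 and the fix list in post #4: a Shell= value that is anything other than a bare explorer.exe, Windows system binaries launched from the wrong directory (svchost.exe under drivers\ or a user profile), rundll32 autoruns, Winlogon Notify and BHO entries whose DLL is no longer on disk, ActiveX controls fetched from a bare IP, hosts overrides and custom DNS servers. The last three are marked "review" rather than verdicts: in the log itself a corporate hosts entry or an ISP resolver looks exactly like a hijack. The sample lines are constructed from the two logs posted in this thread; the severity labels and the SYSTEM_ONLY list are this example's assumptions.

```python
"""Heuristic triage of HijackThis-style log lines (added example).

Flags what a log reader checks by eye: a non-default Shell= value, system
binaries started from the wrong directory, rundll32 autoruns, orphaned
Winlogon Notify / BHO entries, ActiveX pulled from a bare IP, hosts
overrides and custom DNS servers. "review" findings need a human decision.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Binaries that only ever start from %SystemRoot% or %SystemRoot%\system32 (assumption).
SYSTEM_ONLY = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")

PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll))', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    line: str
    reason: str


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when nothing stands out."""
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: Shell="):
        if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return Finding("high", line, "Shell= is not a bare explorer.exe; "
                           "the extra program is started at logon")
    elif line.startswith("O1 - Hosts:"):
        return Finding("review", line, "hosts-file override; confirm it is intentional")
    elif line.startswith("O4 - "):
        m = O4_RE.match(line)
        if m is None:
            return None
        cmd = m.group("cmd")
        if cmd.lower().startswith("rundll32"):
            return Finding("medium", line, "rundll32 autorun; identify the DLL's publisher")
        p = PATH_RE.search(cmd)
        if p and _basename(p.group(1)) in SYSTEM_ONLY \
                and _dirname(p.group(1)) not in SYSTEM_DIRS:
            return Finding("high", line, f"{_basename(p.group(1))} launched from "
                           f"{_dirname(p.group(1))}, not a Windows directory")
    elif line.startswith("O20 - Winlogon Notify:"):
        if "(file missing)" in line or not line.lower().endswith(".dll"):
            return Finding("high", line, "Winlogon Notify package with no DLL on disk; "
                           "orphaned loader, remove the key")
    elif line.startswith("O2 - BHO:"):
        if "(file missing)" in line or "(no file)" in line:
            return Finding("medium", line, "BHO CLSID registered but its DLL is gone")
    elif line.startswith("O16 - DPF:"):
        if IP_URL_RE.search(line):
            return Finding("review", line, "ActiveX control fetched from a bare IP address")
    elif line.startswith("O17 - "):
        return Finding("review", line, "custom DNS servers; compare with the expected resolvers")
    return None


def triage(log_text: str) -> list:
    """All findings for a whole log, in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


def severity_counts(findings) -> dict:
    counts = {"high": 0, "medium": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample lines constructed from the two logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msdun.exe
O1 - Hosts: 12.44.59.46 ppa-extra.ndc.daimlerchrysler.com
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sgksqudd.dll",forkonce
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\CRAIG BISHOP\svchost.exe
O2 - BHO: (no name) - {22CCB1F6-B73A-4015-84D0-D764D2BBF2E0} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://205.232.177.18/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D11A36-D587-4D53-BB74-3333D6A4CA7D}: NameServer = 198.6.1.122,198.6.1.142
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\
O20 - Winlogon Notify: ssqonoo - ssqonoo.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

On the sample above this yields five "high" findings (the Shell= line, the two misplaced svchost.exe autoruns and the two dead Winlogon Notify packages), two "medium" and three "review". Two caveats a practitioner should keep in mind: an entry marked "(file missing)" is inert until the file is put back, so it is a cleanup item rather than evidence of a live infection; and a script like this only reads what HijackThis printed, so a rootkit that hides its files from the scanner hides from the triage too, which is why the thread also runs a rootkit detector (catchme) inside ComboFix.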

#3 BMWCRAIG
  • Topic Starter
  • Members
  • 5 posts

Posted 11 July 2007 - 09:22 AM

OK, I ran VundoFix and ComboFix. I had some problems with Spybot not letting the registry entries change, so I removed Spybot and ran both programs again. So I will include both log files of ComboFix.

ComboFix Run #1
- 2007-07-11 9:05:37 - ComboFix 07-07-10.5 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\ssembl~1
C:\WINDOWS\dobe~1
C:\WINDOWS\DOWNLO~1\UERS_9999_N91S1502NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\ie-hook.txt
C:\WINDOWS\system32\advvpi32.dll
C:\WINDOWS\system32\KB10560986.exe
C:\WINDOWS\system32\KB76775265.exe
C:\WINDOWS\system32\KB93736873.exe
C:\WINDOWS\system32\ksl48.bin
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\o08PrEz
C:\WINDOWS\system32\pltlmos.dll
C:\WINDOWS\system32\rfgeny.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnscpicomsv32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_KYCK58
-------\LEGACY_NTIO256
-------\LEGACY_WINDBG48
-------\ntio256
-------\RpcApi
-------\windbg48


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-11 09:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 08:24 <DIR> d-------- C:\VundoFix Backups
2007-07-11 08:10 <DIR> d-------- C:\hjt
2007-07-11 08:05 66,112 --a------ C:\WINDOWS\system32\jsjevepy.exe
2007-07-10 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-10 10:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-10 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-10 09:23 <DIR> d-------- C:\backups
2007-07-10 08:01 165,376 --a------ C:\WINDOWS\system32\drivers\Kyck58.sys
2007-07-07 11:35 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-07 11:35 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-07 11:34 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-07 11:34 <DIR> d-------- C:\Program Files\Sygate
2007-07-07 11:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X9
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X5
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X4
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X3
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X2
2007-07-07 09:19 38,912 --a------ C:\WINDOWS\system32\msdun.dll
2007-07-07 09:19 31,430 --a------ C:\WINDOWS\system32\msdun.exe
2007-06-14 11:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

ComboFix Run #2

- 2007-07-11 10:09:28 - ComboFix 07-07-10.5 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-11 09:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 08:24 <DIR> d-------- C:\VundoFix Backups
2007-07-11 08:10 <DIR> d-------- C:\hjt
2007-07-11 08:05 66,112 --a------ C:\WINDOWS\system32\jsjevepy.exe
2007-07-10 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-10 10:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-10 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-10 09:23 <DIR> d-------- C:\backups
2007-07-07 11:35 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-07 11:35 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-07 11:35 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-07 11:34 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-07 11:34 <DIR> d-------- C:\Program Files\Sygate
2007-07-07 11:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X9
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X5
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X4
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X3
2007-07-07 09:24 <DIR> d-------- C:\WINDOWS\system32\X2
2007-07-07 09:19 38,912 --a------ C:\WINDOWS\system32\msdun.dll
2007-07-07 09:19 31,430 --a------ C:\WINDOWS\system32\msdun.exe
2007-06-14 11:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-10 15:25:44 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-19 15:53:08 -------- d-----w C:\Program Files\eMachineShop
2007-06-14 15:17:56 -------- d-----w C:\Program Files\QuickTime
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 02:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B7C598E-0DB8-4B64-B521-2F4872D5CAA5}]
2007-01-17 08:59 36864 --a------ C:\netstar\bho\NetStarBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22CCB1F6-B73A-4015-84D0-D764D2BBF2E0}]
C:\WINDOWS\system32\pmkhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28D999AC-8262-4978-0980-7CE9208D7192}]
C:\Program Files\MSN\lafuve638.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC70159D-487A-4D6A-8274-DEA2BC506284}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB40D31A-B1F8-47EA-BC54-D27DDB475978}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-31 09:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-07 10:43]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddsntdll]
ddsntdll.d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqonoo]
ssqonoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tehlink0]
tehlink0.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
"C:\PROGRA~1\SSTEM3~1\nslookup.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinUpdate"=2 (0x2)


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 10:11:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 10:11:40
C:\ComboFix-quarantined-files.txt ... 2007-07-11 10:11
C:\ComboFix2.txt ... 2007-07-11 09:09

--- E O F ---


I did what you said with renaming HJT; here is the log file after that was run:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:01 AM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\EWA net\database\TransBase EPC\tbkern32.exe
C:\Program Files\EWA net\database\TransBase EWA\tbkern32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\abc.bat.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NetStar BHO - {0B7C598E-0DB8-4B64-B521-2F4872D5CAA5} - C:\netstar\bho\NetStarBHO.dll
O2 - BHO: (no name) - {22CCB1F6-B73A-4015-84D0-D764D2BBF2E0} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: 0 - {28D999AC-8262-4978-0980-7CE9208D7192} - C:\Program Files\MSN\lafuve638.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {EC70159D-487A-4D6A-8274-DEA2BC506284} - (no file)
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://205.232.177.18/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D11A36-D587-4D53-BB74-3333D6A4CA7D}: NameServer = 198.6.1.122,198.6.1.142
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\
O20 - Winlogon Notify: ssqonoo - ssqonoo.dll (file missing)
O20 - Winlogon Notify: tehlink0 - tehlink0.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe

When I clicked on my link to Internet Explorer I got a message that said Internet Explorer is not my default browser. I just clicked the X to get rid of it. Also, my AVG found a trojan threat when I clicked on the Start button of Windows.

Thanks for the help.

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 11 July 2007 - 10:27 AM

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\jsjevepy.exe
C:\WINDOWS\system32\msdun.dll
C:\WINDOWS\system32\msdun.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-----------------------------------------

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {22CCB1F6-B73A-4015-84D0-D764D2BBF2E0} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: 0 - {28D999AC-8262-4978-0980-7CE9208D7192} - C:\Program Files\MSN\lafuve638.dll (file missing)
O2 - BHO: (no name) - {EC70159D-487A-4D6A-8274-DEA2BC506284} - (no file)
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\
O20 - Winlogon Notify: ssqonoo - ssqonoo.dll (file missing)
O20 - Winlogon Notify: tehlink0 - tehlink0.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

----------------------------------------

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\drivers\Kyck58.sys
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\drivers\Kyck58.sys
Then click on 'Send'.
Post the results into your next reply.

Also post a new HijackThis log please.
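The steps above move suspect files with OTMoveIt rather than deleting them, and ask for the driver to be checked at Jotti or VirusTotal. The script below is an added example, not part of the thread and not OTMoveIt's, VundoFix's or ComboFix's code; it shows the pattern behind those steps that a practitioner would want to keep: move the file into a quarantine folder under a non-executable name, record its original path, size and SHA-256 in a manifest so the move can be reversed (and so the hash can be looked up at an online scanner before uploading anything), and report a missing path instead of failing, as OTMoveIt did for jsjevepy.exe in the next post. The quarantine directory, the manifest format and the demo file names (msdun.dll, jsjevepy.exe) are this example's assumptions; the demo file content is harmless constructed bytes, not the real samples.

```python
r"""Quarantine with a manifest and a restore path (added example).

The removal tools in this thread keep what they remove (C:\VundoFix Backups,
C:\QOOBOX\QUARANTINE). This does the same with an explicit manifest: files
are moved, never deleted, and a missing path is reported, not an error.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path) -> str:
    """Streaming SHA-256: the value to look up at VirusTotal/Jotti by hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _load_manifest(qdir: Path) -> list:
    mp = qdir / "manifest.json"
    return json.loads(mp.read_text()) if mp.exists() else []


def _save_manifest(qdir: Path, entries: list) -> None:
    (qdir / "manifest.json").write_text(json.dumps(entries, indent=2))


def quarantine(paths, quarantine_dir) -> dict:
    """Move each path into quarantine_dir, recording origin, size and hash.
    Returns {"moved": [absolute original paths], "not_found": [paths]}."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    entries = _load_manifest(qdir)
    result = {"moved": [], "not_found": []}
    for raw in paths:
        src = Path(raw)
        if not src.exists():                      # OTMoveIt's "File/Folder ... not found"
            result["not_found"].append(str(src))
            continue
        original = os.path.abspath(src)
        digest = sha256_of(src) if src.is_file() else None   # directories are not hashed
        # Hash prefix so same-named files cannot collide; new extension so nothing
        # in the quarantine folder runs on a double-click.
        dest = qdir / f"{(digest or 'dir')[:16]}_{src.name}.quarantined"
        shutil.move(str(src), str(dest))
        entries.append({"original": original, "stored_as": str(dest), "sha256": digest,
                        "size": dest.stat().st_size if digest else None,
                        "moved_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
        result["moved"].append(original)
    _save_manifest(qdir, entries)
    return result


def restore(quarantine_dir, original: str) -> bool:
    """Put one item back where it came from; False if it is not in the manifest."""
    qdir = Path(quarantine_dir)
    entries = _load_manifest(qdir)
    for i, e in enumerate(entries):
        if e["original"] != original:
            continue
        if e["sha256"] and sha256_of(e["stored_as"]) != e["sha256"]:
            raise RuntimeError(f"quarantined copy of {original} was altered")
        Path(original).parent.mkdir(parents=True, exist_ok=True)
        shutil.move(e["stored_as"], original)
        del entries[i]
        _save_manifest(qdir, entries)
        return True
    return False


def demo() -> dict:
    """Round trip on constructed files in a temp dir; returns what happened."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    sample = root / "msdun.dll"
    payload = b"MZ" + bytes(range(256)) * 4     # constructed content, not real malware
    sample.write_bytes(payload)
    missing = root / "jsjevepy.exe"             # never created: the "not found" case
    qdir = root / "quarantine"
    moved = quarantine([sample, missing], qdir)
    entry = _load_manifest(qdir)[0]
    out = {"not_found": moved["not_found"], "moved": moved["moved"],
           "gone_from_original": not sample.exists(),
           "manifest_sha256": entry["sha256"],
           "expected_sha256": hashlib.sha256(payload).hexdigest(),
           "stored_copy_exists": Path(entry["stored_as"]).exists(),
           "restored": restore(qdir, os.path.abspath(sample)),
           "content_intact": sample.read_bytes() == payload,
           "restore_again": restore(qdir, os.path.abspath(sample))}
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two limits worth knowing before using this on a live machine: a DLL that is loaded into a running process, or a driver like the Kyck58.sys the post asks about, cannot be moved while it is in use, which is why OTMoveIt and ComboFix fall back to a reboot-time move; and the script must run with rights to the source directory, so on XP that means an administrator account. The SHA-256 in the manifest is the right thing to search for at VirusTotal first, since a hash lookup reveals nothing about the machine, whereas an upload ships the file itself.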

#5 BMWCRAIG
  • Topic Starter
  • Members
  • 5 posts

Posted 11 July 2007 - 01:53 PM

OK, I ran OTMoveIt; that worked fine, but there was one file it could not find. I included its log file.

I ran HJT and fixed the selected items as you said.
I ran SuperAntiSpyware and included the log.
Now when I went to Jotti and VirusTotal I could not find the specified file you told me to remove. I searched via Explorer and could not find the file.


OTMoveIt log

File/Folder C:\WINDOWS\system32\jsjevepy.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\msdun.dll
C:\WINDOWS\system32\msdun.dll NOT unregistered.
C:\WINDOWS\system32\msdun.dll moved successfully.
File/Folder C:\WINDOWS\system32\msdun.exe not found.
File/Folder not found.

Created on 07/11/2007 12:41:15

SuperAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/11/2007 at 01:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3267
Trace Rules Database Version: 1278

Scan type : Complete Scan
Total Scan Time : 00:22:43

Memory items scanned : 371
Memory threats detected : 0
Registry items scanned : 4140
Registry threats detected : 0
File items scanned : 29552
File threats detected : 61

Adware.Tracking Cookie
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@adrevolver[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@advertising[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@pch.122.2o7[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@zedo[3].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@html[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@drivecleaner[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@stats1.reliablestats[3].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@cpvfeed[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@doubleclick[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@entrepreneur[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@link.vericlick[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@ads.expedia[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@atwola[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@adultfriendfinder[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@2o7[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@ad.yieldmanager[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@advertising[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@atdmt[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@findwhat[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@pro-market[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@stats1.reliablestats[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@waterfrontmedia.112.2o7[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@winantivirus[2].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@www.entrepreneur[1].txt
C:\Documents and Settings\CRAIG BISHOP\Cookies\craig bishop@zedo[2].txt
C:\Documents and Settings\LocalService\Cookies\system@ads.k8l[1].txt

Trojan.ErrorSafe
C:\QOOBOX\QUARANTINE\C\WINDOWS\DOWNLO~1\UERS_9999_N91S1502NETINSTALLER.EXE.VIR
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UERS_9999_N91S1502NETINSTALLER.EXE
C:\WINDOWS\Prefetch\UERS_9999_N91S1502NETINSTALLE-20A0712C.pf

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\QOOBOX\QUARANTINE\C\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NETINSTALLER.EXE.VIR
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWA7P_0001_N91M0809NETINSTALLER.EXE

Trojan.Downloader-MSDCom32
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PLTLMOS.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RFGENY.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP80\A0005945.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP80\A0005946.DLL

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP75\A0005301.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005346.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005416.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP77\A0005485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP80\A0005944.EXE

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP75\A0005304.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005349.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005415.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP77\A0005491.EXE

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP75\A0005305.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP77\A0005475.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP77\A0005490.DLL

Trojan.Downloader-WebBuying/PopEngine
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP75\A0005316.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005385.DLL

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP75\A0005317.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP75\A0005318.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005357.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005358.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005386.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005395.EXE

Trojan.Downloader-Gen/Blah
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP76\A0005359.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A7A36554-6228-47C7-AFFA-154B66C2CC37}\RP80\A0005926.DLL
C:\VUNDOFIX BACKUPS\EFCYXWT.DLL.BAD

Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 2:52:47 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbkern32.exe
C:\Program Files\EWA net\database\TransBase EWA\tbkern32.exe
C:\Program Files\EWA net\database\TransBase EWA\tbkern32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\abc.bat.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NetStar BHO - {0B7C598E-0DB8-4B64-B521-2F4872D5CAA5} - C:\netstar\bho\NetStarBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SuperAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://205.232.177.18/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D11A36-D587-4D53-BB74-3333D6A4CA7D}: NameServer = 198.6.1.122,198.6.1.142
O20 - Winlogon Notify: !SASWinLogon - C:\SuperAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
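
The log above is read by eye in this thread, but the same O-line formats can be parsed mechanically. The script below is an added example, not code from the thread, from BleepingComputer or from HijackThis: it parses the O2/O4/O16/O17/O20/O23 entry formats shown in the log and raises review prompts (not verdicts) for an ActiveX download served from a bare IP address, DNS servers outside an operator-supplied allowlist, and executables living outside the usual install directories. The allowlist and the "expected directories" list are assumptions for the sake of the example; the sample lines are copied from the log posted above, and one of the flagged paths (C:\SuperAntiSpyware) is a tool the poster installed deliberately, which is exactly why the output is a prompt to check, not a diagnosis.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the thread or of HijackThis).  Flags are prompts for manual review only."""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in a common executable/module extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys))", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Where BHOs, autoruns, Winlogon notifiers and services usually live (assumption).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NetStar BHO - {0B7C598E-0DB8-4B64-B521-2F4872D5CAA5} - C:\netstar\bho\NetStarBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SuperAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://205.232.177.18/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D11A36-D587-4D53-BB74-3333D6A4CA7D}: NameServer = 198.6.1.122,198.6.1.142
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
"""


def parse_entry(line):
    """Return a dict for one 'Onn - ...' line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "body": body}
    if section == "O16":
        # O16 - DPF: {CLSID} (Name) - URL
        dm = re.match(r"DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)", body)
        if dm:
            entry.update(clsid=dm.group(1), name=dm.group(2), url=dm.group(3))
    elif section == "O17":
        # O17 - <registry key>: NameServer = ip[,ip...]
        nm = re.search(r"NameServer = ([\d.,]+)", body)
        if nm:
            entry["nameservers"] = nm.group(1).split(",")
    elif section == "O23":
        # O23 - Service: Display [(ShortName)] - Company - Path
        sm = re.match(r"Service: (.*?)(?: \((.*?)\))? - (.*?) - (.*)$", body)
        if sm:
            entry.update(display=sm.group(1), short=sm.group(2),
                         company=sm.group(3))
    elif section == "O4":
        # O4 - HKxx\..\Run: [Name] command line
        rm = re.match(r"(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$", body)
        if rm:
            entry.update(hive=rm.group(1), key=rm.group(2),
                         name=rm.group(3), command=rm.group(4))
    pm = PATH_RE.search(body)
    if pm:
        entry["path"] = pm.group(1)
    return entry


def triage(log_text, dns_allowlist=frozenset()):
    """Return a list of (section, reason, raw_line) review prompts."""
    flags = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        sec = e["section"]
        if sec == "O16" and "url" in e:
            host = urlparse(e["url"]).hostname or ""
            if IPV4_RE.match(host):
                flags.append((sec, "ActiveX download from bare IP host %s" % host, line))
        elif sec == "O17" and "nameservers" in e:
            for ns in e["nameservers"]:
                if ns not in dns_allowlist:
                    flags.append((sec, "NameServer %s not on allowlist" % ns, line))
        elif sec in ("O2", "O4", "O20", "O23") and "path" in e:
            if not e["path"].lower().startswith(EXPECTED_DIRS):
                flags.append((sec, "executable outside expected directories: %s"
                              % e["path"], line))
    return flags


if __name__ == "__main__":
    # Constructed allowlist: the two resolvers from the posted log.
    for sec, reason, raw in triage(SAMPLE_LOG, {"198.6.1.122", "198.6.1.142"}):
        print("%s  %s\n    %s" % (sec, reason, raw))
```

With an empty allowlist the sample yields five prompts (the NetStar BHO path, the SUPERAntiSpyware autorun, the IP-hosted DPF entry and both NameServer addresses); once the resolvers are approved only the three path/host prompts remain, which is the short list a helper would actually look at.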

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:16 PM

Posted 11 July 2007 - 02:11 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix.exe
OTMoveIt

C:\VundoFix Backups
C:\_OTMoveIt
C:\QOOBOX

----------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

----------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

----------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html