Solved: Trojan Horse Downloader

Nightwalker · 20-Apr-2008, 04:12 PM #1

Im trying to fix my moms computer, she accidentally downloaded a trojan horse downloader. I can remove it with avg free but it comes back with every new scan. Any ideas or links to free downloadable anti-virus programs?

lunarlander · 01:28 PM

I would post a HijackThis log for a log specialist to take a look. HijackThis is available here:

http://www.trendsecure.com/portal/en...ols/hijackthis

Edit: Fixed the link you posted> http://www.trendsecure.com/portal/en-US/

Use "Do a system scan and save a log file", and notepad will open with a log of what it finds, copy and paste the contents here. Don't ask it to fix anything.

Nightwalker · 24-Apr-2008, 11:24 AM #3

You link is giving me Internet Explorer cannot display the webpage. Like Im offline, or the site is having problems. Could you check the link to be sure?

**Byteman** · 01:41 PM

Try this

go to Click here to download HJTsetup.exe

On that page, click the at lower right , and follow the prompts to get the installer version
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Paste the log in your next reply.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

_ _ _ _
Please also do this:

Open Hijack This and click on the "Open the Misc Tools section" button.
Click on the "Open Uninstall Manager" button.
Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
Copy and paste that list here in your reply

Nightwalker · 24-Apr-2008, 01:59 PM #5

Heres the log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:37 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {57F9E23F-A439-4679-AB81-BA292405EE25} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7FFBF68E-8474-4BE1-B2C7-92B37A2D51E7} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {8BC8DCA6-6833-4C56-9BA8-6D7E7DB0B899} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B3740027-0036-49BF-98E7-04F4F903D67B} - C:\WINDOWS\system32\vtuvutu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D4DF4-4BE4-4F89-8758-0EF44638976C}: NameServer = 209.128.1.4 142.163.255.4
O20 - Winlogon Notify: vtuvutu - vtuvutu.dll (file missing)
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - C:\WINDOWS\system32\bubbj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9363 bytes

Nightwalker · 24-Apr-2008, 02:02 PM #6

Uninstall List...
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Shockwave Player
AVG 7.5
AVG Anti-Spyware 7.5
ContextEnhancer
DVD Shrink 3.2
DVD Suite
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Java(TM) 6 Update 3
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 6.0 Parser (KB933579)
Nero 7 Essentials
Net Assistant
NOD32 antivirus system
PowerDVD
PowerProducer
Prism Video Converter
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Smart Menus (Windows Live Toolbar)
UBNet
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast-Ethernet Adapter
VIA/S3G Display Driver
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Safety Alert
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WordPerfect Productivity Pack

**Byteman** · 10:41 PM

Hi, Make sure you change the settings as below, so you can see hidden, system and all files:

Quote:

Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

I'd like you to open Windows Explorer, and browse to this location> C:\Program Files\Trend Micro\HijackThis\HijackThis.exe and right click hijackthis.exe and select rename.....name the file something else, like bulldog.exe...anything.exe....it will run the same and produce the same log, but it might show us more of the infection, if any is left.

The Java plugin you are using is outdated....see below to update it to the latest version. You have a trojan (Vundo) that exploits older versions of the Java software....need to patch it or you will get reinfected quickly.

However, it's probably hard to use the Net for you right now, so let's try clearing up some of the trojan, then get the new java installed etc OK? Get this program installed and updated and scan with it exactly as the directions show you:

Download SUPERAntiSpyware Free for Home Users
alternate site
Double-click SUPERAntiSpyware.exe to install and use the default settings for installation.
Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.

Run SUPERAntiSpyware and update the definitions before scanning by selecting "Check for Udates".

When done, select "Scan for Harmful Software".

There are three scanning options available. Choose "Perform Complete Scan" and click "Next".

When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".

Place a checkmark next to items you wish to remove/quarantine and Click "Next".

A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.

If asked to Reboot, please do.

After Reboot, double-click on SuperAnti-Spyware icon on your Desktop.

Click Preferences, Click the Statistics/Logs Tab.

Under Scanner logs, Double-click SuperAnti-Spyware Scan Log.

It will open in your default text editor (such as Notepad or WordPad).

Please Highlight everything in the Notepad, then right-click and choose copy.

In your next reply, please post those results and include a fresh Hijackthis log using the renamed hijackthis.exe file, please..

Select close to exit the program.

Note: If you encounter any problems while downloading the updates, manually download and unzip them from here.

There is a Printable Version button up under the Thread Tools drop down menu that will let you print a nice text version of these instructions.
Alternate way to save directions:Open Notepad> Copy and Paste any text you wish into Notepad, and Save the file as something you will recognize like TSGhelp.txt and save it onto your desktop.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
*It's the Fifth download button on the right
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
After the file is downloaded , to install Java:
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
( The one to UNinstall is Java(TM) 6 Update 3)
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the new downloaded version.

Submit the two logs and I will check them.

The new hijack log should be made after you run SUPERantispyware and have installed the new Java

Nightwalker · 28-Apr-2008, 12:33 PM #8

I used this superantispyware program, and my moms computer works best kind now. Thanks for the help. Kudos to Byteman!

**Byteman** · 30-Apr-2008, 02:37 AM #9

Hi,

Did you complete the fixing I posted in my last reply?

I don't see any logs- they need to be reviewed, there is probably some other things we have to do for the malware, and there are definitely some final things we need to do as routine when malware is removed....could you post the logs asked for in my last reply?

I'd hate for you to get half-fixed and have to start all over again!

Nightwalker · 30-Apr-2008, 12:12 PM **#10**

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 05:13 PM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 01:09:05

Memory items scanned : 507
Memory threats detected : 0
Registry items scanned : 5720
Registry threats detected : 50
File items scanned : 79730
File threats detected : 77

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{57F9E23F-A439-4679-AB81-BA292405EE25}
HKCR\CLSID\{57F9E23F-A439-4679-AB81-BA292405EE25}
HKCR\CLSID\{57F9E23F-A439-4679-AB81-BA292405EE25}\InprocServer32
HKCR\CLSID\{57F9E23F-A439-4679-AB81-BA292405EE25}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBYW.DLL
HKLM\Software\Classes\CLSID\{B3740027-0036-49BF-98E7-04F4F903D67B}
HKCR\CLSID\{B3740027-0036-49BF-98E7-04F4F903D67B}
HKCR\CLSID\{B3740027-0036-49BF-98E7-04F4F903D67B}\InprocServer32
HKCR\CLSID\{B3740027-0036-49BF-98E7-04F4F903D67B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUVUTU.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9E23F-A439-4679-AB81-BA292405EE25}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FFBF68E-8474-4BE1-B2C7-92B37A2D51E7}
HKCR\CLSID\{7FFBF68E-8474-4BE1-B2C7-92B37A2D51E7}
HKCR\CLSID\{7FFBF68E-8474-4BE1-B2C7-92B37A2D51E7}\InprocServer32
HKCR\CLSID\{7FFBF68E-8474-4BE1-B2C7-92B37A2D51E7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQN.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B3740027-0036-49BF-98E7-04F4F903D67B}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{ B3740027-0036-49BF-98E7-04F4F903D67B}
HKCR\CLSID\{B3740027-0036-49BF-98E7-04F4F903D67B}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0B013E77-D889-406D-BC44-57183391B15C}\RP251\A0027667.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{8BC8DCA6-6833-4C56-9BA8-6D7E7DB0B899}
HKCR\CLSID\{8BC8DCA6-6833-4C56-9BA8-6D7E7DB0B899}
HKCR\CLSID\{8BC8DCA6-6833-4C56-9BA8-6D7E7DB0B899}\InprocServer32
HKCR\CLSID\{8BC8DCA6-6833-4C56-9BA8-6D7E7DB0B899}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTU.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BC8DCA6-6833-4C56-9BA8-6D7E7DB0B899}

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
C:\PROGRAM FILES\BARUNGO\BARUNGO BAR\TBHELPER.DLL

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{db763ed8-100a-481b-8913-50a2f41dcdc3}
HKCR\CLSID\{DB763ED8-100A-481B-8913-50A2F41DCDC3}
HKCR\CLSID\{DB763ED8-100A-481B-8913-50A2F41DCDC3}\InProcServer32
HKCR\CLSID\{DB763ED8-100A-481B-8913-50A2F41DCDC3}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\BUBBJ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler #{db763ed8-100a-481b-8913-50a2f41dcdc3}

Trojan.Smitfraud Variant/IE Anti-Spyware
HKLM\Software\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}

Adware.Tracking Cookie
C:\Documents and Settings\WinXP\Cookies\winxp@www8.addfreestats[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@www7.addfreestats[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@ads.monster[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@server.cpmstar[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@2o7[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@socialmedia[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@casalemedia[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@msnportal.112.2o7[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@media6degrees[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@insightexpressai[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@bs.serving-sys[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@e-2dj6wjk4smdzako.stats.esomniture[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@media.adrevolver[3].txt
C:\Documents and Settings\WinXP\Cookies\winxp@videoegg.adbureau[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@ads.pointroll[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@admin.valueclickmedia[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@advertising[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@ads.cnn[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@atdmt[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@aircanada-push.worldmedia[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@www.burstnet[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@zedo[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@gostats[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@ads.addynamix[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@burstnet[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@apmebf[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@soundclick[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@statse.webtrendslive[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@rocku.adbureau[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@adrevolver[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@adbrite[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@revsci[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@imrworldwide[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@adcentriconline[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@adopt.euroclick[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@ad.yieldmanager[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@statcounter[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@www3.addfreestats[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@bluestreak[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@fastclick[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@data.coremetrics[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@serving-sys[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@specificclick[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@focalex[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@mediaplex[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@questionmarket[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@ads.techguy[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@e-2dj6wflywjdjseo.stats.esomniture[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@media.adrevolver[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@doubleclick[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@cgm.adbureau[1].txt
C:\Documents and Settings\WinXP\Cookies\winxp@tribalfusion[2].txt
C:\Documents and Settings\WinXP\Cookies\winxp@prospect.adbureau[2].txt

Trojan.Media-Codec
C:\Documents and Settings\WinXP\Favorites\Online Security Test.url

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Malware.SpyLocked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

Trojan.Media-Codec/V4
HKCR\multimediaControls.chl
HKCR\multimediaControls.chl\CLSID

Rogue.AntiSpywareShield
C:\Program Files\AntiSpywareShield\AntiSpywareShield.lic
C:\Program Files\AntiSpywareShield\AntiSpywareShield1.ad
C:\Program Files\AntiSpywareShield
C:\Documents and Settings\WinXP\Start Menu\Programs\AntiSpywareShield\AntiSpywareShield.lnk
C:\Documents and Settings\WinXP\Start Menu\Programs\AntiSpywareShield\Uninstall.lnk
C:\Documents and Settings\WinXP\Start Menu\Programs\AntiSpywareShield
C:\Documents and Settings\WinXP\Desktop\AntiSpywareShield.lnk

Malware.LocusSoftware Inc/PCPrivacyTool
HKLM\Software\Purchased Products
HKLM\Software\Purchased Products\System Error Repair
HKLM\Software\Purchased Products\System Error Repair#domain
HKLM\Software\Purchased Products\System Error Repair#pname
HKLM\Software\Purchased Products\System Error Repair#cname

Malware.LocusSoftware Inc/SystemErrorFixer
C:\Program Files\Common Files\SystemErrorFixer

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0B013E77-D889-406D-BC44-57183391B15C}\RP251\A0027668.DLL

Rogue.VirusHeat
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0B013E77-D889-406D-BC44-57183391B15C}\RP264\A0030111.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0B013E77-D889-406D-BC44-57183391B15C}\RP266\A0031200.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0B013E77-D889-406D-BC44-57183391B15C}\RP266\A0031207.ICO

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\NQSTV.INI
C:\WINDOWS\SYSTEM32\UTVWA.INI
C:\WINDOWS\SYSTEM32\UTVWA.INI2
C:\WINDOWS\SYSTEM32\WYBEG.INI

Nightwalker · 30-Apr-2008, 12:13 PM **#11**

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:28 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D4DF4-4BE4-4F89-8758-0EF44638976C}: NameServer = 209.128.1.4 142.163.255.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuvutu - vtuvutu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8724 bytes

Nightwalker · 30-Apr-2008, 12:14 PM **#12**

Thats all that you need, right?

Can you talk me through the update for java? There is two different java downloads.

**Byteman** · 01:36 PM

Hi,

The newer Java Update is what you need to prevent the Trojan Vundo from getting in....Vundo exploits older Java software.

Java> The download you need is the 5th blue looking "download" button link on the right hand side in the list
when you load the page from my link where the directions are in my older reply

The name that corresponds to that download is this:

Java Runtime Environment (JRE) 6 Update 6 Clicking the download button, takes you to a new page....there, you need to select "Windows" in the drop down box, and then put a check into the box to Accept the License etc....then, when you click to download, another page opens and you see 2 downloads....

Download the Offline installer version 15 Megabytes or so.....
_ _ _ _ _ _

Next: Noticed that you did not re-name Hijackthis.exe file as was posted in a reply from me....probably no need to now

Run Hijackthis again.....find the items I have below that are present in your Scan, and put a check next to it. You MUST CLOSE all programs, and other Internet windows, even THIS window....before you click "Fix checked" to remove that item....

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

O20 - Winlogon Notify: vtuvutu - vtuvutu.dll (file missing)

When you have fixed those items, I would really like to see a brand new Hijackthis log.

***Note> AVG Free Edition version 7.5 is expired and has been replaced with version 8

*I see you are using Windows Defender, plus NOD32

I think AVG version 8 free edition still should be able to work with that setup. Here is a link to it:

http://free.grisoft.com/ww.download-...s-free-edition

From that page above, you will see "Continue to AVG Free Editon download".....at the bottom of the comparison chart.....click that link to get to the download for the Free Edition. It's 45 Megabytes but well worth it in my opinion.

Next: Please do NOT skip this! I would like to see the results of at least one online antimalware scan....no programs find or can remove all malware, and the amount you had, suggest that you need to do one of these scans.

HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Or this one: Kaspersky online full scan

Please go HERE and click Free Online Scanner
Read and Accept the Agreement
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Copy and Paste the contents of the on line scanner results into a Reply here in your thread, along with a new HJT log and log from any other scans you run.

Tag Cloud
access acer asus bios bsod computer crash dns drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet java laptop malware memory monitor motherboard network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!