There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
access audio avg avg 8 bios blue screen boot browser bsod computer crash css dell desktop driver drivers dvd email error excel explorer firefox firefox 3 freeze gimp graphics hard drive hardware help please hijackthis hjt install internet internet explorer itunes javascript keyboard laptop log malware monitor network networking openoffice outlook outlook 2003 outlook express password php popups problem router seo slow sound sp3 spyware startup trojan usb video virtumonde virus vista vundo windows windows xp winxp wireless youtube
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
System Integrity Scan Wizard problems


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

 
Thread Tools
picomang's Avatar
Computer Specs
Junior Member with 4 posts.
  
Join Date: May 2008
Experience: Intermediate
04-May-2008, 07:20 PM #1
System Integrity Scan Wizard problems
Hi, I'm hoping to find some assistance of ridding my PC of this malware which tells me I have spyware/adware and opens pop-ups to register for anti-virus software etc.

I've read other threads on this topic and removal but I can't even run and save a HijackThis logfile because i get a program error:
"HijackThis.exe has generated errors and will be closed by Windows. You will need to restar the program.
An error log is being created"

Any and all assistance is greatly appreciated.
Thanks
Phil
cybertech's Avatar
Computer Specs
Moderator with 56,519 posts.
  
Join Date: Apr 2002
Location: Washington State
05-May-2008, 02:36 PM #2
Hi, Welcome to TSG!!


Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
picomang's Avatar
Computer Specs
Junior Member with 4 posts.
  
Join Date: May 2008
Experience: Intermediate
05-May-2008, 08:13 PM #3
I saved the executable to my desktop.
I hit 'Scan and Save logfile' but before it opens in notepad I get the following message everytime:

Program error:
"HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program.
An error log is being created"

What do I do?
picomang's Avatar
Computer Specs
Junior Member with 4 posts.
  
Join Date: May 2008
Experience: Intermediate
05-May-2008, 08:15 PM #4
Wait, it finally saved something to my desktop:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:09 PM, on 5/5/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\fghcbwbs.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\YAHOO!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [155315ac] rundll32.exe "C:\WINNT\system32\yixdexrh.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [uhooablc] C:\WINNT\system32\fghcbwbs.exe
O4 - HKCU\..\Run: [e©ùýùÇûïÎóÎØøøËøôÍÊýøñûëÞó] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZRxdm069YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...ad/tgctlcm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5l.incredimail.com/content...u/imloader.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Unknown owner - C:\WINNT\System32\mgabg.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6206 bytes
cybertech's Avatar
Computer Specs
Moderator with 56,519 posts.
  
Join Date: Apr 2002
Location: Washington State
06-May-2008, 01:52 PM #5
Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [155315ac] rundll32.exe "C:\WINNT\system32\yixdexrh.dll",b
O4 - HKCU\..\Run: [uhooablc] C:\WINNT\system32\fghcbwbs.exe
O4 - HKCU\..\Run: [e©ùýùÇûïÎóÎØøøËøôÍÊýøñûëÞó] C:\Program Files\XP Antivirus\xpa.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Close all applications and browser windows before you click "fix checked".



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\XP Antivirus
C:\WINNT\system32\fghcbwbs.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy the entire report and paste it in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
picomang's Avatar
Computer Specs
Junior Member with 4 posts.
  
Join Date: May 2008
Experience: Intermediate
06-May-2008, 09:43 PM #6
I couldn't delete these 2 files:
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

I kept getting Program error:
"HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created"

Heres the OTMoveIt log:

File/Folder C:\Program Files\XP Antivirus not found.
C:\WINNT\system32\fghcbwbs.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_211958

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.12
Database version: 726

Scan type: Quick Scan
Objects scanned: 31564
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 45
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 113

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\yixdexrh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\wslpdjyo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\wjewtorf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\ddcYpqrP.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\mlJCVlLC.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{db9bdf33-34c1-4a00-b3c0-d4c9e1935a60} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{db9bdf33-34c1-4a00-b3c0-d4c9e1935a60} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browse r Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browse r Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7c054d23-ff37-467e-8f0f-a82d43c203d2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a00281d9-67be-4881-bb34-2fb7196d4db5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{15fabe1b-ee9a-4652-aaa3-fdcf6635ff79} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d422996-4f55-407c-828e-059d2c312f5e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6d1e583a-d2aa-4aca-ace8-451f73c609f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{efa665c4-6d72-4b8b-8286-045e879fcae8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{efa665c4-6d72-4b8b-8286-045e879fcae8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3f37eca-a8d9-4633-92c6-fe24c7d16aba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{c3f37eca-a8d9-4633-92c6-fe24c7d16aba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljcvllc (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslag ent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\spinstall (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shared TaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks\{c3f37eca-a8d9-4633-92c6-fe24c7d16aba} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\ddcypqrp -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\ddcypqrp -> Delete on reboot.

Folders Infected:
C:\WINNT\mslagent (Adware.EGDAccess) -> Delete on reboot.
C:\WINNT\system32smp (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\NewCfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktopvirii (Fake.Dropped.Malware) -> Delete on reboot.

Files Infected:
C:\WINNT\system32\yixdexrh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\hrxedxiy.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\wslpdjyo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\oyjdplsw.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\wjewtorf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\frotwejw.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\ddcYpqrP.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\PrqpYcdd.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\PrqpYcdd.ini2 (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\mlJCVlLC.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4HM3OLIV\kriv[1] (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Delete on reboot.
C:\WINNT\mslagent\mslagent.exe (Adware.EGDAccess) -> Delete on reboot.
C:\WINNT\mslagent\uninstall.exe (Adware.EGDAccess) -> Delete on reboot.
C:\WINNT\system32smp\msrc.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\bfgtoolbartb0500.cfg (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\logo.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\search.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\mygames.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\newgames.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\topten.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\webgames.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\1.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\20off.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\2.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\3.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\4.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\5.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\6.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\7.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\8.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\9.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\10.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\new.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\atlantis.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\puzzle.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\action.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\word.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\mahjong.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\card.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\bfg_greetings.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\mygamestoolbar.bmp (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\bfgtoolbarDLL.zip (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\COMBOSEARCH.acs (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\bfgtoolbar\ErrorLog.txt (Adware.OneToolBar) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\a.bat (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\base64.tmp (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\FVProtect.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32akttzn.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32anticipator.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32awtoolb.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32bdn.com (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32bsva-egihsg52.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32dpcproxy.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32emesx.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32h@tkeysh@@k.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32hoproxy.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32hxiwlgpm.dat (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32hxiwlgpm.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32medup012.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32medup020.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32msgp.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32msnbho.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32mssecu.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32msvchost.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32mtr2.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32mwin32.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32netode.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32newsd32.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32ps1.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32psof1.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32psoft1.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32regc64.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32regm64.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32Rundl1.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32sncntr.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32ssurf022.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32ssvchost.com (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32ssvchost.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32sysreq.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32taack.dat (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32taack.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32temp#01.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32thun.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32thun32.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32VBIEWER.OCX (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32vbsys2.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32vcatchpi.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32winlogonpc.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32winsystem.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\System32WINWGPX.EXE (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\userconfig9x.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\winsystem.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\zip1.tmp (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\zip2.tmp (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\zip3.tmp (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\zipped.tmp (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\bdn.com (Trojan.Agent) -> Delete on reboot.
C:\WINNT\mssecu.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\DesktopEditorFKWP1.5.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\DesktopEditorFKWP2.0.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopfkwp1.5.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopfkwp2.0.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktopfwebd.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\DesktopTrojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Delete on reboot.


Thanks so much.
Phil
cybertech's Avatar
Computer Specs
Moderator with 56,519 posts.
  
Join Date: Apr 2002
Location: Washington State
07-May-2008, 01:40 PM #7
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Select Files to Delete choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.


Please perform a scan with Kaspersky Webscan Online Virus Scanner
  • Read the Requirements and Privacy statement, then select "Accept".
  • A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
  • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
  • When the download is complete it will say ready, click "Next".
  • Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
  • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
  • Click "OK".
  • Under "Select a target to scan", click on "My Computer".
  • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Reply

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are Off
Refbacks are Off

Related Sites: Support.com | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 06:13 PM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.