There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
acer blue screen boot computer connection cpu crash css dell display driver drivers email error ethernet excel firefox firefox 3 game hard drive hardware internet internet explorer itunes laptop lcd malware monitor network networking outlook outlook 2003 outlook express password printer problem problems router security slow software sound trojan usb video virus vista windows windows xp wireless
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Removing Vundo trojan Virus


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

Closed Thread
 
Thread Tools
reaver77's Avatar
Junior Member with 3 posts.
  
Join Date: Jul 2008
07-Jul-2008, 04:15 AM #1
Removing Vundo trojan Virus
Hey guys. Got myself, or the wife has herself I should say, the Vundo-4710 virus. I know the files and stuff but ant seem to get any Spyware or virus scanner to remove it.. Even tried the delete on next reboot progs with no luck. "Access Denied". And of course the symntec tools dont work either. At any rate here is my HJT log that I know you will ask for.

Thanks for the help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:26 AM, on 07/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\SPYWAR~2\SpywareTerminatorShield.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~2\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://download-games.pogo.com/onlin...g.1.0.0.33.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.airbrushcity.com/144ac_md.jpg
--
End of file - 9976 bytes


Thanks again.. and if anyone could throw in how to remove Norton Internet Security up here at the end that;d be great.. hehe stoopid HP's.. no unistall! ohh well..

Anyways Thanx
OldTimer's Avatar
Senior Member with 216 posts.
  
Join Date: Mar 2008
Experience: Einstein
09-Jul-2008, 03:51 PM #2
Hello reaver77 and welcome to TSG. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
reaver77's Avatar
Junior Member with 3 posts.
  
Join Date: Jul 2008
09-Jul-2008, 05:01 PM #3
Latest
Thanks OT. I have done those 2 things and attached the OTScan Log as well as a new HJT log and a Uninstall log (dont know if you want new ones.)

I find just to keep the browser up and stuff I am running adaware and spyware terminator regularly (like at least once usually more times a day)

I dont know if it's relavant or not but I have tried turning off system restore and not been allowed, as well as the fact that microsoft updates is disabled and not allowed to be turned back on.

anyways see what ya think..

thanks again
Reaver
Attached Files
File Type: txt OTScanIt.Txt (266.5 KB, 11 views)
File Type: log hijackthis.log (10.8 KB, 7 views)
File Type: txt uninstall_list.txt (2.8 KB, 10 views)
OldTimer's Avatar
Senior Member with 216 posts.
  
Join Date: Mar 2008
Experience: Einstein
09-Jul-2008, 10:51 PM #4
Hi reaver77. I don't need anything other than what I ask for. Things like HijackThis are not goign to show us anything useful at this point so it is not necessary to include any reports from it.

Now, let's see what we can do with this. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to delete:
%systemroot%\bm0bd1f6cf.xml
%systemroot%\pskt.ini
%systemroot%\system32\e144f97baa.sys
%systemroot%\system32\elmdsqfw.dll
%systemroot%\system32\feqxvwti.ini
%systemroot%\system32\gcnvfbbk.dll
%systemroot%\system32\gqjvjj.dll
%systemroot%\system32\knnlkiyr.dll
%systemroot%\system32\mtgprq.dll
%systemroot%\system32\oaxpcagg.ini
%systemroot%\system32\qcjdnnqf.dll
%systemroot%\system32\rufgyk.dll
%systemroot%\system32\rwgkknmj.ini
%systemroot%\system32\weksswhs.dll
%systemroot%\system32\weoracdd.ini
%systemroot%\system32\weoracdd.ini2
%systemroot%\system32\yoxzin.dll
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%systemroot%\system32\crp
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {68950839-2675-49E2-B6A5-442E0B0D1BA4} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\fccdBUlj.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> fccdBUlj -> 
YN -> RelevantKnowledge -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\\LowRiskFileTypes -> .adh
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {51f15150-a4ac-4e44-bb73-96554a47a35c} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\rufgyk.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {68950839-2675-49E2-B6A5-442E0B0D1BA4} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\fccdBUlj.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {9D0A6CC9-9FF3-47E9-90AB-B3DE5E5ACACF} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcArOEW.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe -> %ProgramFiles%\MSN Messenger\msncall.exe [C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EarthLink TotalAccess\TaskPanl.exe -> %ProgramFiles%\EarthLink TotalAccess\TaskPanl.exe [C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe -> %ProgramFiles%\MSN Messenger\msncall.exe [C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe -> %ProgramFiles%\IVT Corporation\BlueSoleil\BlueSoleil.exe [C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DISC\myFTP.exe -> %ProgramFiles%\DISC\myFTP.exe [C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe -> %CommonProgramFiles%\AOL\Loader\aolload.exe [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1203372409\ee\aolsoftware.exe -> %CommonProgramFiles%\AOL\1203372409\ee\aolsoftware.exe [C:\Program Files\Common Files\AOL\1203372409\ee\aolsoftware.exe:*:Enabled:AOL Services]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1203372409\ee\aim6.exe -> %CommonProgramFiles%\AOL\1203372409\ee\aim6.exe [C:\Program Files\Common Files\AOL\1203372409\ee\aim6.exe:*:Enabled:AIM]
[Files/Folders - Created Within 30 days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> E144F97BAA.sys -> %SystemRoot%\System32\E144F97BAA.sys
NY -> elmdsqfw.dll -> %SystemRoot%\System32\elmdsqfw.dll
NY -> feqxvwti.ini -> %SystemRoot%\System32\feqxvwti.ini
NY -> gcnvfbbk.dll -> %SystemRoot%\System32\gcnvfbbk.dll
NY -> gqjvjj.dll -> %SystemRoot%\System32\gqjvjj.dll
NY -> knnlkiyr.dll -> %SystemRoot%\System32\knnlkiyr.dll
NY -> mtgprq.dll -> %SystemRoot%\System32\mtgprq.dll
NY -> oaxpcagg.ini -> %SystemRoot%\System32\oaxpcagg.ini
NY -> qcjdnnqf.dll -> %SystemRoot%\System32\qcjdnnqf.dll
NY -> rufgyk.dll -> %SystemRoot%\System32\rufgyk.dll
NY -> rwgkknmj.ini -> %SystemRoot%\System32\rwgkknmj.ini
NY -> weksswhs.dll -> %SystemRoot%\System32\weksswhs.dll
NY -> WEOrAcdd.ini -> %SystemRoot%\System32\WEOrAcdd.ini
NY -> WEOrAcdd.ini2 -> %SystemRoot%\System32\WEOrAcdd.ini2
NY -> yoxzin.dll -> %SystemRoot%\System32\yoxzin.dll
NY -> BM0bd1f6cf.xml -> %SystemRoot%\BM0bd1f6cf.xml
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> pskt.ini -> %SystemRoot%\pskt.ini
[Files/Folders - Modified Within 30 days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> crp -> %SystemRoot%\System32\crp
NY -> E144F97BAA.sys -> %SystemRoot%\System32\E144F97BAA.sys
NY -> elmdsqfw.dll -> %SystemRoot%\System32\elmdsqfw.dll
NY -> feqxvwti.ini -> %SystemRoot%\System32\feqxvwti.ini
NY -> gcnvfbbk.dll -> %SystemRoot%\System32\gcnvfbbk.dll
NY -> gqjvjj.dll -> %SystemRoot%\System32\gqjvjj.dll
NY -> knnlkiyr.dll -> %SystemRoot%\System32\knnlkiyr.dll
NY -> mtgprq.dll -> %SystemRoot%\System32\mtgprq.dll
NY -> oaxpcagg.ini -> %SystemRoot%\System32\oaxpcagg.ini
NY -> qcjdnnqf.dll -> %SystemRoot%\System32\qcjdnnqf.dll
NY -> rufgyk.dll -> %SystemRoot%\System32\rufgyk.dll
NY -> rwgkknmj.ini -> %SystemRoot%\System32\rwgkknmj.ini
NY -> weksswhs.dll -> %SystemRoot%\System32\weksswhs.dll
NY -> WEOrAcdd.ini -> %SystemRoot%\System32\WEOrAcdd.ini
NY -> WEOrAcdd.ini2 -> %SystemRoot%\System32\WEOrAcdd.ini2
NY -> yoxzin.dll -> %SystemRoot%\System32\yoxzin.dll
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> BM0bd1f6cf.xml -> %SystemRoot%\BM0bd1f6cf.xml
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\Application Data\TEMP:260575F1
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\Application Data\TEMP:2615E8F1
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\Application Data\TEMP:5ADF4B3F
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\Application Data\TEMP:8C71D1E4
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\Application Data\TEMP:92174436
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\Application Data\TEMP:9AD927A6
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\Application Data\TEMP:A00BCDEF
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\Application Data\TEMP:A60E1551
NY -> @Alternate Data Stream - 133 bytes -> %AllUsersProfile%\Application Data\TEMP:BDFCD45E
NY -> @Alternate Data Stream - 164 bytes -> %AllUsersProfile%\Application Data\TEMP:DC6D129B
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\Application Data\TEMP:E8FAD03D
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\Application Data\TEMP:F7EBC06E
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
        Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.

Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)

Attach the following back here in your next reply:
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
reaver77's Avatar
Junior Member with 3 posts.
  
Join Date: Jul 2008
10-Jul-2008, 05:21 AM #5
Logs from the last batch of Fixes
Ot,
Here are the logs from your last batch of instructions.

Avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\bm0bd1f6cf.xml" deleted successfully.
File "C:\WINDOWS\pskt.ini" deleted successfully.
File "C:\WINDOWS\system32\e144f97baa.sys" deleted successfully.
File "C:\WINDOWS\system32\elmdsqfw.dll" deleted successfully.
File "C:\WINDOWS\system32\feqxvwti.ini" deleted successfully.
File "C:\WINDOWS\system32\gcnvfbbk.dll" deleted successfully.
File "C:\WINDOWS\system32\gqjvjj.dll" deleted successfully.
File "C:\WINDOWS\system32\knnlkiyr.dll" deleted successfully.
File "C:\WINDOWS\system32\mtgprq.dll" deleted successfully.
File "C:\WINDOWS\system32\oaxpcagg.ini" deleted successfully.
File "C:\WINDOWS\system32\qcjdnnqf.dll" deleted successfully.
File "C:\WINDOWS\system32\rufgyk.dll" deleted successfully.
File "C:\WINDOWS\system32\rwgkknmj.ini" deleted successfully.
File "C:\WINDOWS\system32\weksswhs.dll" deleted successfully.
File "C:\WINDOWS\system32\weoracdd.ini" deleted successfully.
File "C:\WINDOWS\system32\weoracdd.ini2" deleted successfully.
File "C:\WINDOWS\system32\yoxzin.dll" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\WINDOWS\system32\crp" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.


OTscan Log

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks\\{68950839-2675-49E2-B6A5-442E0B0D1BA4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68950839-2675-49E2-B6A5-442E0B0D1BA4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccdBUlj\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RelevantKnowledge\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associ ations\\LowRiskFileTypes deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{51f15150-a4ac-4e44-bb73-96554a47a35c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51f15150-a4ac-4e44-bb73-96554a47a35c}\ deleted successfully.
File C:\WINDOWS\system32\rufgyk.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{68950839-2675-49E2-B6A5-442E0B0D1BA4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68950839-2675-49E2-B6A5-442E0B0D1BA4}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{9D0A6CC9-9FF3-47E9-90AB-B3DE5E5ACACF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D0A6CC9-9FF3-47E9-90AB-B3DE5E5ACACF}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EarthLink TotalAccess\TaskPanl.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DISC\myFTP.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1203372409\ee\aolsoftware.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1203372409\ee\aim6.exe deleted successfully.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\E144F97BAA.sys not found!
File C:\WINDOWS\System32\elmdsqfw.dll not found!
File C:\WINDOWS\System32\feqxvwti.ini not found!
File C:\WINDOWS\System32\gcnvfbbk.dll not found!
File C:\WINDOWS\System32\gqjvjj.dll not found!
File C:\WINDOWS\System32\knnlkiyr.dll not found!
File C:\WINDOWS\System32\mtgprq.dll not found!
File C:\WINDOWS\System32\oaxpcagg.ini not found!
File C:\WINDOWS\System32\qcjdnnqf.dll not found!
File C:\WINDOWS\System32\rufgyk.dll not found!
File C:\WINDOWS\System32\rwgkknmj.ini not found!
File C:\WINDOWS\System32\weksswhs.dll not found!
File C:\WINDOWS\System32\WEOrAcdd.ini not found!
File C:\WINDOWS\System32\WEOrAcdd.ini2 not found!
File C:\WINDOWS\System32\yoxzin.dll not found!
File C:\WINDOWS\BM0bd1f6cf.xml not found!
C:\WINDOWS\msdownld.tmp folder deleted successfully.
File C:\WINDOWS\pskt.ini not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\crp not found!
File C:\WINDOWS\System32\E144F97BAA.sys not found!
File C:\WINDOWS\System32\elmdsqfw.dll not found!
File C:\WINDOWS\System32\feqxvwti.ini not found!
File C:\WINDOWS\System32\gcnvfbbk.dll not found!
File C:\WINDOWS\System32\gqjvjj.dll not found!
File C:\WINDOWS\System32\knnlkiyr.dll not found!
File C:\WINDOWS\System32\mtgprq.dll not found!
File C:\WINDOWS\System32\oaxpcagg.ini not found!
File C:\WINDOWS\System32\qcjdnnqf.dll not found!
File C:\WINDOWS\System32\rufgyk.dll not found!
File C:\WINDOWS\System32\rwgkknmj.ini not found!
File C:\WINDOWS\System32\weksswhs.dll not found!
File C:\WINDOWS\System32\WEOrAcdd.ini not found!
File C:\WINDOWS\System32\WEOrAcdd.ini2 not found!
File C:\WINDOWS\System32\yoxzin.dll not found!
File C:\WINDOWS\BM0bd1f6cf.xml not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:260575F1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2615E8F1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5ADF4B3F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8C71D1E4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:92174436 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9AD927A6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A00BCDEF deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A60E1551 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BDFCD45E deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMPC6D129B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E8FAD03D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:F7EBC06E deleted successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\~ROMFN_000002E8 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.1 fix logfile created on 07102008_001757
Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
File C:\WINDOWS\temp\~ROMFN_000002E8 not found!


F-Secure Online scanner log

Scanning Report
Thursday, July 10, 2008 00:26:01 - 02:04:32
Computer name: JUSTINTARA
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 5 malware found
AdWare.Win32.TrafficSol (spyware)
* System
P2P-Worm.Win32.VB.dw (virus)
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\73732B17.EXE (Submitted)
Tracking Cookie (spyware)
* System
W32/Downloader (virus)
* C:\PROGRAM FILES\SOUNDFLAVOR DJ\SOUNDFLAVORDJUPGRADE.EXE (Submitted)
W32/Malware (virus)
* C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE (Submitted)
Statistics
Scanned:
* Files: 75148
* System: 6908
* Not scanned: 10
Actions:
* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 5
* Submitted: 3
Files not scanned:
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\~ROMFN_00000984
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
* C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_149079548_15859712_27190
Options
Scanning engines:
* F-Secure USS: 2.30.0
* F-Secure Blacklight: 1.0.68
* F-Secure Hydra: 2.8.8110, 2008-07-10
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-07-10
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

And the OTScan log is attached as well.

The only problems I had, and they weren't really problems, were that the Avenger didnt seem to do 2 reboots (unless the first reload wasnt a full reload) and the speed of the net and comp seemed a bit slow, but these are rather resource instense operations or so it seems.

As far as concerns outside of the instructions I was following, Windows Automatic Updates still seems to NOT be able to be turned on. I am not sure as to wether this is a virus/malware problem or a hp/microsoft problem. I havent as yet tried to do the "clear the restore points" procedure again, I have tried it previously and I wasnt able to disable the system restore.

Btw I am operating windows XP, in case it doesnt say so in the logs. lol Just looked at the avenger and it does say on the 3 line.. hehe..

Thanks so far.
Reaver
Attached Files
File Type: txt OTScanIt.Txt (258.7 KB, 6 views)
OldTimer's Avatar
Senior Member with 216 posts.
  
Join Date: Mar 2008
Experience: Einstein
10-Jul-2008, 09:33 AM #6
Hi reaver77. As far as malware goes, everything looks fine. There are no signs of anything remaining.

Here's a couple things you can try as far as performance and remaining security issues:

1 - Uninstall Spyware Terminator. The Crawler toolbar portion of that program has been reported to have some serious performance implications. If you want ot use Spyware Terminator go ahead and reinstall it without installing the Crawler Toolbar portion (there should be an option to install or not install it during the installation).

2 - Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
Note: If there is an Update XX in the name then the "XX" in the version will be whatever the latest version is.
  • Download the latest version of Java Runtime Environment (JRE) 6.0 Update XX (if present).
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_6_0_XX-windowsi586-p.exe to install the newest version.

Other than that. everything looks good. Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT
Closed Thread

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who help people like you solve computer problems. See our Welcome Guide to get started.



Thread Tools


Related Sites: 56k Dial-Up | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 07:03 PM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.