
do I have vurdo virus?

Discussion in 'Virus & Other Malware Removal' started by synack23, Jan 24, 2007.

Thread Status:
Not open for further replies.
  1. synack23

    synack23 Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    4
    My system has AVG, which has found and quarantined the trojan.lop.as file about 50 times. I get a lot of annoying pop-ups that I can't remove. Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:32:03 AM, on 1/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\{C40F15AB-069D-1033-0130-020102280001}\Update.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Ship_nt\Bin\poc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Ship_nt\BIN\applogic.exe
    C:\Ship_nt\BIN\absdatasvc.exe
    C:\Ship_nt\Bin\ADMINSVC.EXE
    C:\Ship_nt\ASA\win32\DBsrv9.EXE
    C:\Ship_nt\BIN\rate.exe
    C:\Ship_nt\BIN\comm.exe
    C:\Ship_nt\BIN\reportlogic.exe
    C:\Ship_nt\BIN\LabelFormat.exe
    C:\Ship_nt\BIN\revservice.exe
    C:\INTEGR~1\FSI.exe
    C:\Integration\System\FSN.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fedex.com/us/automation/fsm/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fedex.com/us/automation/fsm/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [{C40F15AB-069D-1033-0130-020102280001}] "C:\Program Files\Common Files\{C40F15AB-069D-1033-0130-020102280001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [{C40F15AB-069E-1033-0130-020102280001}] "C:\Program Files\Common Files\{C40F15AB-069E-1033-0130-020102280001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\knbwcuhu.dll",setvm
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
    O4 - Startup: FedEx.lnk = C:\Ship_nt\Bin\poc.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)


    Any help would be great,

    Mike
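The log above is the kind of thing a helper reads by eye, looking for loaders with random names, autostarts with missing files and services with no vendor. The script below is an added example, not part of the thread and not code from HijackThis, VundoFix or AVG: it parses HijackThis v1.99 entries and ranks them with a handful of heuristics. The entries in SAMPLE_LOG are copied from the logs posted in this thread (including the O2/O3/O20 lines that only appear in the later logs); the heuristics, the threshold for the look-alike check and the list of system binaries it compares against are this example's own assumptions, and a flagged entry is something to inspect, not proof of infection.

```python
"""Triage a HijackThis v1.99 log for Vundo-style persistence.

Added example; not part of the original thread and not code from
HijackThis, VundoFix or AVG. The entries in SAMPLE_LOG are copied from the
logs posted in this thread; the heuristics are this example's own and only
rank entries for a human to inspect, they do not prove anything is malicious.
"""
import difflib
import re

# Entries copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{C40F15AB-069D-1033-0130-020102280001}] "C:\Program Files\Common Files\{C40F15AB-069D-1033-0130-020102280001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\knbwcuhu.dll",setvm
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
O2 - BHO: (no name) - {32FF170E-3360-42BF-9572-6E38157AB48A} - C:\WINDOWS\system32\tuvvv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)
"""

ENTRY = re.compile(r'^(R\d|F\d|O\d+) - (.*)$')          # "O4 - <body>"
RANDOM_DLL = re.compile(r'\\system32\\[a-z]{8}\.dll', re.I)   # e.g. knbwcuhu.dll
GUID_VALUE = re.compile(r'\[\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\]', re.I)
PROFILE_DIR = re.compile(r'\\Documents and Settings\\', re.I)
EXE_NAME = re.compile(r'([^\\\s"]+\.exe)', re.I)
# System binaries whose names malware likes to imitate (assumed list).
SYSTEM_EXES = ('svchost.exe', 'lsass.exe', 'csrss.exe', 'smss.exe',
               'winlogon.exe', 'services.exe', 'explorer.exe')


def lookalike(name):
    """Return the system binary that `name` imitates (svchosts.exe -> svchost.exe), else None."""
    name = name.lower()
    if name in SYSTEM_EXES:
        return None
    best = max(SYSTEM_EXES, key=lambda s: difflib.SequenceMatcher(None, name, s).ratio())
    return best if difflib.SequenceMatcher(None, name, best).ratio() >= 0.9 else None


def triage_entry(line):
    """Return the reasons one HijackThis entry deserves a look (empty list = nothing tripped)."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if '(file missing)' in body or '(no file)' in body:
        reasons.append('points at a file that is no longer on disk')
    if section in ('O2', 'O3') and '(no name)' in body:
        reasons.append('browser extension registered without a name')
    if section == 'O4' and 'rundll32' in body.lower() and RANDOM_DLL.search(body):
        reasons.append('rundll32 loading an eight-random-letter DLL from system32')
    if section == 'O4' and GUID_VALUE.search(body):
        reasons.append('Run value named with a bare GUID')
    if section in ('O4', 'O23') and PROFILE_DIR.search(body):
        reasons.append('autostart from inside a user profile')
    if section == 'O20':
        reasons.append('Winlogon Notify package: loaded into winlogon.exe before any user logs on')
    if section == 'O23' and 'Unknown owner' in body:
        reasons.append('service binary carries no vendor information')
    for exe in EXE_NAME.findall(body):
        target = lookalike(exe)
        if target:
            reasons.append(f'{exe} is a look-alike of the system binary {target}')
    return reasons


def triage_log(text):
    """Return [(entry, reasons)] for every entry in the log that trips at least one heuristic."""
    out = []
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


if __name__ == '__main__':
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print('   ->', r)
```

Run against the sample, the two AVG entries, the Nero BgMonitor entry and the Java BHO come back clean, while the rundll32 loader, the GUID-named Update.exe value, the FTP server started from a Downloads folder, the nameless BHO and toolbar, the Winlogon Notify package and the two "Unknown owner" services are flagged with the reason each tripped. Note that the "(file missing)" entries in this thread are not harmless leftovers: the ComboFix listing shows `tuvvv.dll` beside `vvvut.bak1` and `vvvut.bak2`, and HijackThis only reported the BHO after VundoFix had run, so a missing-file entry can mean the loader is hiding itself rather than that it is gone.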
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  3. synack23

    synack23 Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    4
    "CafeUser" - 07-01-25 9:08:52 Service Pack 2
    ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


    2007-01-24 16:00 88,340 --a------ C:\WINDOWS\system32\ebvuquvg.exe
    2007-01-24 16:00 <DIR> d-------- C:\Temp
    2007-01-24 15:55 <DIR> d-------- C:\WINDOWS\erdnt
    2007-01-24 12:18 972,594 ---hs---- C:\WINDOWS\system32\vvvut.bak2
    2007-01-24 09:30 <DIR> d-------- C:\Program Files\HijackThis
    2007-01-23 12:18 957,983 ---hs---- C:\WINDOWS\system32\vvvut.bak1
    2007-01-23 12:18 88,340 --a------ C:\WINDOWS\system32\gdclcjth.exe
    2007-01-23 12:18 118,804 --a------ C:\WINDOWS\system32\knbwcuhu.dll
    2007-01-23 12:17 277,192 ---h----- C:\WINDOWS\system32\tuvvv.dll
    2007-01-19 16:05 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2007-01-19 16:05 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-01-19 16:05 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-01-19 16:05 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2007-01-19 16:05 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-01-19 16:05 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2007-01-12 12:38 22,541 --------- C:\WINDOWS\system32\ljjijhh.dll
    2007-01-12 11:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Ahead
    2007-01-12 10:55 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-01-11 12:14 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
    2007-01-09 15:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
    2007-01-02 16:05 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2007-01-02 10:38 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL
    2007-01-02 10:38 26,384 --a------ C:\WINDOWS\system32\FM20ENU.DLL
    2007-01-02 10:38 15,872 --a------ C:\WINDOWS\system32\SCP32.DLL
    2007-01-02 10:38 1,129,232 --a------ C:\WINDOWS\system32\FM20.DLL
    2006-12-28 10:13 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-25 04:03 101 --a------ C:\WINDOWS\system32\tmp.bat
    2007-01-24 09:14 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\avg7
    2007-01-13 04:26 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-09 15:13 -------- d-------- C:\Program Files\Common Files\adobe
    2007-01-09 15:08 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\adobeum
    2007-01-02 11:07 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
    2007-01-02 10:38 -------- d-------- C:\Program Files\Common Files\installshield
    2006-12-20 08:48 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\utorrent
    2006-12-15 16:36 -------- d-------- C:\Program Files\microsoft frontpage
    2006-12-15 09:56 -------- d-------- C:\Program Files\download plugin
    2006-12-15 09:50 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\mozilla
    2006-12-15 09:10 177 --a------ C:\DelUS.bat
    2006-12-14 13:16 13860 --a------ C:\WINDOWS\system32\drivers\ndis3pkt.sys
    2006-12-14 12:39 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\geovid
    2006-12-14 09:00 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\smartftp
    2006-11-27 13:37 5 --a------ C:\WINDOWS\system32\wrnreg5.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "GoldenFTPserver"="C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\Golden FTP Server\\gftp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\knbwcuhu.dll\",setvm"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvv
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingho32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


    Completion time: 07-01-25 9:11:51
    C:\ComboFix2.txt ... 07-01-24 15:59
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     
  5. synack23

    synack23 Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    4
    hijackthis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:14:19 PM, on 1/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Ship_nt\Bin\poc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Ship_nt\BIN\applogic.exe
    C:\Ship_nt\BIN\absdatasvc.exe
    C:\Ship_nt\Bin\ADMINSVC.EXE
    C:\Ship_nt\ASA\win32\DBsrv9.EXE
    C:\Ship_nt\BIN\rate.exe
    C:\Ship_nt\BIN\comm.exe
    C:\Ship_nt\BIN\reportlogic.exe
    C:\Ship_nt\BIN\LabelFormat.exe
    C:\Ship_nt\BIN\revservice.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\INTEGR~1\FSI.exe
    C:\Integration\System\FSN.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Desktop\fix\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fedex.com/us/automation/fsm/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {32FF170E-3360-42BF-9572-6E38157AB48A} - C:\WINDOWS\system32\tuvvv.dll (file missing)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
    O4 - Startup: FedEx.lnk = C:\Ship_nt\Bin\poc.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)

    vundofix log file:

    VundoFix V2.15 by Atri
    --------------------------------------------------------------------------------------

    Listing files contained in the vundofix folder.
    --------------------------------------------------------------------------------------

    killvundo.bat
    process.exe
    ReadMe.txt
    vundo.reg
    vundofix.txt

    --------------------------------------------------------------------------------------

    Filepaths entered
    --------------------------------------------------------------------------------------

    The filepath entered was

    The second filepath entered was

    --------------------------------------------------------------------------------------

    Log from Process
    --------------------------------------------------------------------------------------


    Killing PID 644 'smss.exe'

    Killing PID 3012 'explorer.exe'
    Killing PID 3012 'explorer.exe'


    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    Killing PID 716 'winlogon.exe'
    --------------------------------------------------------------------------------------


    Fixing Registry
    --------------------------------------------------------------------------------------

    hopefully this puppy is dead!!!
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I hope so too! :D

    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {32FF170E-3360-42BF-9572-6E38157AB48A} - C:\WINDOWS\system32\tuvvv.dll (file missing)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
    O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)

    Close all applications and browser windows before you click "fix checked".

    Restart and post a new hijackthis log please.
     
  7. synack23

    synack23 Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    4
    here is the new log fix:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:11:09 AM, on 1/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Ship_nt\Bin\poc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Ship_nt\BIN\applogic.exe
    C:\Ship_nt\BIN\absdatasvc.exe
    C:\Ship_nt\Bin\ADMINSVC.EXE
    C:\Ship_nt\ASA\win32\DBsrv9.EXE
    C:\Ship_nt\BIN\rate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Ship_nt\BIN\comm.exe
    C:\Ship_nt\BIN\reportlogic.exe
    C:\Ship_nt\BIN\LabelFormat.exe
    C:\Ship_nt\BIN\revservice.exe
    C:\INTEGR~1\FSI.exe
    C:\Integration\System\FSN.exe
    C:\SHIP_NT\Lds\FxConWnd.exe
    C:\Documents and Settings\Administrator\Desktop\fix\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fedex.com/us/automation/fsm/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: FedEx.lnk = C:\Ship_nt\Bin\poc.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
    O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)

    Close all applications and browser windows before you click "fix checked".


    Click Here and download Killbox and save it to your desktop.



    Double-click on Killbox.exe to run it.
    Put a tick by Delete on Reboot.
    Copy the following list of files to clipboard, CTRL+C to copy

    C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
    C:\WINDOWS\system32\wingho32.dll


    Now in Killbox go to File, Paste from clipboard.
    Click the All Files button.
    Click on the button that has the red circle with the X in the middle.
    It will ask for confirmation to delete the file.
    Click Yes.
    It will ask if you want to reboot now,
    Click Yes.

    Note: It is possible that Killbox will tell you that the file does not exist.

    If your computer does not restart automatically then please restart it manually.
    If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


    After the reboot post your hijackthis log again and let me know if you still have problems.
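"Delete on Reboot" works by asking Windows to remove a file that is locked while the system is running: the request is queued in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which the Session Manager processes early in the next boot, and the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message mentioned above refers to that value disappearing before the reboot. The script below is an added example, not part of the thread and not Killbox's own code; that Killbox uses this standard mechanism is this example's assumption. It builds the value for the two paths in the post, encodes and decodes it the way the registry stores it, and lists the operations a value contains, so you can see what is queued before you reboot. Nothing in it touches a live registry.

```python
"""Build and read PendingFileRenameOperations, the value behind "delete on reboot".

Added example; not part of the original thread and not Killbox's code. The
value is a REG_MULTI_SZ of (source, destination) pairs. Sources are written in
NT form (\??\C:\...); an empty destination means "delete"; a destination that
starts with '!' means "replace the existing file". This is the on-disk form of
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT); it is assumed here that Killbox's
"Delete on Reboot" uses it. Nothing here touches a live registry.
"""

REG_KEY = r'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'
VALUE_NAME = 'PendingFileRenameOperations'
NT_PREFIX = '\\??\\'

# The two files from the post (not constructed).
POSTED_PATHS = [
    r'C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe',
    r'C:\WINDOWS\system32\wingho32.dll',
]


def schedule_delete(paths):
    """Multi-sz entries that delete each path at next boot: NT-form source, then an empty destination."""
    entries = []
    for p in paths:
        entries.append(NT_PREFIX + p)
        entries.append('')
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: every string NUL-terminated, then one more NUL, all UTF-16LE."""
    return (''.join(s + '\0' for s in strings) + '\0').encode('utf-16-le')


def decode_multi_sz(data):
    """Inverse of encode_multi_sz for a well-formed value (keeps the empty strings that mark deletes)."""
    text = data.decode('utf-16-le')
    if text.endswith('\0\0'):
        text = text[:-2]          # final string terminator + list terminator
    return text.split('\0')


def pending_operations(strings):
    """Pair the entries into (source, destination, op); op is 'delete', 'rename' or 'replace'."""
    ops = []
    # A dangling source without a destination (odd length) is dropped by zip().
    for src, dst in zip(strings[0::2], strings[1::2]):
        if src.startswith(NT_PREFIX):
            src = src[len(NT_PREFIX):]
        if dst == '':
            ops.append((src, None, 'delete'))
            continue
        op = 'replace' if dst.startswith('!') else 'rename'
        dst = dst.lstrip('!')
        if dst.startswith(NT_PREFIX):
            dst = dst[len(NT_PREFIX):]
        ops.append((src, dst, op))
    return ops


if __name__ == '__main__':
    raw = encode_multi_sz(schedule_delete(POSTED_PATHS))
    print(f'{VALUE_NAME} would be {len(raw)} bytes under {REG_KEY}')
    for src, dst, op in pending_operations(decode_multi_sz(raw)):
        print(f'{op:8} {src}' + (f' -> {dst}' if dst else ''))
```

Before rebooting you can confirm the queue is still there with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`; if it has been cleared, something else on the box is interfering with the cleanup, which is exactly the situation the error message in the post describes. The same value is worth reading in forensics for the opposite reason: it is also a convenient place for malware to queue its own renames.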
     