Do I have the Vundo virus?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

synack23

Thread Starter
Joined
Jan 24, 2007
Messages
4
My system has AVG, which has found and quarantined the trojan.lop.as file about 50 times. I get a lot of annoying pop-ups that I can't remove. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:03 AM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{C40F15AB-069D-1033-0130-020102280001}\Update.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Ship_nt\Bin\poc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Ship_nt\BIN\applogic.exe
C:\Ship_nt\BIN\absdatasvc.exe
C:\Ship_nt\Bin\ADMINSVC.EXE
C:\Ship_nt\ASA\win32\DBsrv9.EXE
C:\Ship_nt\BIN\rate.exe
C:\Ship_nt\BIN\comm.exe
C:\Ship_nt\BIN\reportlogic.exe
C:\Ship_nt\BIN\LabelFormat.exe
C:\Ship_nt\BIN\revservice.exe
C:\INTEGR~1\FSI.exe
C:\Integration\System\FSN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fedex.com/us/automation/fsm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fedex.com/us/automation/fsm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{C40F15AB-069D-1033-0130-020102280001}] "C:\Program Files\Common Files\{C40F15AB-069D-1033-0130-020102280001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{C40F15AB-069E-1033-0130-020102280001}] "C:\Program Files\Common Files\{C40F15AB-069E-1033-0130-020102280001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\knbwcuhu.dll",setvm
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
O4 - Startup: FedEx.lnk = C:\Ship_nt\Bin\poc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)


Any help would be great,

Mike
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115

synack23

Thread Starter
Joined
Jan 24, 2007
Messages
4
"CafeUser" - 07-01-25 9:08:52 Service Pack 2
ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


2007-01-24 16:00 88,340 --a------ C:\WINDOWS\system32\ebvuquvg.exe
2007-01-24 16:00 <DIR> d-------- C:\Temp
2007-01-24 15:55 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-24 12:18 972,594 ---hs---- C:\WINDOWS\system32\vvvut.bak2
2007-01-24 09:30 <DIR> d-------- C:\Program Files\HijackThis
2007-01-23 12:18 957,983 ---hs---- C:\WINDOWS\system32\vvvut.bak1
2007-01-23 12:18 88,340 --a------ C:\WINDOWS\system32\gdclcjth.exe
2007-01-23 12:18 118,804 --a------ C:\WINDOWS\system32\knbwcuhu.dll
2007-01-23 12:17 277,192 ---h----- C:\WINDOWS\system32\tuvvv.dll
2007-01-19 16:05 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-19 16:05 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-19 16:05 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-19 16:05 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-19 16:05 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-19 16:05 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-12 12:38 22,541 --------- C:\WINDOWS\system32\ljjijhh.dll
2007-01-12 11:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Ahead
2007-01-12 10:55 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-01-11 12:14 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-01-09 15:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-02 16:05 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-01-02 10:38 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL
2007-01-02 10:38 26,384 --a------ C:\WINDOWS\system32\FM20ENU.DLL
2007-01-02 10:38 15,872 --a------ C:\WINDOWS\system32\SCP32.DLL
2007-01-02 10:38 1,129,232 --a------ C:\WINDOWS\system32\FM20.DLL
2006-12-28 10:13 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-25 04:03 101 --a------ C:\WINDOWS\system32\tmp.bat
2007-01-24 09:14 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\avg7
2007-01-13 04:26 -------- d--h----- C:\Program Files\installshield installation information
2007-01-09 15:13 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-09 15:08 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\adobeum
2007-01-02 11:07 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2007-01-02 10:38 -------- d-------- C:\Program Files\Common Files\installshield
2006-12-20 08:48 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\utorrent
2006-12-15 16:36 -------- d-------- C:\Program Files\microsoft frontpage
2006-12-15 09:56 -------- d-------- C:\Program Files\download plugin
2006-12-15 09:50 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\mozilla
2006-12-15 09:10 177 --a------ C:\DelUS.bat
2006-12-14 13:16 13860 --a------ C:\WINDOWS\system32\drivers\ndis3pkt.sys
2006-12-14 12:39 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\geovid
2006-12-14 09:00 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\smartftp
2006-11-27 13:37 5 --a------ C:\WINDOWS\system32\wrnreg5.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"GoldenFTPserver"="C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\Golden FTP Server\\gftp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\knbwcuhu.dll\",setvm"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingho32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


Completion time: 07-01-25 9:11:51
C:\ComboFix2.txt ... 07-01-24 15:59
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 

synack23

Thread Starter
Joined
Jan 24, 2007
Messages
4
hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:14:19 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Ship_nt\Bin\poc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Ship_nt\BIN\applogic.exe
C:\Ship_nt\BIN\absdatasvc.exe
C:\Ship_nt\Bin\ADMINSVC.EXE
C:\Ship_nt\ASA\win32\DBsrv9.EXE
C:\Ship_nt\BIN\rate.exe
C:\Ship_nt\BIN\comm.exe
C:\Ship_nt\BIN\reportlogic.exe
C:\Ship_nt\BIN\LabelFormat.exe
C:\Ship_nt\BIN\revservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\INTEGR~1\FSI.exe
C:\Integration\System\FSN.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\fix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fedex.com/us/automation/fsm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32FF170E-3360-42BF-9572-6E38157AB48A} - C:\WINDOWS\system32\tuvvv.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
O4 - Startup: FedEx.lnk = C:\Ship_nt\Bin\poc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)

vundofix log file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was

The second filepath entered was

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 644 'smss.exe'

Killing PID 3012 'explorer.exe'
Killing PID 3012 'explorer.exe'


Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
--------------------------------------------------------------------------------------


Fixing Registry
--------------------------------------------------------------------------------------

hopefully this puppy is dead!!!
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
I hope so too! :D

Run HJT again and put a check in the following:

O2 - BHO: (no name) - {32FF170E-3360-42BF-9572-6E38157AB48A} - C:\WINDOWS\system32\tuvvv.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)

Close all applications and browser windows before you click "fix checked".

Restart and post a new hijackthis log please.
 

synack23

Thread Starter
Joined
Jan 24, 2007
Messages
4
here is the new log fix:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:09 AM, on 1/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Ship_nt\Bin\poc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Ship_nt\BIN\applogic.exe
C:\Ship_nt\BIN\absdatasvc.exe
C:\Ship_nt\Bin\ADMINSVC.EXE
C:\Ship_nt\ASA\win32\DBsrv9.EXE
C:\Ship_nt\BIN\rate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Ship_nt\BIN\comm.exe
C:\Ship_nt\BIN\reportlogic.exe
C:\Ship_nt\BIN\LabelFormat.exe
C:\Ship_nt\BIN\revservice.exe
C:\INTEGR~1\FSI.exe
C:\Integration\System\FSN.exe
C:\SHIP_NT\Lds\FxConWnd.exe
C:\Documents and Settings\Administrator\Desktop\fix\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fedex.com/us/automation/fsm/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FedEx.lnk = C:\Ship_nt\Bin\poc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Imapi Helper - Unknown owner - C:\Documents and Settings\Administrator\My Documents\MSDS\ImapiHelper.exe (file missing)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check in the following:

O4 - HKCU\..\Run: [GoldenFTPserver] C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)

Close all applications and browser windows before you click "fix checked".


Click Here and download Killbox and save it to your desktop.



Double-click on Killbox.exe to run it.
Put a tick by Delete on Reboot.
Copy the following list of files to clipboard, CTRL+C to copy

C:\Documents and Settings\Administrator\My Documents\Downloads\Golden FTP Server\gftp.exe
C:\WINDOWS\system32\wingho32.dll


Now in Killbox go to File, Paste from clipboard.
Click the All Files button.
Click on the button that has the red circle with the X in the middle.
It will ask for confirmation to delete the file.
Click Yes.
It will ask if you want to reboot now,
Click Yes.

Note: It is possible that Killbox will tell you that the file does not exist.

If your computer does not restart automatically then please restart it manually.
If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


After the reboot post your hijackthis log again and let me know if you still have problems.
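For anyone reading a HijackThis log like the ones in this thread, here is an added example (not from the thread, not part of HijackThis or VundoFix) that applies the same rules of thumb the helper used when picking entries to fix: orphaned load points, unnamed BHOs/toolbars, Run values that start a DLL through rundll32, Winlogon Notify DLLs, and services with no vendor. The sample log is constructed from the kinds of entries shown above; the flags mean "look at this", not "this is malware".

```python
import re

# Constructed sample in HijackThis v1.99.1 format, built from the kinds of
# entries that appear in the thread above (O2/O3/O4/O20/O23 sections).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32FF170E-3360-42BF-9572-6E38157AB48A} - C:\WINDOWS\system32\tuvvv.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\knbwcuhu.dll",setvm
O20 - Winlogon Notify: wingho32 - wingho32.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# "O4 - <body>", "R1 - <body>", etc.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# rundll32.exe "C:\path\name.dll",entrypoint  -> captures the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)


def classify(line):
    """Reasons a single HijackThis entry deserves a look; [] means nothing seen."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    # A load point whose target is gone is an orphan: the file was removed
    # (by AVG or VundoFix in this thread) but the registry entry still points at it.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned load point")
    # Legitimate BHOs and toolbars normally carry a descriptive name.
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed BHO/toolbar")
    # Some vendors do start DLLs via rundll32, so this only says "check the DLL".
    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r:
            reasons.append("Run entry loads %s via rundll32" % r.group(1))
    # Winlogon Notify DLLs are loaded into winlogon.exe at every logon; that is
    # how tuvvv / wingho32 kept coming back on the machine in this thread.
    if section == "O20":
        reasons.append("Winlogon Notify DLL")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor string")
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    out = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            out[line.strip()] = reasons
    return out


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for w in why:
            print("    ->", w)
```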