
HT log for My Mate

Discussion in 'Virus & Other Malware Removal' started by eddie5659, Feb 17, 2007.

Thread Status:
Not open for further replies.
  1. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    35,186
    Hiya

    My gaming clan (I know, sad) have asked me to look at their PCs due to slowness when gaming etc. So, this will be the first, and others to follow in new threads. If all clear from spyware etc, I'll clean up their starting programs ;)



    Logfile of HijackThis v1.99.1
    Scan saved at 1:28:24 AM, on 2/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    c:\program files\softwin\bitdefender10\bdmcon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Advanced Browser\browser.exe
    C:\Documents and Settings\Administrator\Desktop\New Folder (3)\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.megagames.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gbmljybm.dll",setvm
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


    Thanks

    eddie
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
    ========================
    Download Superantispyware (SAS)

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    - It will ask if you want to update the program definitions, click Yes.
    - Under Configuration and Preferences, click the Preferences button.
    - Click the Scanning Control tab.
    - Under Scanner Options make sure the following are checked:
      - Close browsers before scanning
      - Scan for tracking cookies
      - Terminate memory threats before quarantining.
      - Please leave the others unchecked.
      - Click the Close button to leave the control center screen.
    - On the main screen, under Scan for Harmful Software click Scan your computer.
    - On the left check C:\Fixed Drive.
    - On the right, under Complete Scan, choose Perform Complete Scan.
    - Click Next to start the scan. Please be patient while it scans your computer.
    - After the scan is complete a summary box will appear. Click OK.
    - Make sure everything in the white box has a check next to it, then click Next.
    - It will quarantine what it found and if it asks if you want to reboot, click Yes.
    - To retrieve the removal information for me please do the following:
      - After reboot, double-click the SUPERAntispyware icon on your desktop.
      - Click Preferences. Click the Statistics/Logs tab.
      - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      - It will open in your default text editor (such as Notepad/Wordpad).
      - Please highlight everything in the notepad, then right-click and choose copy.
    - Click close and close again to exit the program.
    - Please paste that information here for me with a new HijackThis log.
     
  3. golferbob

    golferbob

    Joined:
    May 18, 2004
    Messages:
    3,895
  4. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    35,186
    Thanks MFDnSC and golferbob :)


    VundoFix V6.3.6

    Checking Java version...

    Scan started at 1:03:06 AM 2/18/2007

    Listing files found while scanning....

    C:\Documents and settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
    C:\Documents and settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
    C:\WINDOWS\system32\aohmwoil.dll
    C:\WINDOWS\system32\byxussq.dll
    C:\WINDOWS\system32\cmjsnaaq.exe
    C:\WINDOWS\system32\gbmljybm.dll
    C:\WINDOWS\system32\gnllfroa.dll
    C:\WINDOWS\system32\knhkirvk.dll
    C:\WINDOWS\system32\kpnqnopw.exe
    C:\WINDOWS\system32\kvrikhnk.ini
    C:\WINDOWS\system32\liowmhoa.ini
    C:\WINDOWS\system32\lnnmp.bak1
    C:\WINDOWS\system32\lnnmp.bak2
    C:\WINDOWS\system32\lnnmp.ini
    C:\WINDOWS\system32\lnnmp.tmp
    C:\WINDOWS\system32\mbyjlmbg.ini
    C:\WINDOWS\system32\meqfegkv.dll
    C:\WINDOWS\system32\myyvelev.exe
    C:\WINDOWS\system32\pmnnl.dll
    C:\WINDOWS\system32\ppqdhgov.dll
    C:\WINDOWS\system32\udbfdmga.dll
    C:\WINDOWS\system32\vkgefqem.ini
    C:\WINDOWS\system32\wgbtndsv.dll

    Beginning removal...

    Attempting to delete C:\Documents and settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
    C:\Documents and settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

    Attempting to delete C:\Documents and settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
    C:\Documents and settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

    Attempting to delete C:\WINDOWS\system32\aohmwoil.dll
    C:\WINDOWS\system32\aohmwoil.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\byxussq.dll
    C:\WINDOWS\system32\byxussq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cmjsnaaq.exe
    C:\WINDOWS\system32\cmjsnaaq.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gbmljybm.dll
    C:\WINDOWS\system32\gbmljybm.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gnllfroa.dll
    C:\WINDOWS\system32\gnllfroa.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\knhkirvk.dll
    C:\WINDOWS\system32\knhkirvk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kpnqnopw.exe
    C:\WINDOWS\system32\kpnqnopw.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kvrikhnk.ini
    C:\WINDOWS\system32\kvrikhnk.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\liowmhoa.ini
    C:\WINDOWS\system32\liowmhoa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lnnmp.bak1
    C:\WINDOWS\system32\lnnmp.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lnnmp.bak2
    C:\WINDOWS\system32\lnnmp.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lnnmp.ini
    C:\WINDOWS\system32\lnnmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mbyjlmbg.ini
    C:\WINDOWS\system32\mbyjlmbg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\meqfegkv.dll
    C:\WINDOWS\system32\meqfegkv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\myyvelev.exe
    C:\WINDOWS\system32\myyvelev.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmnnl.dll
    C:\WINDOWS\system32\pmnnl.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ppqdhgov.dll
    C:\WINDOWS\system32\ppqdhgov.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\udbfdmga.dll
    C:\WINDOWS\system32\udbfdmga.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vkgefqem.ini
    C:\WINDOWS\system32\vkgefqem.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wgbtndsv.dll
    C:\WINDOWS\system32\wgbtndsv.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    -------------------------------------------------------------------------------

    SUPERAntiSpyware Free Edition


    SUPERAntiSpyware Scan Log
    Generated 02/18/2007 at 01:44 AM

    Application Version : 3.5.1016

    Core Rules Database Version : 3184
    Trace Rules Database Version: 1194

    Scan type : Complete Scan
    Total Scan Time : 00:33:39

    Memory items scanned : 358
    Memory threats detected : 1
    Registry items scanned : 4679
    Registry threats detected : 31
    File items scanned : 28508
    File threats detected : 89

    Trojan.Virtumonde/Resident
    C:\WINDOWS\SYSTEM32\YQUANHHB.DLL
    C:\WINDOWS\SYSTEM32\YQUANHHB.DLL

    Unclassified.Oreans32
    HKLM\System\ControlSet001\Services\oreans32
    C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
    HKLM\System\ControlSet002\Services\oreans32
    HKLM\System\CurrentControlSet\Services\oreans32
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

    Adware.Tracking Cookie

    Adware.Vundo Variant
    HKCR\CLSID\{68D5CF1D-EC5C-4BDD-A9EF-F0E517565D50}
    HKCR\CLSID\{68D5CF1D-EC5C-4BDD-A9EF-F0E517565D50}\InprocServer32
    HKCR\CLSID\{68D5CF1D-EC5C-4BDD-A9EF-F0E517565D50}\InprocServer32#ThreadingModel

    Adware.VSToolbar
    HKU\S-1-5-21-73586283-484061587-725345543-500\Software\Search Toolbar Corp
    C:\Documents and Settings\Administrator\Application Data\SearchToolbarCorp\Toolbar Vision
    C:\Documents and Settings\Administrator\Application Data\SearchToolbarCorp
    C:\Program Files\VSAdd-in

    Unclassified.Unknown Origin/System
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP1\A0000594.EXE

    Trojan.Downloader-Quake11
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP19\A0008950.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP20\A0009966.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP32\A0012162.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013308.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013311.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013312.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013313.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013317.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013320.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013321.DLL
    C:\VUNDOFIX BACKUPS\AOHMWOIL.DLL.BAD
    C:\VUNDOFIX BACKUPS\GBMLJYBM.DLL.BAD
    C:\VUNDOFIX BACKUPS\GNLLFROA.DLL.BAD
    C:\VUNDOFIX BACKUPS\KNHKIRVK.DLL.BAD
    C:\VUNDOFIX BACKUPS\MEQFEGKV.DLL.BAD
    C:\VUNDOFIX BACKUPS\PPQDHGOV.DLL.BAD
    C:\VUNDOFIX BACKUPS\UDBFDMGA.DLL.BAD

    Trojan.Downloader-WBRock
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013309.DLL
    C:\VUNDOFIX BACKUPS\BYXUSSQ.DLL.BAD

    Trojan.Downloader-Gen/LIB
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3FD8087-0CEB-4461-9421-E7D20C3761B0}\RP35\A0013323.DLL
    C:\VUNDOFIX BACKUPS\WGBTNDSV.DLL.BAD
    C:\WINDOWS\SYSTEM32\XGPDXGRY.DLL

    Trojan.Downloader-SpyTool
    C:\WINDOWS\SYSTEM32\DUAPSCJF.DLL
    C:\WINDOWS\SYSTEM32\KGESWLTS.DLL
    C:\WINDOWS\SYSTEM32\LGSDTEII.DLL
    C:\WINDOWS\SYSTEM32\NRRKDLPY.DLL

    ----------------------------------------------------------------------------------


    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 1:59:47 AM, on 2/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Advanced Browser\browser.exe
    C:\Documents and Settings\Administrator\Desktop\New Folder (3)\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.megagames.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
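    The two HijackThis logs in this thread (posts 1 and 4) differ by exactly the entries the cleanup touched. As an added example that is not part of the thread or of HijackThis, the Python script below parses excerpts copied from both logs, diffs the O-entries, lists every O4 Run entry that loads a DLL through rundll32 (the shape of the `[DllRunning] ... gbmljybm.dll,setvm` line VundoFix removed), and cross-checks O23 services flagged "(file missing)" against the Running processes list, where the first log shows vsserv.exe running despite the flag. Function names and the trimming of the excerpts are my own.

```python
"""Diff two HijackThis 1.99.1 logs and sanity-check the entry types this thread turned on."""
import re

# Excerpts copied from the two logs posted above (17 Feb before VundoFix/SAS,
# 18 Feb after); unrelated lines are omitted to keep the sample short.
BEFORE = r"""
Running processes:
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\rundll32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gbmljybm.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
"""

AFTER = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?,(\w+)', re.IGNORECASE)
# Stray closing quote before the switch: HJT split a quoted ImagePath at the quote.
MISSING_RE = re.compile(r'([A-Za-z]:\\[^"]*\.exe)" /\S+ \(file missing\)$')


def parse_log(text: str) -> dict[str, set[str]]:
    """Split a log into the Running processes list and the R/F/N/O entries."""
    processes: set[str] = set()
    entries: set[str] = set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the process list ends at the first blank line
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())
        elif ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": processes, "entries": entries}


def diff_entries(before: str, after: str) -> dict[str, list[str]]:
    """Entries only in the first log ('removed') or only in the second ('added')."""
    b, a = parse_log(before)["entries"], parse_log(after)["entries"]
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def rundll32_loads(text: str) -> list[tuple[str, str]]:
    """(DLL path, entry point) for every O4 Run entry that goes through rundll32.
    Legitimate ones exist (NvCpl.dll), so this is a review list, not a verdict."""
    loads = []
    for entry in sorted(parse_log(text)["entries"]):
        m = RUNDLL_RE.search(entry) if entry.startswith("O4 ") else None
        if m:
            loads.append((m.group(1), m.group(2)))
    return loads


def file_missing_services(text: str) -> list[tuple[str, bool]]:
    """O23 services flagged '(file missing)' on a quoted ImagePath, paired with
    whether the same binary is in Running processes (True = the flag is an artifact)."""
    parsed = parse_log(text)
    running = {p.rsplit("\\", 1)[-1] for p in parsed["processes"]}
    out = []
    for entry in sorted(parsed["entries"]):
        m = MISSING_RE.search(entry) if entry.startswith("O23 ") else None
        if m:
            out.append((m.group(1), m.group(1).rsplit("\\", 1)[-1].lower() in running))
    return out


if __name__ == "__main__":
    for kind, lines in diff_entries(BEFORE, AFTER).items():
        print(kind, *lines, sep="\n  ")
    print("rundll32 loads before cleanup:", rundll32_loads(BEFORE))
    print("'file missing' services before cleanup:", file_missing_services(BEFORE))
```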
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    IE - Block Third party cookies
    1. Click on the Tools button on the Internet Explorer tool bar.
    2. Highlight and click on Internet options at the bottom of the Tools menu.
    3. Select the Privacy Tab of the Internet Options menu.
    4. Select the Advanced... button at the bottom of the screen.
    5. Select override automatic cookie handling button.
    6. To block third party cookies select block under "Third-party cookies".
    7. Select "always allow session cookies".
    8. Click on the OK button at the bottom of the screen.
    ============
    Looks good, how are things?


    Turn off restore points, boot, turn them back on – here’s how

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    35,186
    Thanks MFDnSC

    I assume it's all clean now. Will look at startup stuff soon, and update that Java :)

    eddie
     
Short URL to this thread: https://techguy.org/544826