1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Loads of rubbish and win blaster

Discussion in 'Virus & Other Malware Removal' started by kadziu, Jul 4, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    Hi,

    I just got a new ISP and since I have been getting loads of rubbish from the net. I dont know why my antivirus is not able to cope with all this anymore , I have trojans , spyware , pop ups and now win blaster which I cant find a solution to on the net. It keeps rebooting me. You name it, I've got it. And all this since I have the new ISP.

    I would like to clean my computer. Any help would be highly appreciated.

    Thanks in advance

    Mike
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    Download hijack this from the link below.Please do this. Click here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in hijack this
    as most of the files are legitimate.
     
  3. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    Cheers mate !

    there you go :

    Logfile of HijackThis v1.99.1
    Scan saved at 00:56:36, on 05/07/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\SYSTEM32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    D:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    D:\WINDOWS\System32\TDispVol.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\WINDOWS\System32\00THotkey.exe
    D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    D:\WINDOWS\System32\explorer.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    D:\WINDOWS\System32\ezSP_Px.exe
    D:\WINDOWS\System32\ponm.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Skype\Phone\Skype.exe
    D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    D:\WINDOWS\System32\uudtpy.exe
    D:\WINDOWS\System32\xpchpcoj.exe
    D:\WINDOWS\System32\spooIsv.exe
    D:\WINDOWS\System32\rundll32.exe
    D:\WINDOWS\System32\rundll32.exe
    D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    D:\WINDOWS\System32\rundll32.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\XP\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.eu/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TMESBS.EXE] D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [00THotkey] D:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce
    O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Global Startup: WLAN Client Utility.lnk = D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O15 - Trusted Zone: http://www.mks.com.pl
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
    O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A17E055-95C2-40EB-8683-71605B224C70}: NameServer = 194.204.159.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    you need to upgrade to XpSP2 when you are cleaned up!




    http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx


    you don't appear to have a firewall, even if you have a router you still
    need
    a software frewall, downlaod the one from the link below!



    Comodo firewall. Sign up it's free!

    http://www.personalfirewall.trustix.com/


    Threads on comodo!

    http://www.wilderssecurity.com/forumdisplay.php?f=31




    Download ComboFix from
    Here
    or
    Here
    to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just
    before Windows starts to load. If done right a Windows Advanced Options menu
    will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a
      HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while its
    running. That may cause it to stall





    Download the pocket killbox

    http://www.majorgeeks.com/Pocket_KillBox_d4709.html




    Download AVG Anti-Spyware

    http://www.ewido.net/en/


    * Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition
    files.
    * On the main screen select the icon "Update" then select the "Update now"
    link.
    * Next select the "Start Update" button, the update will start and a
    progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the
    screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select
    "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


    Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that
    later in safe mode.






    * Click here to download ATF Cleaner by Atribune and save it to your
    desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords,
    please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords,
    please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.


    O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe
    O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce
    O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe
    O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)




    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with
    the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do
    not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.



    D:\WINDOWS\System32\explorer.exe
    D:\WINDOWS\System32\uudtpy.exe
    D:\WINDOWS\System32\neupaymw.dll
    D:\WINDOWS\System32\cbqkqble.exe
    D:\WINDOWS\System32\ponm.exe




    Run AVG Anti-Spyware!

    # IMPORTANT: Do not open any other windows or programs while AVG is scanning
    as it may interfere with the scanning process:
    # Launch AVG Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on
    "Complete System Scan".
    # AVG will now begin the scanning process. Be patient this may take a little
    time.
    Once the scan is complete do the following:
    # If you have any infections you will prompted, then select "Apply all
    actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen
    and save it to a text file on your system (make sure to remember where you
    saved that file, this is important).
    # Close AVG and reboot your system back into Normal Mode.


    Note: this is a stand alone, it doesn't install to start/programmes.

    Download Mwav,

    http://www.spywareinfo.dk/download/mwav.exe


    double click on it and it will extract to C:\kaspersky. Click
    on the kaspersky folder and click on Kavupd, a black dos window will open
    and it will update the programme for you, be patient it will take 5-10
    minutes to download the new definitions. Once it's updated, click on
    mwavscan
    to launch the programme.

    Use the defaults of:

    Memory
    startup folders
    Registry
    system folders
    services

    Choose drive , all drives and, click scan all files
    and then click scan/clean. After it finishes scanning and cleaning post
    the log here with a new hijack this log.

    Note: this is a very thorough scanner, it might take anything up to an hour
    or more, depending on how many drives you have and how badly infected your
    pc is.



    Highlight the portion of the scan that lists infected items and hold
    CTRL + C to Copy then paste it here. The whole log with be extremely
    big so there is no way to copy the whole thing. I just need the
    infected items list.



    Post a new hijack this, the combolog, the Mwav scan log and the AVg antispware log!
     
  5. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    Ok lets go :

    O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe
    O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce
    O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe
    O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)


    these above mentioned files did not exist on the hijack this list , so could not delete them .



    D:\WINDOWS\System32\explorer.exe
    D:\WINDOWS\System32\uudtpy.exe
    D:\WINDOWS\System32\neupaymw.dll
    D:\WINDOWS\System32\cbqkqble.exe
    D:\WINDOWS\System32\ponm.exe


    All the above files were giving a "files do not exist"


    New hijack this log is :

    Logfile of HijackThis v1.99.1
    Scan saved at 19:50:53, on 06/07/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Skype\Phone\Skype.exe
    D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
    D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    D:\WINDOWS\system32\notepad.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\XP\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.eu/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TMESBS.EXE] D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Global Startup: WLAN Client Utility.lnk = D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O15 - Trusted Zone: http://www.mks.com.pl
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
    O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A17E055-95C2-40EB-8683-71605B224C70}: NameServer = 194.204.159.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: efeec - D:\WINDOWS\System32\efeec.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)


    Combo log :

    "XP" - 2007-07-06 19:43:43 - ComboFix 07-07-04.4 - Service Pack 1 FAT32


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    D:\WINDOWS\system32\urqrrro.dll
    D:\WINDOWS\system32\nnnmmno.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    D:\WINDOWS\system32\explorer.exe


    ((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


    2007-07-06 16:50 43,764 --a------ D:\WINDOWS\system32\swdcg.exe
    2007-07-05 15:51 <DIR> d-------- D:\!KillBox
    2007-07-05 15:30 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-07-05 14:18 51,200 --a------ D:\WINDOWS\nircmd.exe
    2007-07-04 12:45 4,672 --a------ D:\WINDOWS\system32\xpchpcoj.exe
    2007-07-04 12:32 4,672 --a------ D:\WINDOWS\system32\qsigqeiv.exe
    2007-07-03 18:28 4,672 --a------ D:\WINDOWS\system32\gqhkkkba.exe
    2007-06-28 11:33 4,608 --ah----- D:\WINDOWS\system32\gjcoo.exe
    2007-06-28 10:58 149,344 --ah----- D:\WINDOWS\system32\ennaz.exe
    2007-06-28 10:40 16,694 --ah----- D:\WINDOWS\system32\uukwt.exe
    2007-06-28 10:37 28,780 --ah----- D:\WINDOWS\system32\xkuvqa.exe
    2007-06-27 22:06 <DIR> d-------- D:\Program Files\SkanerOnline
    2007-06-27 20:02 420,864 --ah----- D:\WINDOWS\system32\dbqlgeb.exe
    2007-06-27 09:26 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
    2007-06-26 21:30 60,830 --ah----- D:\WINDOWS\system32\uamzboqk.exe
    2007-06-09 20:19 <DIR> d-------- D:\DOCUME~1\XP\APPLIC~1\Gadu-Gadu
    2007-06-09 20:12 <DIR> d-------- D:\Program Files\Gadu-Gadu


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 04:16 59032 --a------ D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2006-11-09 15:21 440056 --a------ D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
    2004-08-13 17:42 155648 --a------ D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-01-19 23:55 2403392 -ra------ d:\program files\google\googletoolbar3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
    2006-01-17 16:04 282624 --a------ D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="NvQTwk" []
    "TMESBS.EXE"="D:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2002-08-07 11:24]
    "TDispVol"="TDispVol.exe" [2002-03-02 12:40 D:\WINDOWS\system32\TDispVol.exe]
    "000StTHK"="000StTHK.exe" [2001-06-23 20:28 D:\WINDOWS\system32\000StTHK.exe]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
    "AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-28 10:37]
    "!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:00]
    "Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20]
    "swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-03 13:26]
    "updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efeec]
    D:\WINDOWS\System32\efeec.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
    backup=D:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
    backup=D:\WINDOWS\pss\Metacafe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=D:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^XP^Start Menu^Programs^Startup^MetaCafe.lnk]
    path=D:\Documents and Settings\XP\Start Menu\Programs\Startup\MetaCafe.lnk
    backup=D:\WINDOWS\pss\MetaCafe.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=D:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=D:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^officejet 6100.lnk]
    path=D:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\officejet 6100.lnk
    backup=D:\WINDOWS\pss\officejet 6100.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    D:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
    rundll32.exe "D:\WINDOWS\System32\vnuyetud.dll",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
    "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    D:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    D:\Program Files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "D:\Program Files\Microsoft Money\System\Money Express.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "D:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    D:\WINDOWS\System32\\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /installquiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    D:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security iGuard]
    D:\Program Files\Security iGuard\Security iGuard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\[email protected]]
    D:\Program Files\[email protected]\[email protected]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Vanisher]
    C:\spywarevanisher-free\FreeScanner.exe -FastScan

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
    D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TcmTray]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
    D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    D:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    D:\Program Files\Microsoft Works\wkfud.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-06 19:47:09
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-06 19:48:55 - machine was rebooted
    D:\ComboFix2.txt ... 2007-07-05 14:25
    D:\ComboFix-quarantined-files.txt ... 2007-07-06 19:48

    --- E O F ---
     
  6. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    AVG antispyware scan log :

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 17:10:30 05/07/2007

    + Scan result:



    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
    HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
    HKU\S-1-5-21-1390067357-1957994488-1343024091-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\awtqnkh.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\awtqqom.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\awtrrqn.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\awtspnm.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxusqr.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxutut.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxwtsp.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxwuus.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxwvvu.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxxywv.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxyayy.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\byxyxxy.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\cbxvtqo.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\cbxxywu.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ddcaywt.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ddcdbay.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\efcawxv.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\efcayxv.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\efcbcaw.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\fccaaab.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\fccccay.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\fccyaab.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\fccyvvw.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\fccyvww.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\gebccay.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\hgggdee.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\hggghfd.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\hggghii.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\hgghhgh.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\iifdcbc.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\iifefcc.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\iiffggh.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\jkkhghe.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\khfcyaa.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\khfgffd.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ljjgghe.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ljjhhfg.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ljjjhhh.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\mljhihh.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\nnnljkl.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\nnnmlij.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\opnkhhf.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\opnlige.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\opnnkih.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\pmnljjh.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\pmnnnnl.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\qomklii.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ssqonlk.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\ssqqnnn.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\tuvurpm.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\tuvvsrr.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\urqnkhe.dll.vir -> Adware.Virtumonde : Cleaned.
    D:\QooBox\Quarantine\D\WINDOWS\system32\vtutqpp.dll.vir -> Adware.Virtumonde : Cleaned.
     
  7. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    The rest of the report I am not able to post .becoz ::::


    You have included 22 images in your message. You are limited to using 20 images so please go back and correct the problem and then continue again.

    Images include use of smilies, the vB code [​IMG]
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    fix this one with hijack this!

    O20 - Winlogon Notify: efeec - D:\WINDOWS\System32\efeec.dll (file missing)

    Double-click on Killbox.exe to run it. Now put a tick by Delete on
    Reboot. In the "Full Path of File to Delete" box, copy and paste each
    of the following lines one at a time then click on the button that has
    the red circle with the X in the middle after you enter each file.
    It will ask for confimation to delete the file on next reboot. Click
    Yes. It will then ask if you want to reboot now. Click No. Continue
    with that same procedure until you have copied and pasted all of
    these in the "Paste Full Path of File to Delete" box.Then click yes
    to reboot after you entered the last one.


    Note: It is possible that Killbox will tell you that one or more files do
    not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any. These files might not be there!



    D:\WINDOWS\system32\xpchpcoj.exe
    D:\WINDOWS\system32\qsigqeiv.exe
    D:\WINDOWS\system32\gqhkkkba.exe
    D:\WINDOWS\system32\gjcoo.exe
    D:\WINDOWS\system32\ennaz.exe
    D:\WINDOWS\system32\uukwt.exe
    D:\WINDOWS\system32\xkuvqa.exe
    D:\WINDOWS\system32\dbqlgeb.exe
    D:\WINDOWS\system32\uamzboqk.exe



    Please download http://www.atribune.org/ccount/click.php?id=4 to your
    desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click
    YES
    · Once you click yes, your desktop will go blank as it starts removing
    Vundo.
    · When completed, it will prompt that it will shutdown your computer, click
    OK.
    · Turn your computer back on.


    Go here and downlaod the latest version of java, once
    downloaded, go to add/remove and uninstall all previous versions of java
    from add/remove and then instlall the latest version you just downloaded!


    http://java.com/en/download/manual.jsp


    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.




    Download Superantispyware (SAS):

    http://www.superantispyware.com/supe....html?rid=3132


    Once downloaded and installed update the defintions
    and then run a full system scan quarantine what it finds!


    * Double-click SUPERAntiSypware.exe and use the default settings for
    installation.
    * An icon will be created on your desktop. Double-click that icon to launch
    the program.
    * If asked to update the program definitions, click "Yes". If not, update
    the definitions before scanning by selecting "Check for Updates". (If you
    encounter any problems while downloading the updates, manually download and
    unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all
    others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your
    computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your
    computer.
    * After the scan is complete, a Scan Summary box will appear with
    potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete".
    Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware
    again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log.
    A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.


    All tools can be downloaded at the link below and found on that page!

    . SUPERAntiSpyware
    . SpyBot search and destroy
    . AdAware SE personal



    http://www.majorgeeks.com/downloads31.html


    Make sure your ActiveX controls are set as follows:

    Go to Internet Options - Security - Internet, press 'default level', then
    OK.
    Now press "Custom Level."

    In the ActiveX section, set the first two options (Download signed and
    unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
    controls not marked as safe" to 'disable'.


    Active X settings

    http://www.compu-docs.com/activex.htm



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!



    make sure autoclean is enabled on the scans



    post another log, the vundo, the super and the panda scan log!
     
  9. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    I guess the site is missing in the below intructions :)


    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.
     
  10. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    see the post 8 above, maybe things got a bit screwed up!
     
  11. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/07/2007 at 01:53 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3266
    Trace Rules Database Version: 1277

    Scan type : Complete Scan
    Total Scan Time : 01:54:38

    Memory items scanned : 339
    Memory threats detected : 0
    Registry items scanned : 5519
    Registry threats detected : 4
    File items scanned : 63359
    File threats detected : 11

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}
    HKCR\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}
    HKCR\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}\InprocServer32
    HKCR\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}\InprocServer32#ThreadingModel
    D:\WINDOWS\SYSTEM32\EFEEC.DLL

    Adware.Tracking Cookie
    D:\Documents and Settings\XP\Cookies\[email protected][2].txt
    D:\Documents and Settings\XP\Cookies\[email protected][1].txt

    Trojan.Downloader-Gen/HitItQuitIt
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0096973.DLL

    Adware.Vundo/Traff-2
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0097052.EXE
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0097053.EXE
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0097054.EXE
    D:\!KILLBOX\XPCHPCOJ.EXE
    D:\!KILLBOX\QSIGQEIV.EXE
    D:\!KILLBOX\GQHKKKBA.EXE
    D:\!KILLBOX\XPCHPCOJ.EXE( 2)
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    How are things running now any better?


    can you run/post the vundo log and run post the panda scna log?



    Please download http://www.atribune.org/ccount/click.php?id=4 to your
    desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click
    YES
    · Once you click yes, your desktop will go blank as it starts removing
    Vundo.
    · When completed, it will prompt that it will shutdown your computer, click
    OK.
    · Turn your computer back on.


    Go here and downlaod the latest version of java, once
    downloaded, go to add/remove and uninstall all previous versions of java
    from add/remove and then instlall the latest version you just downloaded!


    http://java.com/en/download/manual.jsp


    Make sure your ActiveX controls are set as follows:

    Go to Internet Options - Security - Internet, press 'default level', then
    OK.
    Now press "Custom Level."

    In the ActiveX section, set the first two options (Download signed and
    unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
    controls not marked as safe" to 'disable'.


    Active X settings

    http://www.compu-docs.com/activex.htm



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!



    make sure autoclean is enabled on the scans
     
  13. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    Yes , things are much better, many thanks for the help , I am still doing the other scans and will keep you posted. I am still getting the re booting win blaster now and then.
     
  14. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    where does it say win blaster is, what program is finding it and what is its location, post it's full path?

    see this site for the removal of the blaster worm, also downlaod the patch!


    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A&VSect=Sn

    Also run a scna here and psot it's log if you still ahven't reoved the blaster?


    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner

    then run kaspersky online again BUT this time before you scan select scan
    options and select EXTENDED BASES
     
  15. kadziu

    kadziu Thread Starter

    Joined:
    Apr 22, 2007
    Messages:
    53
    Hi sorry for not getting back to you. I was out for a few days. It does not say anywhere that I have win blaster, but it keeps appearing now and then and keeps re booting me. I just remember that I had win blaster long ago and so I can tell by the symptoms, if you like, I have two disks as you must have noticed. I got rid of it from D but it was there all the time in C, and as I was not using C , I did not worry about it. But now it has appeared in D as well.

    Thanks for the advice , I will scan and keep you updated.

    Mike
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/591799

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice