Loads of rubbish and win blaster


kadziu

Thread Starter
Joined
Apr 22, 2007
Messages
53
Hi,

I just got a new ISP and since then I have been getting loads of rubbish from the net. I don't know why my antivirus is not able to cope with all this anymore. I have trojans, spyware, pop-ups and now win blaster, which I can't find a solution to on the net. It keeps rebooting me. You name it, I've got it. And all this since I have the new ISP.

I would like to clean my computer. Any help would be highly appreciated.

Thanks in advance

Mike
 

kadziu

Thread Starter
Cheers mate!

There you go:

Logfile of HijackThis v1.99.1
Scan saved at 00:56:36, on 05/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
D:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
D:\WINDOWS\System32\TDispVol.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\System32\00THotkey.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\WINDOWS\System32\explorer.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\System32\ezSP_Px.exe
D:\WINDOWS\System32\ponm.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
D:\WINDOWS\System32\uudtpy.exe
D:\WINDOWS\System32\xpchpcoj.exe
D:\WINDOWS\System32\spooIsv.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\XP\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.eu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TMESBS.EXE] D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [00THotkey] D:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce
O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: WLAN Client Utility.lnk = D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O15 - Trusted Zone: http://www.mks.com.pl
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A17E055-95C2-40EB-8683-71605B224C70}: NameServer = 194.204.159.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
 
Joined
Feb 15, 2004
Messages
12,302
You need to upgrade to XP SP2 when you are cleaned up!

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

You don't appear to have a firewall. Even if you have a router you still need a software firewall; download the one from the link below!

Comodo firewall. Sign up, it's free!

http://www.personalfirewall.trustix.com/

Threads on Comodo!

http://www.wilderssecurity.com/forumdisplay.php?f=31




Download ComboFix from Here or Here to your Desktop.

Reboot to Safe Mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.





Download the pocket killbox

http://www.majorgeeks.com/Pocket_KillBox_d4709.html




Download AVG Anti-Spyware

http://www.ewido.net/en/


* Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
* Once the setup is complete you will need to run AVG and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete".
* Under "Reports":
* Select "Automatically generate report after every scan"
* Un-select "Only if threats were found"

Close AVG Anti-Spyware. Do NOT run a scan yet. We will do that later in Safe Mode.






* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html


* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.


O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce
O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe
O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)




Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the Full Path of File to Delete box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.



D:\WINDOWS\System32\explorer.exe
D:\WINDOWS\System32\uudtpy.exe
D:\WINDOWS\System32\neupaymw.dll
D:\WINDOWS\System32\cbqkqble.exe
D:\WINDOWS\System32\ponm.exe




Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
# Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient, this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will be prompted; then select "Apply all actions".
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.


Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,

http://www.spywareinfo.dk/download/mwav.exe


Double click on it and it will extract to C:\kaspersky. Click on the kaspersky folder and click on Kavupd; a black DOS window will open and it will update the programme for you. Be patient, it will take 5-10 minutes to download the new definitions. Once it's updated, click on mwavscan to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive, all drives and click scan all files and then click scan/clean. After it finishes scanning and cleaning post the log here with a new HijackThis log.

Note: this is a very thorough scanner; it might take anything up to an hour or more, depending on how many drives you have and how badly infected your PC is.


Highlight the portion of the scan that lists infected items and hold CTRL + C to copy, then paste it here. The whole log will be extremely big so there is no way to copy the whole thing. I just need the infected items list.


Post a new HijackThis log, the ComboFix log, the Mwav scan log and the AVG Anti-Spyware log!
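The entries the helper picked out above were chosen by eye: a system binary name with a swapped letter (spooIsv.exe, capital I, standing in for spoolsv.exe), explorer.exe running from System32 instead of the Windows folder, random-looking names dropped into System32, and a service whose file is already gone. As an added example that is not code from the thread or from the HijackThis tool, the Python script below applies those same checks to the O4 (Run key) and O23 (service) lines of the first log. The allowlist of known binaries and the random-name heuristic are constructed for this example only; on a real system they will produce false positives and are a triage aid, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Windows XP binaries named in the log above and the folder under %WINDIR%
# each belongs in. Constructed for this example; a real baseline would be
# far larger and keyed on file hashes, not names.
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe": "windows",
    "spoolsv.exe": "system32",
    "rundll32.exe": "system32",
    "ctfmon.exe": "system32",
    "svchost.exe": "system32",
}

# Characters that read like others at a glance: spooIsv.exe (capital I)
# passes for spoolsv.exe (lowercase L) in a process list.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<label>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll))(?:["\s]|$)', re.IGNORECASE)
DLL_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)
# Dropper-style names seen in the log: uudtpy, neupaymw, cbqkqble.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass
class Finding:
    label: str
    target: str
    reasons: list = field(default_factory=list)


def first_executable(cmd: str) -> str:
    """Return the program a Run entry or service launches, quoted or not."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def check_target(path: str) -> list:
    """Heuristics for one launched file; returns the reasons it looks suspicious."""
    reasons = []
    raw_name = ntpath.basename(path)
    name = raw_name.lower()
    normalised = raw_name.translate(HOMOGLYPHS).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    stem = ntpath.splitext(raw_name)[0]
    if name != normalised and normalised in KNOWN_SYSTEM_BINARIES:
        reasons.append(f"lookalike of {normalised}")
    elif name in KNOWN_SYSTEM_BINARIES:
        expected = KNOWN_SYSTEM_BINARIES[name]
        if parent and parent != expected:
            reasons.append(f"{name} expected under {expected}, found in {parent}")
    elif parent == "system32" and RANDOM_STEM_RE.match(stem):
        reasons.append("random-looking name dropped in System32")
    return reasons


def analyse(log_lines) -> list:
    """Triage the O4 (Run keys) and O23 (services) lines of a HijackThis log."""
    findings = []
    for line in log_lines:
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        target = first_executable(cmd)
        # rundll32 is only a host process; judge the DLL it is told to load.
        if ntpath.basename(target).lower() == "rundll32.exe":
            dll = DLL_RE.search(cmd)
            if dll:
                target = dll.group("path")
        reasons = check_target(target)
        if "(file missing)" in cmd:
            reasons.append("service points at a file that no longer exists")
        if reasons:
            findings.append(Finding(m.group("label"), target, reasons))
    return findings


# Lines copied from the first HijackThis log in this thread, legitimate ones included.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe",
    r'O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce',
    r"O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
    r"O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)",
    r'O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.label}] {f.target}: {'; '.join(f.reasons)}")
```

Note that the legitimate Toshiba service is reported too, purely because its file is missing; that is why each reason is listed separately, so the reader can weigh them rather than treat a hit as proof.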
 

kadziu

Thread Starter
OK, let's go:

O4 - HKLM\..\Run: [Windows Explorer] D:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\WINDOWS\System32\uudtpy.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "D:\WINDOWS\System32\neupaymw.dll",forkonce
O4 - HKLM\..\Run: [Spooler SubSystem App] D:\WINDOWS\System32\spooIsv.exe
O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\cbqkqble.exe (file missing)


These above-mentioned files did not exist on the HijackThis list, so I could not delete them.



D:\WINDOWS\System32\explorer.exe
D:\WINDOWS\System32\uudtpy.exe
D:\WINDOWS\System32\neupaymw.dll
D:\WINDOWS\System32\cbqkqble.exe
D:\WINDOWS\System32\ponm.exe


All the above files were giving a "files do not exist".


New HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 19:50:53, on 06/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\XP\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.eu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TMESBS.EXE] D:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: WLAN Client Utility.lnk = D:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O15 - Trusted Zone: http://www.mks.com.pl
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A17E055-95C2-40EB-8683-71605B224C70}: NameServer = 194.204.159.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: efeec - D:\WINDOWS\System32\efeec.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - D:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)


ComboFix log:

"XP" - 2007-07-06 19:43:43 - ComboFix 07-07-04.4 - Service Pack 1 FAT32


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\system32\urqrrro.dll
D:\WINDOWS\system32\nnnmmno.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\system32\explorer.exe


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-06 16:50 43,764 --a------ D:\WINDOWS\system32\swdcg.exe
2007-07-05 15:51 <DIR> d-------- D:\!KillBox
2007-07-05 15:30 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-05 14:18 51,200 --a------ D:\WINDOWS\nircmd.exe
2007-07-04 12:45 4,672 --a------ D:\WINDOWS\system32\xpchpcoj.exe
2007-07-04 12:32 4,672 --a------ D:\WINDOWS\system32\qsigqeiv.exe
2007-07-03 18:28 4,672 --a------ D:\WINDOWS\system32\gqhkkkba.exe
2007-06-28 11:33 4,608 --ah----- D:\WINDOWS\system32\gjcoo.exe
2007-06-28 10:58 149,344 --ah----- D:\WINDOWS\system32\ennaz.exe
2007-06-28 10:40 16,694 --ah----- D:\WINDOWS\system32\uukwt.exe
2007-06-28 10:37 28,780 --ah----- D:\WINDOWS\system32\xkuvqa.exe
2007-06-27 22:06 <DIR> d-------- D:\Program Files\SkanerOnline
2007-06-27 20:02 420,864 --ah----- D:\WINDOWS\system32\dbqlgeb.exe
2007-06-27 09:26 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2007-06-26 21:30 60,830 --ah----- D:\WINDOWS\system32\uamzboqk.exe
2007-06-09 20:19 <DIR> d-------- D:\DOCUME~1\XP\APPLIC~1\Gadu-Gadu
2007-06-09 20:12 <DIR> d-------- D:\Program Files\Gadu-Gadu


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 15:21 440056 --a------ D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
2004-08-13 17:42 155648 --a------ D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ d:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
2006-01-17 16:04 282624 --a------ D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"TMESBS.EXE"="D:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2002-08-07 11:24]
"TDispVol"="TDispVol.exe" [2002-03-02 12:40 D:\WINDOWS\system32\TDispVol.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 D:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-28 10:37]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:00]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-03 13:26]
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efeec]
D:\WINDOWS\System32\efeec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=D:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=D:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=D:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^XP^Start Menu^Programs^Startup^MetaCafe.lnk]
path=D:\Documents and Settings\XP\Start Menu\Programs\Startup\MetaCafe.lnk
backup=D:\WINDOWS\pss\MetaCafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=D:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=D:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^officejet 6100.lnk]
path=D:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\officejet 6100.lnk
backup=D:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
D:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"D:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "D:\WINDOWS\System32\vnuyetud.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
D:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
D:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"D:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
D:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
D:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security iGuard]
D:\Program Files\Security iGuard\Security iGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\[email protected]]
D:\Program Files\[email protected]\[email protected]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Vanisher]
C:\spywarevanisher-free\FreeScanner.exe -FastScan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TcmTray]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
D:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
D:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 19:47:09
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 19:48:55 - machine was rebooted
D:\ComboFix2.txt ... 2007-07-05 14:25
D:\ComboFix-quarantined-files.txt ... 2007-07-06 19:48

--- E O F ---
 

kadziu

Thread Starter
AVG Anti-Spyware scan log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:10:30 05/07/2007

+ Scan result:



HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-1390067357-1957994488-1343024091-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\awtqnkh.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\awtqqom.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\awtrrqn.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\awtspnm.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxusqr.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxutut.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxwtsp.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxwuus.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxwvvu.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxxywv.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxyayy.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\byxyxxy.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\cbxvtqo.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\cbxxywu.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ddcaywt.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ddcdbay.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\efcawxv.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\efcayxv.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\efcbcaw.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\fccaaab.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\fccccay.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\fccyaab.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\fccyvvw.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\fccyvww.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\gebccay.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\hgggdee.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\hggghfd.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\hggghii.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\hgghhgh.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\iifdcbc.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\iifefcc.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\iiffggh.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\jkkhghe.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\khfcyaa.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\khfgffd.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ljjgghe.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ljjhhfg.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ljjjhhh.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\mljhihh.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\nnnljkl.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\nnnmlij.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\opnkhhf.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\opnlige.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\opnnkih.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\pmnljjh.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\pmnnnnl.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\qomklii.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ssqonlk.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\ssqqnnn.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\tuvurpm.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\tuvvsrr.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\urqnkhe.dll.vir -> Adware.Virtumonde : Cleaned.
D:\QooBox\Quarantine\D\WINDOWS\system32\vtutqpp.dll.vir -> Adware.Virtumonde : Cleaned.
 

kadziu

Thread Starter
Joined
Apr 22, 2007
Messages
53
The rest of the report I am not able to post, because:


You have included 22 images in your message. You are limited to using 20 images so please go back and correct the problem and then continue again.

Images include use of smilies, the vB code
 
Joined
Feb 15, 2004
Messages
12,302
Fix this one with HijackThis!

O20 - Winlogon Notify: efeec - D:\WINDOWS\System32\efeec.dll (file missing)

Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box. Then click Yes
to reboot after you have entered the last one.


Note: It is possible that Killbox will tell you that one or more files do
not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any. These files might not be there!



D:\WINDOWS\system32\xpchpcoj.exe
D:\WINDOWS\system32\qsigqeiv.exe
D:\WINDOWS\system32\gqhkkkba.exe
D:\WINDOWS\system32\gjcoo.exe
D:\WINDOWS\system32\ennaz.exe
D:\WINDOWS\system32\uukwt.exe
D:\WINDOWS\system32\xkuvqa.exe
D:\WINDOWS\system32\dbqlgeb.exe
D:\WINDOWS\system32\uamzboqk.exe



Please download http://www.atribune.org/ccount/click.php?id=4 to your
desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click
YES
· Once you click yes, your desktop will go blank as it starts removing
Vundo.
· When completed, it will prompt that it will shutdown your computer, click
OK.
· Turn your computer back on.


Go here and download the latest version of Java. Once
downloaded, go to Add/Remove and uninstall all previous versions of Java
from Add/Remove, and then install the latest version you just downloaded!


http://java.com/en/download/manual.jsp


go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "Search for negligible risk
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.




Download Superantispyware (SAS):

http://www.superantispyware.com/supe....html?rid=3132


Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!


* Double-click SUPERAntiSpyware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.


All tools can be downloaded at the link below and found on that page!

. SUPERAntiSpyware
. SpyBot search and destroy
. AdAware SE personal



http://www.majorgeeks.com/downloads31.html


Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then
OK.
Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and
unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX
controls not marked as safe" to "Disable".


Active X settings

http://www.compu-docs.com/activex.htm



Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



make sure autoclean is enabled on the scans



post another log, the vundo, the super and the panda scan log!
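The O20 line the helper asks to fix above is a Winlogon Notify registration: a DLL listed under that key is loaded into winlogon.exe at every logon, which is why Vundo/Virtumonde used it (and why HijackThis flags one whose file is missing). The following audit is an added example, not a tool from this thread or from any of the programs it mentions; it walks the real key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, resolves each DllName the way the loader would (bare names fall back to System32), and marks entries whose DLL is missing or not validly signed. The function name Get-WinlogonNotifyAudit is mine; the key only exists on XP/2003-era systems, so on newer Windows the script simply returns nothing.

```powershell
# Added example, not from the thread: audit Winlogon Notify DLL registrations
# (the persistence point behind a HijackThis "O20 - Winlogon Notify" line).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyAudit {
    # Key was removed after XP/2003; nothing to audit on newer systems.
    if (-not (Test-Path -Path $notifyKey)) { return @() }

    Get-ChildItem -Path $notifyKey | ForEach-Object {
        # Each subkey (package) names its DLL in the DllName value.
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName

        # Resolve as winlogon would: absolute path as-is, bare name from System32.
        if ([string]::IsNullOrEmpty($dll)) {
            $resolved = $null
        } elseif ([System.IO.Path]::IsPathRooted($dll)) {
            $resolved = $dll
        } else {
            $resolved = Join-Path $env:SystemRoot "System32\$dll"
        }

        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $signature = 'n/a'
        if ($exists) {
            # Legitimate Notify packages (e.g. from Microsoft) carry a valid signature.
            $signature = (Get-AuthenticodeSignature -FilePath $resolved).Status
        }

        [pscustomobject]@{
            Package    = $_.PSChildName
            DllName    = $dll
            Resolved   = $resolved
            Exists     = $exists
            Signature  = $signature
            # Missing file (the "(file missing)" case) or unsigned DLL is worth a look.
            Suspicious = (-not $exists) -or ($signature -ne 'Valid')
        }
    }
}

# Suspicious entries first; a missing DLL here is the leftover registration
# that HijackThis would still list as O20 until the subkey is removed.
Get-WinlogonNotifyAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. The script only reports; removing a flagged subkey is the same fix the helper describes doing with HijackThis, and a "Suspicious" row with a valid signature from a known vendor is a false positive to check against the vendor's file, not delete.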
 

kadziu

Thread Starter
Joined
Apr 22, 2007
Messages
53
I guess the site is missing in the below instructions :)


go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "Search for negligible risk
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.
 

kadziu

Thread Starter
Joined
Apr 22, 2007
Messages
53
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2007 at 01:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3266
Trace Rules Database Version: 1277

Scan type : Complete Scan
Total Scan Time : 01:54:38

Memory items scanned : 339
Memory threats detected : 0
Registry items scanned : 5519
Registry threats detected : 4
File items scanned : 63359
File threats detected : 11

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}
HKCR\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}
HKCR\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}\InprocServer32
HKCR\CLSID\{D483B73D-8943-45AF-AC98-67B6B20CA018}\InprocServer32#ThreadingModel
D:\WINDOWS\SYSTEM32\EFEEC.DLL

Adware.Tracking Cookie
D:\Documents and Settings\XP\Cookies\[email protected][2].txt
D:\Documents and Settings\XP\Cookies\[email protected][1].txt

Trojan.Downloader-Gen/HitItQuitIt
D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0096973.DLL

Adware.Vundo/Traff-2
D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0097052.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0097053.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{FEC8037E-18F1-41E6-BAA7-87D93073105B}\RP409\A0097054.EXE
D:\!KILLBOX\XPCHPCOJ.EXE
D:\!KILLBOX\QSIGQEIV.EXE
D:\!KILLBOX\GQHKKKBA.EXE
D:\!KILLBOX\XPCHPCOJ.EXE( 2)
 
Joined
Feb 15, 2004
Messages
12,302
How are things running now, any better?


Can you run/post the Vundo log and run/post the Panda scan log?



Please download http://www.atribune.org/ccount/click.php?id=4 to your
desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click
YES
· Once you click yes, your desktop will go blank as it starts removing
Vundo.
· When completed, it will prompt that it will shutdown your computer, click
OK.
· Turn your computer back on.


Go here and download the latest version of Java. Once
downloaded, go to Add/Remove and uninstall all previous versions of Java
from Add/Remove, and then install the latest version you just downloaded!


http://java.com/en/download/manual.jsp


Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then
OK.
Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and
unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX
controls not marked as safe" to "Disable".


Active X settings

http://www.compu-docs.com/activex.htm



Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



make sure autoclean is enabled on the scans
 

kadziu

Thread Starter
Joined
Apr 22, 2007
Messages
53
Yes, things are much better, many thanks for the help. I am still doing the other scans and will keep you posted. I am still getting the rebooting win blaster now and then.
 
Joined
Feb 15, 2004
Messages
12,302
Where does it say win blaster is? What program is finding it and what is its location? Post its full path.

See this site for the removal of the Blaster worm; also download the patch!


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A&VSect=Sn

Also run a scan here and post its log if you still haven't removed the Blaster:


Run an online antivirus check from

http://www.kaspersky.com/virusscanner

Then run Kaspersky online again, BUT this time before you scan, select Scan
Options and select EXTENDED BASES.
 

kadziu

Thread Starter
Joined
Apr 22, 2007
Messages
53
Hi, sorry for not getting back to you. I was out for a few days. It does not say anywhere that I have win blaster, but it keeps appearing now and then and keeps rebooting me. I just remember that I had win blaster long ago, and so I can tell by the symptoms, if you like. I have two disks, as you must have noticed. I got rid of it from D, but it was there all the time in C, and as I was not using C, I did not worry about it. But now it has appeared in D as well.

Thanks for the advice, I will scan and keep you updated.

Mike
 