
Solved: Can't update spyware progs

Discussion in 'Virus & Other Malware Removal' started by neuronjockey, Jan 19, 2007.

  1. neuronjockey

    neuronjockey Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    128
    Couldn't get updates for Spyware SD, and couldn't install AOL's spyware prog; it needs the C++ runtime, but that is already installed. Thanks in advance for your help.

    Neuronjockey

    Logfile of HijackThis v1.99.1
    Scan saved at 4:59:06 PM, on 1/18/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\system\dllhost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\uTorrent\utorrent.exe
    C:\WINNT\System32\MsiExec.exe
    C:\ZZZZ\001\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O20 - Winlogon Notify: iifcyay - C:\WINNT\SYSTEM32\iifcyay.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    You don't appear to have a firewall. Even if you have a router you still need a software firewall; download the one from the link below!


    Comodo firewall. Sign up, it's free!

    http://www.personalfirewall.trustix.com/


    Threads on comodo!

    http://www.wilderssecurity.com/forumdisplay.php?f=31


    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Windows Host Services (DLLHOST32)
    Right click and choose "Properties". On the "General" tab under "Service
    Status" click the "Stop" button to stop the service. Beside "Startup Type"
    in the dropdown menu select "Disabled". Click Apply then OK. Exit the
    Services utility.

    Note: You may get an error here when trying to access the properties of the
    service. If you do get an error, just select the service and look there in
    the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



    To deactivate Spyware Doctor's OnGuard Tools

    * From within Spyware Doctor, click the "OnGuard" button on the left side.
    * Uncheck "Activate OnGuard".

    You can reenable it once your system is clean.



    SpySweeper.

    Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

    Open Spysweeper and click on Options > Program Options.
    Uncheck "load at windows startup".
    On the left click "shields" and then uncheck everything there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".
    Exit the program.
    Leave it disabled until we are finished here.


    Also disable Spybot's TeaTimer, as it may also interfere with the fixes. You don't actually need 3 tools all doing the same thing, as they can interfere with each other!



    Download the Hoster from:

    www.funkytoad.com/download/hoster.zip

    UnZip the file and press "Restore Original Hosts" and press "OK". Exit
    Program.


    Download SDFix and save it to your desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, a menu with options should appear;
    * Select the first option, to run Windows in Safe Mode, then press "Enter".
    * Choose your usual account.

    * In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    * Open the extracted folder and double click RunThis.bat to start the script.
    * Type Y to begin the script.
    * It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * Your system will take longer than normal to restart as the fixtool will be running and removing files.
    * When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    * Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log




    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php




    Download AVG Anti-Spyware

    http://www.ewido.net/en/


    * Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition files.
    * On the main screen select the icon "Update" then select the "Update now" link.
    * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


    Close AVG Anti-Spyware. Do NOT run a scan yet. We will do that later in safe mode.



    * Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.



    O20 - Winlogon Notify: iifcyay - C:\WINNT\SYSTEM32\iifcyay.dll
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.


    C:\WINNT\system\dllhost.exe
    C:\WINNT\SYSTEM32\iifcyay.dll



    Run AVG Anti-Spyware!

    # IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
    # Launch AVG Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    # AVG will now begin the scanning process. Be patient this may take a little time.
    Once the scan is complete do the following:
    # If you have any infections you will be prompted, then select "Apply all actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    # Close AVG and reboot your system back into Normal Mode.



    Reboot to normal mode and run a few online scans!



    Note: this is a stand-alone program; it doesn't install to Start/Programmes.

    Download Mwav,

    http://www.spywareinfo.dk/download/mwav.exe


    Double-click on it and it will extract to C:\kaspersky. Click on the kaspersky folder and click on Kavupd; a black DOS window will open and it will update the programme for you. Be patient, it will take 5-10 minutes to download the new definitions. Once it's updated, click on mwavscan to launch the programme.

    Use the defaults of:

    Memory
    startup folders
    Registry
    system folders
    services

    Choose drive, all drives, and click scan all files, and then click scan/clean. After it finishes scanning and cleaning, post the log here with a new HijackThis log.

    Note: this is a very thorough scanner, it might take anything up to an hour
    or more, depending on how many drives you have and how badly infected your
    pc is.



    Highlight the portion of the scan that lists infected items and hold
    CTRL + C to copy, then paste it here. The whole log will be extremely big, so there is no way to copy the whole thing. I just need the infected items list.




    Post another HijackThis log, the AVG Anti-Spyware log, the SDFix log and the Mwav scan log.
     
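As an added illustration (not part of khazars' post and not a HijackThis feature), the following Python script applies the reasoning behind the two entries singled out above to raw HijackThis lines: it parses O20 Winlogon Notify and O23 Service entries and flags a random-named notify DLL, a service with no publisher, a system-named binary outside system32, and an orphaned "(file missing)" registration. The sample lines are copied from the logs in this thread; the flagging rules are the example's own heuristics.

```python
"""Triage of HijackThis v1.99.1 log lines (O20 Winlogon Notify and O23 Service
entries). Sample lines are copied from the logs posted in this thread; the
flagging rules are this example's own heuristics, not a HijackThis feature."""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O23"
    reason: str
    line: str


# O20/O23 lines taken from the thread's two HijackThis logs; the O2/O4 lines are
# included to show that benign entries produce no findings.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: iifcyay - C:\WINNT\SYSTEM32\iifcyay.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Heuristic taken from the SDFix hidden-file list in this thread: every dropped
# DLL had a name of seven random lowercase letters (iifcyay, xxyyxuu, byxwuts, ...).
RANDOM_DLL = re.compile(r"^[a-z]{7}\.dll$")
IN_SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
# Names of genuine Windows binaries that the malware in this thread imitated
# (dllhost.exe placed in C:\WINNT\system\ instead of system32).
SYSTEM_NAMES = {"dllhost.exe", "svchost.exe", "lsass.exe", "services.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    out: list[Finding] = []
    m = O20_RE.match(line)
    if m:
        dll = basename(m.group("path"))
        why = ("loads a random-named DLL" if RANDOM_DLL.match(dll.lower())
               else "runs inside winlogon at logon; review")
        out.append(Finding("O20", f"Winlogon Notify {m.group('key')}: {why} ({dll})", line))
        return out
    m = O23_RE.match(line)
    if not m:
        return out
    short, owner, path = m.group("short"), m.group("owner"), m.group("path")
    if m.group("missing"):
        out.append(Finding("O23", f"service {short}: binary missing, orphaned registration to remove", line))
    if owner == "Unknown owner":
        out.append(Finding("O23", f"service {short}: no publisher information", line))
    exe = basename(path).lower()
    if exe in SYSTEM_NAMES and not IN_SYSTEM32.search(path):
        out.append(Finding("O23", f"service {short}: {exe} outside system32 ({path})", line))
    return out


def triage_log(text: str) -> list[Finding]:
    """Run every non-blank line of a HijackThis log through triage_line."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```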
  3. neuronjockey

    neuronjockey Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    128
    Hi Khazars. I got a little out of sequence with your instruction list. I ran AVG in normal mode after I downloaded the latest version and then ran it again in safe mode in the sequence you wanted. The safe mode log seemed to be identical to the normal mode log with one addition, a renamed file. The Kaspersky log found nothing new and performed a 2nd renaming action on the above mentioned file. Here are all the logs:


    SDFix: Version 1.60

    Fri 01/19/2007 - 11:39:34.14

    Microsoft Windows 2000 [Version 5.00.2195]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    DLLHOST32

    Path:
    File Path - "C:\WINNT\system\dllhost.exe"

    DLLHOST32 Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Files will be copied to Backups folder and removed:

    C:\WINNT\system\dllhost.exe - Deleted
    C:\WINNT\system32\i - Deleted
    C:\WINNT\Temp\removalfile.bat - Deleted



    Alternate Streams Check:

    C:\WINNT\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\NTDETECT.COM
    C:\WINNT\system32\iifcyay.dll
    C:\WINNT\system32\iifffgg.dll
    C:\WINNT\system32\iifcbax.dll
    C:\WINNT\system32\xxyyxuu.dll
    C:\WINNT\system32\byxxxwt.dll
    C:\WINNT\system32\byxwuts.dll
    C:\WINNT\system32\pmnmnmn.dll
    C:\WINNT\system32\gebcyyv.dll
    C:\WINNT\system32\tuvttsr.dll
    C:\WINNT\system32\gebyayv.dll
    C:\WINNT\system32\ssqopno.dll
    C:\arcldr.exe
    C:\arcsetup.exe
    C:\PAGEFILE.SYS
    C:\CONFIG.SYS
    C:\IO.SYS
    C:\MSDOS.SYS

    Finished


    =====


    AVG:

    <history>
    <!-- 01c73c635fc5b5d0 -->
    <rec time="2007/01/20 05:29:47" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[1]</attr>
    <attr name="finding">@EID_Id_trj</attr>
    <attr name="virusname">Lop.AS</attr>
    </rec>
    <rec time="2007/01/20 05:29:51" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[2]</attr>
    <attr name="finding">@EID_Id_trj</attr>
    <attr name="virusname">Lop.AS</attr>
    </rec>
    <rec time="2007/01/20 05:30:02" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[1]</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 05:30:07" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTakenRestartRequired</value>
    <attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[2]</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 05:55:55" user="SYSTEM" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="finding">@EID_Id_trj</attr>
    <attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 05:56:08" user="SYSTEM" source="Update">
    <value>@HL_UpdateOK</value>
    <attr name="version">avi:921-904;iavi:651-623;</attr>
    </rec>
    <rec time="2007/01/20 05:56:13" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="finding">@EID_Id_trj</attr>
    <attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 05:56:22" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTakenRestartRequired</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 05:56:27" user="SYSTEM" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="finding">@EID_Id_trj</attr>
    <attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 05:56:29" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTakenRestartRequired</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 05:56:35" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTakenRestartRequired</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 05:56:59" user="SYSTEM" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
    <attr name="finding">@EID_Id_trj</attr>
    <attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 05:58:29" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFindRS</value>
    <attr name="filename">C:\WINNT\System32\algs.exe</attr>
    <attr name="finding">@EID_Id_vir</attr>
    <attr name="virusname">Worm/Agobot.CBE</attr>
    </rec>
    <rec time="2007/01/20 06:00:52" user="ZaZa Zeezu" source="General">
    <value>@HL_TestStarted</value>
    <attr name="testname">@TestName_02</attr>
    </rec>
    <rec time="2007/01/20 06:00:56" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\algs.exe</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Agobot.CBE</attr>
    </rec>
    <rec time="2007/01/20 06:01:40" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\iifffgg.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:41" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\iifcbax.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:41" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\xxyyxuu.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:41" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\byxxxwt.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:42" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\byxwuts.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:44" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\pmnmnmn.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:44" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\gebcyyv.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:45" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\tuvttsr.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:45" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\gebyayv.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:46" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\ssqopno.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
    </rec>
    <rec time="2007/01/20 06:01:46" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\WINNT\system32\algs.exe</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Agobot.CBE</attr>
    </rec>
    <rec time="2007/01/20 06:02:20" user="ZaZa Zeezu" source="General">
    <value>@HL_TestEnded</value>
    <attr name="testname">@TestName_02</attr>
    <attr name="infectedfiles">12</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\algs.exe</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\iifffgg.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\iifcbax.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\xxyyxuu.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\byxxxwt.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\byxwuts.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\pmnmnmn.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\gebcyyv.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\tuvttsr.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\gebyayv.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\ssqopno.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\WINNT\system32\algs.exe</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2007/01/20 06:04:53" user="ZaZa Zeezu" source="General">
    <value>@HL_TestStarted</value>
    <attr name="testname">@TestName_02</attr>
    </rec>
    <rec time="2007/01/20 06:17:58" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\SDFix\backups\backups.zip</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">IRC/BackDoor.SdBot2.REN</attr>
    </rec>
    <rec time="2007/01/20 06:18:00" user="ZaZa Zeezu" source="General">
    <value>@HL_TestEnded</value>
    <attr name="testname">@TestName_02</attr>
    <attr name="infectedfiles">1</attr>
    </rec>
    <rec time="2007/01/20 06:18:00" user="ZaZa Zeezu" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\SDFix\backups\backups.zip</attr>
    <attr name="action">@HL_ActVVInserted</attr>
    </rec>
    <rec time="2007/01/20 06:58:55" user="ZaZa Zeezu" source="General">
    <value>@HL_TestStarted</value>
    <attr name="testname">@TestName_02</attr>
    </rec>
    <rec time="2007/01/20 07:19:50" user="ZaZa Zeezu" source="General">
    <value>@HL_TestEnded</value>
    <attr name="testname">@TestName_02</attr>
    <attr name="infectedfiles">0</attr>
    </rec>
    </history>

    =====

    Kaspersky:


    This section was taken from body of log:

    Sat Jan 20 09:26:26 2007 => Scanning Folder: C:\!KillBox\*.*
    Sat Jan 20 09:26:26 2007 => Scanning Folder: C:\!KillBox\Logs\*.*
    Sat Jan 20 09:26:26 2007 => Scanning File C:\!KillBox\Logs\kb.log
    Sat Jan 20 09:26:27 2007 => Scanning File C:\!KillBox\dllhost.exe
    Sat Jan 20 09:26:30 2007 => File C:\!KillBox\dllhost.exe infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.


    This section was taken from end of log:

    Sat Jan 20 09:27:09 2007 => ***** Scanning complete. *****

    Sat Jan 20 09:27:09 2007 => Total Number of Files Scanned: 11991
    Sat Jan 20 09:27:09 2007 => Total Number of Virus(es) Found: 1
    Sat Jan 20 09:27:09 2007 => Total Number of Disinfected Files: 0
    Sat Jan 20 09:27:09 2007 => Total Number of Files Renamed: 1
    Sat Jan 20 09:27:09 2007 => Total Number of Deleted Files: 0
    Sat Jan 20 09:27:09 2007 => Total Number of Errors: 2
    Sat Jan 20 09:27:09 2007 => Time Elapsed: 00:26:45
    Sat Jan 20 09:27:09 2007 => Virus Database Date: 2006/12/28
    Sat Jan 20 09:27:09 2007 => Virus Database Count: 254631

    =====

    Logfile of HijackThis v1.99.1
    Scan saved at 9:52:59 AM, on 1/20/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC63AA3F-DFA4-44FB-ADED-CF86534AA2D5}: NameServer = 207.69.188.187 207.69.188.186
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
     
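As an added example (not from the thread and not AVG's own code), this Python script reads the AVG Anti-Spyware `<history>` XML posted above and groups its records by file, so a reader can see which files were only "cleaned" with a restart required and never confirmed removed, as happened with iifcyay.dll. The sample is a subset of the log posted above; the grouping logic and the unresolved() criterion are the example's own assumptions.

```python
"""Summarize an AVG Anti-Spyware <history> XML log: per-file detection counts,
names assigned, and actions recorded. The sample below is a subset of the log
posted in this thread; the grouping logic is this example's own, not AVG's."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_HISTORY = r"""<history>
<rec time="2007/01/20 05:55:55" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:56:22" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:56:27" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:56:29" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:00:56" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\algs.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">Worm/Agobot.CBE</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\algs.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:17:58" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\SDFix\backups\backups.zip</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.REN</attr>
</rec>
<rec time="2007/01/20 06:18:00" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\SDFix\backups\backups.zip</attr>
<attr name="action">@HL_ActVVInserted</attr>
</rec>
</history>"""

FIND_VALUES = {"@HL_ReportFindRS", "@HL_ReportFind"}
DEFERRED = "@HL_ActionTakenRestartRequired"   # action postponed until reboot


def summarize_history(xml_text: str) -> dict[str, dict]:
    """Group <rec> entries by case-folded file path."""
    root = ET.fromstring(xml_text)
    files: dict[str, dict] = defaultdict(lambda: {"detections": 0, "names": set(), "actions": []})
    for rec in root.findall("rec"):
        value = rec.findtext("value", default="")
        attrs = {a.get("name"): (a.text or "") for a in rec.findall("attr")}
        # Resident-shield records carry "filename"; on-demand scan records carry "where".
        path = attrs.get("filename") or attrs.get("where")
        if not path:
            continue  # @HL_TestStarted, @HL_TestEnded, @HL_UpdateOK and similar
        entry = files[path.lower()]
        if value in FIND_VALUES:
            entry["detections"] += 1
            entry["names"].add(attrs.get("virusname") or attrs.get("what", ""))
        elif value.startswith("@HL_ActionTaken"):
            entry["actions"].append((value, attrs.get("action", "")))
    return dict(files)


def unresolved(files: dict[str, dict]) -> list[str]:
    """Paths with no completed action: never actioned, or only deferred to reboot."""
    return sorted(path for path, e in files.items()
                  if not [a for a in e["actions"] if a[0] != DEFERRED])


if __name__ == "__main__":
    summary = summarize_history(SAMPLE_HISTORY)
    for path, e in sorted(summary.items()):
        print(f"{path}: {e['detections']} detection(s) {sorted(e['names'])} actions={e['actions']}")
    print("unresolved:", unresolved(summary))
```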
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Make sure to post the next hijack this log in normal mode!

    Have you the AVG scan log?



    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)


    Go to this site and download these tools, and once you get both Ad-Aware SE 1.6 and Spybot, update both of them.

    Set Ad-Aware to do a full system scan and deselect "search for negligible risk entries". Click next to start the scan. Delete everything Ad-Aware finds.

    Reboot and now run Spybot.

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.



    Download Superantispyware.

    http://www.superantispyware.com/


    Once downloaded and installed, update the definitions and then run a full system scan. Quarantine what it finds!



    All tools can be downloaded at the link below and found on that page!

    * SUPERAntiSpyware
    * AdAware SE personal


    http://www.majorgeeks.com/downloads31.html



    Make sure your ActiveX controls are set as follows:

    Go to Internet Options - Security - Internet, press 'default level', then OK.
    Now press "Custom Level."

    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "prompt", and "Initialize and Script ActiveX controls not marked as safe" to "disable".


    Active X settings

    http://www.compu-docs.com/activex.htm


    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!



    Post another log and the Panda scan log!
     
  5. neuronjockey

    neuronjockey Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    128
    >>Have you the AVG scan log?

    It's in the last message after the SDFix log.

    Here are the latest results. I couldn't find any log save function in Panda, although this may be because Panda didn't find anything. When I came back to the computer after the Panda scan, there was no scan-results screen to cut and paste from, or any link or button to save a log.

    Neuronjockey


    =====

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Tuesday, January 23, 2007 5:59:15 AM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R146 22.01.2007
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Tracking Cookie(TAC index:3):1 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    1-23-2007 5:59:15 AM - Scan started. (Smart mode)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 140
    ThreadCreationTime : 1-23-2007 12:16:16 PM
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINNT\system32\
    ProcessID : 164
    ThreadCreationTime : 1-23-2007 12:16:22 PM
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ProcessID : 160
    ThreadCreationTime : 1-23-2007 12:16:23 PM
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 212
    ThreadCreationTime : 1-23-2007 12:16:25 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6700
    ProductVersion : 5.00.2195.6700
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 224
    ThreadCreationTime : 1-23-2007 12:16:25 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6695
    ProductVersion : 5.00.2195.6695
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : lsasrv.dll and lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 404
    ThreadCreationTime : 1-23-2007 12:16:30 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : svchost.exe

    #:7 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 432
    ThreadCreationTime : 1-23-2007 12:16:30 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6659
    ProductVersion : 5.00.2195.6659
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolss.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : spoolss.exe

    #:8 [avgamsvr.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 460
    ThreadCreationTime : 1-23-2007 12:16:31 PM
    BasePriority : Normal
    FileVersion : 7.5.0.420
    ProductVersion : 7.5.0.420
    ProductName : AVG 7.5 Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Alert Manager
    InternalName : avgamsvr
    LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
    OriginalFilename : avgamsvr.EXE

    #:9 [avgupsvc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 488
    ThreadCreationTime : 1-23-2007 12:16:32 PM
    BasePriority : Normal
    FileVersion : 7.5.0.420
    ProductVersion : 7.5.0.420
    ProductName : AVG 7.5 Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Update Service
    InternalName : avgupsvc
    LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
    OriginalFilename : avgupdsvc.EXE

    #:10 [avgemc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 508
    ThreadCreationTime : 1-23-2007 12:16:32 PM
    BasePriority : Normal
    FileVersion : 7.5.0.432
    ProductVersion : 7.5.0.432
    ProductName : AVG Anti-Virus system
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG E-Mail Scanner
    InternalName : avgemc
    LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
    OriginalFilename : avgemc.exe

    #:11 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ProcessID : 584
    ThreadCreationTime : 1-23-2007 12:16:36 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : svchost.exe

    #:12 [mstask.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 644
    ThreadCreationTime : 1-23-2007 12:16:38 PM
    BasePriority : Normal
    FileVersion : 4.71.2195.6704
    ProductVersion : 4.71.2195.6704
    ProductName : Microsoft® Windows® Task Scheduler
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    LegalCopyright : Copyright (C) Microsoft Corp. 1997
    OriginalFilename : mstask.exe

    #:13 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ProcessID : 740
    ThreadCreationTime : 1-23-2007 12:16:40 PM
    BasePriority : Normal
    FileVersion : 1.50.1085.0100
    ProductVersion : 1.50.1085.0100
    ProductName : Windows Management Instrumentation
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

    #:14 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 752
    ThreadCreationTime : 1-23-2007 12:16:40 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : svchost.exe

    #:15 [explorer.exe]
    FilePath : C:\WINNT\
    ProcessID : 856
    ThreadCreationTime : 1-23-2007 12:16:51 PM
    BasePriority : Normal
    FileVersion : 5.00.3700.6690
    ProductVersion : 5.00.3700.6690
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : EXPLORER.EXE

    #:16 [avgcc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1000
    ThreadCreationTime : 1-23-2007 12:17:05 PM
    BasePriority : Normal
    FileVersion : 7.5.0.418
    ProductVersion : 7.5.0.418
    ProductName : AVG 7.5 Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC
    LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
    OriginalFilename : AvgCC.EXE

    #:17 [sdhelp.exe]
    FilePath : C:\Program Files\Spyware Doctor\
    ProcessID : 1048
    ThreadCreationTime : 1-23-2007 12:55:04 PM
    BasePriority : Normal
    FileVersion : 3.6.0.2026
    ProductVersion : 3.6
    ProductName : Spyware Doctor
    CompanyName : PC Tools Research Pty Ltd

    #:18 [swdoctor.exe]
    FilePath : C:\PROGRA~1\SPYWAR~1\
    ProcessID : 324
    ThreadCreationTime : 1-23-2007 1:04:59 PM
    BasePriority : Normal
    FileVersion : 4.0.0.2621
    ProductVersion : 3.6
    ProductName : Spyware Doctor
    CompanyName : PC Tools Research Pty Ltd
    FileDescription : Spyware Doctor
    InternalName : Spyware Doctor
    LegalCopyright : Copyright (c) 2005. Distributed by PC Tools Research Pty Ltd
    OriginalFilename : swdoctor.exe

    #:19 [sol.exe]
    FilePath : C:\WINNT\System32\
    ProcessID : 1124
    ThreadCreationTime : 1-23-2007 1:05:56 PM
    BasePriority : Normal
    FileVersion : 5.00.2138.1
    ProductVersion : 5.00.2138.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Solitaire Game Applet
    InternalName : sol.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : sol.exe

    #:20 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ProcessID : 1260
    ThreadCreationTime : 1-23-2007 1:09:37 PM
    BasePriority : Normal
    FileVersion : 6.00.2800.1106
    ProductVersion : 6.00.2800.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:21 [metapad.exe]
    FilePath : C:\Program Files\Metapad\
    ProcessID : 1180
    ThreadCreationTime : 1-23-2007 1:13:21 PM
    BasePriority : Normal


    #:22 [ad-aware.exe]
    FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
    ProcessID : 1296
    ThreadCreationTime : 1-23-2007 1:54:22 PM
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    #:23 [sol.exe]
    FilePath : C:\WINNT\System32\
    ProcessID : 524
    ThreadCreationTime : 1-23-2007 1:57:17 PM
    BasePriority : Normal
    FileVersion : 5.00.2138.1
    ProductVersion : 5.00.2138.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Solitaire Game Applet
    InternalName : sol.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : sol.exe

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : zaza [email protected][2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:zaza [email protected]/
    Expires : 1-15-2027 5:58:00 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 1



    Deep scanning and examining files...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\WINNT
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 1

    Disk Scan Result for C:\WINNT\system32
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 1

    Disk Scan Result for C:\DOCUME~1\ZAZAZE~1\LOCALS~1\Temp\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 1


    Scanning Hosts file......
    Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 1




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 1

    6:01:52 AM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:02:36.414
    Objects scanned:48671
    Objects identified:1
    Objects ignored:0
    New critical objects:1


    =====

    SUPERAntiSpyware Scan Log
    Generated 01/23/2007 at 08:14 AM

    Application Version : 3.5.1016

    Core Rules Database Version : 3170
    Trace Rules Database Version: 1180

    Scan type : Complete Scan
    Total Scan Time : 00:36:16

    Memory items scanned : 298
    Memory threats detected : 0
    Registry items scanned : 3492
    Registry threats detected : 0
    File items scanned : 15482
    File threats detected : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\ZaZa Zeezu\Cookies\zaza [email protected][2].txt

    Trojan.WinFixer
    C:\WINNT\SYSTEM32\HGGFG.DLL

    Adware.Vundo Variant
    C:\WINNT\SYSTEM32\AWTSR.DLL
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    That is AVG anti-virus. I asked you to download AVG Anti-Spyware, formerly known as Ewido, which is a totally different program from AVG anti-virus! You do not appear to be downloading any of the tools (Comodo, AVG Anti-Spyware etc.), or are you disabling them in msconfig? You need to allow these programs to run after they are installed to protect you, or you'll just keep getting viruses, spyware etc!



    Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click YES
    · Once you click yes, your desktop will go blank as it starts removing Vundo.
    · When completed, it will prompt that it will shutdown your computer, click OK.
    · Turn your computer back on.



    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button."
    when VundoFix appears at reboot.

    Go here and download the latest version of java, once
    downloaded, go to add/remove and uninstall all previous versions of java
    from add/remove and then install the latest version you just downloaded!


    http://java.com/en/download/manual.jsp

    http://www.majorgeeks.com/download.php?det=4648

    · Please post the contents of C:\vundofix.txt and a new HiJackThis log.



    post another log and the AVg antispyware log!
     
  7. neuronjockey

    neuronjockey Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    128
    I tried to install Comodo firewall but it wouldn't install. I'm downloading another copy. Will I be able to run eMule and uTorrent with Comodo running? Configuring ports can be a pain in the buttsky. Also, I just downloaded AVG Anti-Spyware from Ewido and installed it. It was supposed to be a free 30-day trial of the full-featured version, but when I went to configure the Reports tab, the window said "Reports not Available". Help!

    Neuronjockey
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    You can post at the Wilders forum on configuring Comodo for that. AVG is a free program; after the 30-day trial expires it can be run as a limited free program!
     
  9. neuronjockey

    neuronjockey Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    128
    The problem with AVG's 30 day trial period is that it wasn't full featured during the trial! I tried to access the Reports page and the Reports window had a message: "No Reports Available" which I assume to mean that I wouldn't be able to generate a report and post it here. I got the program off Ewido's website and the website said it was full-featured for 30 days, but, it wasn't. Do you have a work-around for this?

    Neuronjockey
     
  10. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Nope, can you post a HijackThis log!


    Download the Hoster from:

    www.funkytoad.com/download/hoster.zip

    UnZip the file and press "Restore Original Hosts" and press "OK". Exit
    Program.
     
  11. neuronjockey

    neuronjockey Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    128
    Turns out that after AVG Anti-Spyware does the scan you get to save the log file. I have it below with the latest HJT log:
    =====

    NORMAL MODE

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:56:34 AM 1/27/2007

    + Scan result:



    Nothing found.



    ::Report end



    =====



    SAFE MODE


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:26:21 AM 1/27/2007

    + Scan result:



    Nothing found.



    ::Report end


    =====

    Logfile of HijackThis v1.99.1
    Scan saved at 12:22:10 PM, on 1/30/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC63AA3F-DFA4-44FB-ADED-CF86534AA2D5}: NameServer = 207.69.188.187 207.69.188.186
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Download the Hoster from:

    www.funkytoad.com/download/hoster.zip

    UnZip the file and press "Restore Original Hosts" and press "OK". Exit
    Program.




    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Windows Host Services (DLLHOST32)
    Right click and choose "Properties". On the "General" tab under "Service
    Status" click the "Stop" button to stop the service. Beside "Startup Type"
    in the dropdown menu select "Disabled". Click Apply then OK. Exit the
    Services utility.

    Note: You may get an error here when trying to access the properties of the
    service. If you do get an error, just select the service and look there in
    the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.




    Have HijackThis fix these entries. Close all browsers and programmes before
    clicking FIX.



    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)


    clean log!



    You should now turn off system restore to flush out the bad restore points and
    then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




    Here are some free tools to keep you from getting infected in the future.


    To stop reinfection get spywareblaster from


    http://www.javacoolsoftware.com/downloads.html


    Get the hosts file from here. Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    Put it into the folder for your Windows version, or click the mvps bat file and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    IE-SPYAD. Puts over 5000 sites in your restricted zone so you'll be protected
    when you visit innocent-looking sites that aren't actually innocent at all.

    http://www.spywarewarrior.com/uiuc/resource.htm


    Spyware Terminator

    http://www.spywareterminator.com/dnl/landing.aspx


    In Spyware Terminator, click real time protection and tick the box to use
    real time protection, and tick all the boxes except file exceptions shield.
    If you're confident in using its advanced feature, click advanced and tick
    the HIPS box.

    If you want to install and uninstall programs it is best to
    temporarily disable Spyware Terminator and then re-enable it after you
    have installed or uninstalled a program, as it will create a lot of pop ups asking you whether you wish this to happen!

    Right click Spyware Terminator on the bottom right of your status bar and
    choose exit. Then tick the box and that is Spyware Terminator disabled!



    Use Spybot's immunize button and use SpywareBlaster's enable
    protection once you update it. You can put Spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's Firefox browser; it's safer, has
    a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    you can mark your own thread solved through thread tools at the top of
    the page.
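A small triage script for the O23 (service) lines of a HijackThis log like the one posted above, added here as an example and not code from the thread or from HijackThis itself: it parses each O23 entry and flags the three signs that together mark the DLLHOST32 entry khazars tells the poster to stop, disable and fix (an "Unknown owner", a binary that is "(file missing)", and a core Windows binary name living outside System32). The sample lines are copied from the HJT log in this thread; the list of commonly borrowed system binary names is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Shape of a HijackThis O23 (service) line:
#   O23 - Service: <display name> [(<service name>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<service>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption for this example: names of core Windows binaries that malware likes to
# borrow. The genuine copy lives in System32, so the same name elsewhere needs a look.
SYSTEM32_ONLY = {"dllhost.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "services.exe", "winlogon.exe", "spoolsv.exe"}


@dataclass
class O23Entry:
    display: str
    service: Optional[str]
    owner: str
    path: str
    missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[O23Entry]:
    """Parse one O23 line; anything that is not an O23 line yields None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return O23Entry(m["display"], m["service"], m["owner"], m["path"],
                    m["missing"] is not None)


def assess(entry: O23Entry) -> O23Entry:
    """Attach the reasons an entry deserves attention; no reasons means unremarkable."""
    if entry.owner.lower() == "unknown owner":
        entry.reasons.append("binary carries no vendor information (Unknown owner)")
    if entry.missing:
        entry.reasons.append("service is still registered but its binary is gone (file missing)")
    image = PureWindowsPath(entry.path)
    if image.name.lower() in SYSTEM32_ONLY and image.parent.name.lower() != "system32":
        entry.reasons.append(f"{image.name} belongs in System32, not in {image.parent}")
    return entry


def triage(log_text: str) -> List[O23Entry]:
    """Return every O23 entry in a HijackThis log that has at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


# The O23 lines exactly as they appear in the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.display} ({hit.service or 'no service name'}): {hit.path}")
        for why in hit.reasons:
            print(f"  - {why}")
```

Only the DLLHOST32 entry comes back flagged, with all three reasons; the vendor-signed AVG, VERITAS, Nero and PC Tools services produce no reasons at all.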
     
Short URL to this thread: https://techguy.org/536479
