Solved: Can't update spyware progs


neuronjockey

Thread Starter
Joined
Jan 21, 2006
Messages
128
Couldn't get updates for Spyware SD, couldn't install AOL's spyware prog - needs C++ runtime but it is already installed. Thanks in advance for your help.

Neuronjockey

Logfile of HijackThis v1.99.1
Scan saved at 4:59:06 PM, on 1/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system\dllhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINNT\System32\MsiExec.exe
C:\ZZZZ\001\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: iifcyay - C:\WINNT\SYSTEM32\iifcyay.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 
Joined
Feb 15, 2004
Messages
12,302
hi, welcome to TSG.


you don't appear to have a firewall; even if you have a router you still need
a software firewall, download the one from the link below!


Comodo firewall. Sign up, it's free!

http://www.personalfirewall.trustix.com/


Threads on comodo!

http://www.wilderssecurity.com/forumdisplay.php?f=31


Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Windows Host Services (DLLHOST32)
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.

Note: You may get an error here when trying to access the properties of the
service. If you do get an error, just select the service and look there in
the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



To deactivate Spyware Doctor's OnGuard Tools

* From within Spyware Doctor, click the "OnGuard" button on the left side.
* Uncheck "Activate OnGuard".

You can reenable it once your system is clean.



spysweeper.

Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

Open Spysweeper and click on Options > Program Options.
Uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Leave it disabled until we are finished here.


Also disable Spybot's TeaTimer as well, as it may also interfere with the fixes. You don't actually need 3 tools all doing the same thing, as they can interfere with each other!



Download the Hoster from:

www.funkytoad.com/download/hoster.zip

UnZip the file and press "Restore Original Hosts" and press "OK". Exit
Program.


Download SDFix and save it to your desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log




Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php




Download AVG Anti-Spyware

http://www.ewido.net/en/


* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need to run AVG and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Do NOT run a scan yet. We will do that later in safe mode.



* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html


* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.



O20 - Winlogon Notify: iifcyay - C:\WINNT\SYSTEM32\iifcyay.dll
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINNT\system\dllhost.exe
C:\WINNT\SYSTEM32\iifcyay.dll



Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient, this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will be prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.



reboot to normal mode and run a few online scans!



Note: this is stand-alone, it doesn't install to start/programmes.

Download Mwav,

http://www.spywareinfo.dk/download/mwav.exe


double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive, all drives, and click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.



Highlight the portion of the scan that lists infected items and hold
CTRL + C to Copy then paste it here. The whole log will be extremely
big so there is no way to copy the whole thing. I just need the
infected items list.




post another HijackThis log, the AVG Anti-Spyware log, SDFix log and the Mwav scan log.
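The two entries Khazars has HijackThis fix in the post above are exactly what a short rule set picks out of the log: an O20 Winlogon Notify DLL, and an O23 service with "Unknown owner" whose binary uses a system file name (dllhost.exe) but sits in C:\WINNT\system rather than system32. The Python below is an added example of that triage, not part of the thread and not how HijackThis itself works; the SYSTEM32_ONLY list and the reason texts are my assumptions, and HJT_LOG is a constructed excerpt of seven lines copied from the log posted at the top of the thread.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not part
of the thread or of HijackThis itself).  It encodes the reasoning behind the
two entries singled out for fixing: a Winlogon Notify DLL, and an unowned
service running a system binary from the wrong folder."""
import re

# Constructed excerpt: seven entries in the same line format as the log
# posted at the top of the thread (the full log is not reproduced here).
HJT_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: iifcyay - C:\WINNT\SYSTEM32\iifcyay.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

# Windows 2000 system binaries whose genuine copy lives in %SystemRoot%\system32.
# The same file name in any other folder (here C:\WINNT\system) is a classic
# masquerade worth a second look.  This list is an assumption of the example.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "dllhost.exe",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path up to the first executable/library extension; paths may
# contain spaces and dashes ("C:\Program Files\Spybot - Search & Destroy\...").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body, path-or-None) for every 'Onn - ...' line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                       # header, process list, blank lines
        section, body = m.groups()
        pm = PATH_RE.search(body)
        yield section, body, (pm.group(0) if pm else None)


def triage(log_text):
    """Return [(entry line, [reasons])] for the entries a reviewer should check."""
    flagged = []
    for section, body, path in parse_entries(log_text):
        reasons = []
        if section == "O20" and body.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify DLL is loaded into winlogon at every "
                           "logon; legitimate entries are rare, verify the file")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no company/owner string")
        if path:
            folder, _, name = path.rpartition("\\")
            if name.lower() in SYSTEM32_ONLY and not folder.lower().endswith("\\system32"):
                reasons.append(f"{name} runs from {folder} instead of system32")
        if reasons:
            flagged.append((f"{section} - {body}", reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(HJT_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Run as a script it prints the two flagged entries with their reasons; the DLLHOST32 service collects two (no owner, wrong folder), and the same rules still fire on the later log's "(file missing)" variant of that line because the path match stops at the .exe extension.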
 

neuronjockey

Thread Starter
Joined
Jan 21, 2006
Messages
128
Hi Khazars. I got a little out of sequence with your instruction list. I ran AVG in normal mode after I downloaded the latest version and then ran it again in safe mode in the sequence you wanted. The safe mode log seemed to be identical to the normal mode log with one addition, a renamed file. The Kaspersky log found nothing new and performed a 2nd renaming action on the above mentioned file. Here are all the logs:


SDFix: Version 1.60

Fri 01/19/2007 - 11:39:34.14

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DLLHOST32

Path:
File Path - "C:\WINNT\system\dllhost.exe"

DLLHOST32 Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINNT\system\dllhost.exe - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\Temp\removalfile.bat - Deleted



Alternate Streams Check:

C:\WINNT\system32
No streams found.

Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\WINNT\system32\iifcyay.dll
C:\WINNT\system32\iifffgg.dll
C:\WINNT\system32\iifcbax.dll
C:\WINNT\system32\xxyyxuu.dll
C:\WINNT\system32\byxxxwt.dll
C:\WINNT\system32\byxwuts.dll
C:\WINNT\system32\pmnmnmn.dll
C:\WINNT\system32\gebcyyv.dll
C:\WINNT\system32\tuvttsr.dll
C:\WINNT\system32\gebyayv.dll
C:\WINNT\system32\ssqopno.dll
C:\arcldr.exe
C:\arcsetup.exe
C:\PAGEFILE.SYS
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS

Finished


=====


AVG:

<history>
<!-- 01c73c635fc5b5d0 -->
<rec time="2007/01/20 05:29:47" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[1]</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Lop.AS</attr>
</rec>
<rec time="2007/01/20 05:29:51" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[2]</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Lop.AS</attr>
</rec>
<rec time="2007/01/20 05:30:02" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[1]</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:30:07" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\Documents and Settings\ZaZa Zeezu\Local Settings\Temporary Internet Files\Content.IE5\8XIBOL27\lo1[2]</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:55:55" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:56:08" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:921-904;iavi:651-623;</attr>
</rec>
<rec time="2007/01/20 05:56:13" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:56:22" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:56:27" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:56:29" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:56:35" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:56:59" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:58:29" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\algs.exe</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Agobot.CBE</attr>
</rec>
<rec time="2007/01/20 06:00:52" user="ZaZa Zeezu" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/01/20 06:00:56" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\algs.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">Worm/Agobot.CBE</attr>
</rec>
<rec time="2007/01/20 06:01:40" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\iifffgg.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:41" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\iifcbax.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:41" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\xxyyxuu.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:41" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\byxxxwt.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:42" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\byxwuts.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:44" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\pmnmnmn.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:44" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\gebcyyv.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:45" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\tuvttsr.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:45" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\gebyayv.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:46" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\ssqopno.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:46" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\algs.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">Worm/Agobot.CBE</attr>
</rec>
<rec time="2007/01/20 06:02:20" user="ZaZa Zeezu" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">12</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\algs.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\iifffgg.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\iifcbax.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\xxyyxuu.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\byxxxwt.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\byxwuts.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\pmnmnmn.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\gebcyyv.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\tuvttsr.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\gebyayv.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\ssqopno.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\algs.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 06:04:53" user="ZaZa Zeezu" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/01/20 06:17:58" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\SDFix\backups\backups.zip</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.REN</attr>
</rec>
<rec time="2007/01/20 06:18:00" user="ZaZa Zeezu" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2007/01/20 06:18:00" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\SDFix\backups\backups.zip</attr>
<attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2007/01/20 06:58:55" user="ZaZa Zeezu" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/01/20 07:19:50" user="ZaZa Zeezu" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
</history>

=====

Kaspersky:


This section was taken from body of log:

Sat Jan 20 09:26:26 2007 => Scanning Folder: C:\!KillBox\*.*
Sat Jan 20 09:26:26 2007 => Scanning Folder: C:\!KillBox\Logs\*.*
Sat Jan 20 09:26:26 2007 => Scanning File C:\!KillBox\Logs\kb.log
Sat Jan 20 09:26:27 2007 => Scanning File C:\!KillBox\dllhost.exe
Sat Jan 20 09:26:30 2007 => File C:\!KillBox\dllhost.exe infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.


This section was taken from end of log:

Sat Jan 20 09:27:09 2007 => ***** Scanning complete. *****

Sat Jan 20 09:27:09 2007 => Total Number of Files Scanned: 11991
Sat Jan 20 09:27:09 2007 => Total Number of Virus(es) Found: 1
Sat Jan 20 09:27:09 2007 => Total Number of Disinfected Files: 0
Sat Jan 20 09:27:09 2007 => Total Number of Files Renamed: 1
Sat Jan 20 09:27:09 2007 => Total Number of Deleted Files: 0
Sat Jan 20 09:27:09 2007 => Total Number of Errors: 2
Sat Jan 20 09:27:09 2007 => Time Elapsed: 00:26:45
Sat Jan 20 09:27:09 2007 => Virus Database Date: 2006/12/28
Sat Jan 20 09:27:09 2007 => Virus Database Count: 254631

=====

Logfile of HijackThis v1.99.1
Scan saved at 9:52:59 AM, on 1/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC63AA3F-DFA4-44FB-ADED-CF86534AA2D5}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
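Lined up by file, the SDFix, AVG and HijackThis logs above tell one story: AVG names all eleven of the hidden system32 DLLs SDFix listed (iifcyay.dll before the full scan, the other ten during it), and it reports iifcyay.dll as cleaned-pending-reboot three times before detecting it again. The Python below is an added example of doing that correlation mechanically; it is not part of the thread or of either tool. It parses a constructed excerpt written in the record shapes of the AVG <history> log, lists the files whose clean-up never completed, and cross-checks a constructed subset of SDFix's "Files with Hidden Attributes" list against the AVG detections. The paths and threat names are copied from the logs above purely as sample data.

```python
"""Condense an AVG Anti-Spyware <history> log and cross-check it against the
SDFix hidden-attribute file list (added example, not part of either tool)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt in the record shapes the AVG log above uses: ReportFind /
# ReportFindRS carry a detection, ActionTaken* a clean-up, and an Update record
# names no file at all.  Paths and threat names are copied from the posted log.
AVG_HISTORY = r"""<history>
<rec time="2007/01/20 05:55:55" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 05:56:08" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:921-904;iavi:651-623;</attr>
</rec>
<rec time="2007/01/20 05:56:22" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTakenRestartRequired</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/20 05:56:59" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINNT\System32\iifcyay.dll</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:01:40" user="ZaZa Zeezu" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINNT\system32\iifffgg.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">IRC/BackDoor.SdBot2.QCV</attr>
</rec>
<rec time="2007/01/20 06:02:21" user="ZaZa Zeezu" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINNT\system32\iifffgg.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
</history>"""

# Constructed subset of the "Files with Hidden Attributes" list in the SDFix report.
SDFIX_HIDDEN = [
    r"C:\NTDETECT.COM",
    r"C:\WINNT\system32\iifcyay.dll",
    r"C:\WINNT\system32\iifffgg.dll",
    r"C:\WINNT\system32\ssqopno.dll",
    r"C:\IO.SYS",
]

FINDS = {"@HL_ReportFind", "@HL_ReportFindRS"}
ACTIONS = {"@HL_ActionTaken", "@HL_ActionTakenRestartRequired"}


def parse_history(xml_text):
    """Group records by case-folded path (the log mixes System32 and system32).
    Event dicts: kind 'find' with threat name, or kind 'action' with pending flag."""
    events = defaultdict(list)
    for rec in ET.fromstring(xml_text).iter("rec"):
        value = (rec.findtext("value") or "").strip()
        attrs = {a.get("name"): (a.text or "").strip() for a in rec.findall("attr")}
        path = attrs.get("filename") or attrs.get("where")
        if not path:
            continue                      # update / scan-boundary records
        ev = {"time": rec.get("time"), "path": path}
        if value in FINDS:
            ev.update(kind="find", threat=attrs.get("virusname") or attrs.get("what"))
        elif value in ACTIONS:
            ev.update(kind="action", action=attrs.get("action"),
                      pending=value.endswith("RestartRequired"))
        else:
            continue
        events[path.lower()].append(ev)
    return events


def unresolved(events):
    """Files whose last event is still a detection, or whose only clean-ups are
    waiting on a reboot: the ones to re-check after restarting."""
    out = []
    for evs in events.values():
        completed = any(e["kind"] == "action" and not e["pending"] for e in evs)
        if evs[-1]["kind"] == "find" or not completed:
            out.append(evs[0]["path"])
    return sorted(out)


def cross_check(events, hidden_files):
    """Split the SDFix hidden-attribute list into files AVG also flagged and
    files it did not; the second group still needs a manual look."""
    detected = sorted(p for p in hidden_files if p.lower() in events)
    untouched = sorted(p for p in hidden_files if p.lower() not in events)
    return detected, untouched


if __name__ == "__main__":
    ev = parse_history(AVG_HISTORY)
    for evs in ev.values():
        threats = sorted({e["threat"] for e in evs if e["kind"] == "find"})
        print(evs[0]["path"], "->", ", ".join(threats))
    print("unresolved after the scan:", unresolved(ev))
    print("hidden files flagged / not flagged:", cross_check(ev, SDFIX_HIDDEN))
```

On this excerpt iifcyay.dll comes out as unresolved (its last record is a fresh detection after a reboot-pending clean), iifffgg.dll as resolved, and the hidden-attribute list splits into two AVG-flagged DLLs and three it never mentioned; of those three, ssqopno.dll is the one that would deserve a look, while NTDETECT.COM and IO.SYS are normally hidden boot files. Run over the full log, the untouched group is where a second opinion (the Kaspersky scan the helper asked for) earns its time.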
 
Joined
Feb 15, 2004
Messages
12,302
Make sure to post the next hijack this log in normal mode!

Have you the AVG scan log?



O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)


go to this site and download these tools and once you get both
Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk
entries". Click next to start the scan. Delete everything Ad-Aware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.



Download Superantispyware.

http://www.superantispyware.com/


Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!



All tools can be downloaded at the link below and found on that page!

. SUPERAntiSpyware
. AdAware SE personal


http://www.majorgeeks.com/downloads31.html



Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options (Download signed and
unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
controls not marked as safe' to 'disable'.


Active X settings

http://www.compu-docs.com/activex.htm


Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, have it delete anything that it cannot clean.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another log and the panda scan log!
 

neuronjockey

Thread Starter
Joined
Jan 21, 2006
Messages
128
>>Have you the AVG scan log?

It's in the last message after the SDFix log.

Here are the latest results. I couldn't find any log save function in Panda, although this may be because Panda didn't find anything. When I came back to the computer after the Panda scan, there was no scan-results screen to cut and paste from, nor any link or button to save a log.

Neuronjockey


=====

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, January 23, 2007 5:59:15 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R146 22.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-23-2007 5:59:15 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 140
ThreadCreationTime : 1-23-2007 12:16:16 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 164
ThreadCreationTime : 1-23-2007 12:16:22 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 160
ThreadCreationTime : 1-23-2007 12:16:23 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 212
ThreadCreationTime : 1-23-2007 12:16:25 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 1-23-2007 12:16:25 PM
BasePriority : Normal
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 404
ThreadCreationTime : 1-23-2007 12:16:30 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 432
ThreadCreationTime : 1-23-2007 12:16:30 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:8 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 460
ThreadCreationTime : 1-23-2007 12:16:31 PM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:9 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 488
ThreadCreationTime : 1-23-2007 12:16:32 PM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:10 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 508
ThreadCreationTime : 1-23-2007 12:16:32 PM
BasePriority : Normal
FileVersion : 7.5.0.432
ProductVersion : 7.5.0.432
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:11 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 584
ThreadCreationTime : 1-23-2007 12:16:36 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:12 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 1-23-2007 12:16:38 PM
BasePriority : Normal
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:13 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 740
ThreadCreationTime : 1-23-2007 12:16:40 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

#:14 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 752
ThreadCreationTime : 1-23-2007 12:16:40 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:15 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 856
ThreadCreationTime : 1-23-2007 12:16:51 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:16 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1000
ThreadCreationTime : 1-23-2007 12:17:05 PM
BasePriority : Normal
FileVersion : 7.5.0.418
ProductVersion : 7.5.0.418
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:17 [sdhelp.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 1048
ThreadCreationTime : 1-23-2007 12:55:04 PM
BasePriority : Normal
FileVersion : 3.6.0.2026
ProductVersion : 3.6
ProductName : Spyware Doctor
CompanyName : PC Tools Research Pty Ltd

#:18 [swdoctor.exe]
FilePath : C:\PROGRA~1\SPYWAR~1\
ProcessID : 324
ThreadCreationTime : 1-23-2007 1:04:59 PM
BasePriority : Normal
FileVersion : 4.0.0.2621
ProductVersion : 3.6
ProductName : Spyware Doctor
CompanyName : PC Tools Research Pty Ltd
FileDescription : Spyware Doctor
InternalName : Spyware Doctor
LegalCopyright : Copyright (c) 2005. Distributed by PC Tools Research Pty Ltd
OriginalFilename : swdoctor.exe

#:19 [sol.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1124
ThreadCreationTime : 1-23-2007 1:05:56 PM
BasePriority : Normal
FileVersion : 5.00.2138.1
ProductVersion : 5.00.2138.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Solitaire Game Applet
InternalName : sol.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : sol.exe

#:20 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1260
ThreadCreationTime : 1-23-2007 1:09:37 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:21 [metapad.exe]
FilePath : C:\Program Files\Metapad\
ProcessID : 1180
ThreadCreationTime : 1-23-2007 1:13:21 PM
BasePriority : Normal


#:22 [ad-aware.exe]
FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
ProcessID : 1296
ThreadCreationTime : 1-23-2007 1:54:22 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:23 [sol.exe]
FilePath : C:\WINNT\System32\
ProcessID : 524
ThreadCreationTime : 1-23-2007 1:57:17 PM
BasePriority : Normal
FileVersion : 5.00.2138.1
ProductVersion : 5.00.2138.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Solitaire Game Applet
InternalName : sol.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : sol.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : zaza [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:zaza [email protected]/
Expires : 1-15-2027 5:58:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\DOCUME~1\ZAZAZE~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

6:01:52 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:36.414
Objects scanned:48671
Objects identified:1
Objects ignored:0
New critical objects:1


=====

SUPERAntiSpyware Scan Log
Generated 01/23/2007 at 08:14 AM

Application Version : 3.5.1016

Core Rules Database Version : 3170
Trace Rules Database Version: 1180

Scan type : Complete Scan
Total Scan Time : 00:36:16

Memory items scanned : 298
Memory threats detected : 0
Registry items scanned : 3492
Registry threats detected : 0
File items scanned : 15482
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\ZaZa Zeezu\Cookies\zaza [email protected][2].txt

Trojan.WinFixer
C:\WINNT\SYSTEM32\HGGFG.DLL

Adware.Vundo Variant
C:\WINNT\SYSTEM32\AWTSR.DLL
 
Joined
Feb 15, 2004
Messages
12,302
That is AVG anti-virus; I asked you to download AVG Anti-Spyware, formerly known as Ewido, which is a totally different program from AVG anti-virus! You do not appear to be downloading any of the tools (Comodo, AVG Anti-Spyware etc.), or are you disabling them in msconfig? You need to allow these programs to run after they are installed to protect you, or you'll just keep getting viruses, spyware etc.!



Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.



Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Go here and download the latest version of Java. Once downloaded, go to Add/Remove and uninstall all previous versions of Java from Add/Remove, and then install the latest version you just downloaded!


http://java.com/en/download/manual.jsp

http://www.majorgeeks.com/download.php?det=4648

· Please post the contents of C:\vundofix.txt and a new HiJackThis log.



Post another log and the AVG Anti-Spyware log!
 

neuronjockey

Thread Starter
Joined
Jan 21, 2006
Messages
128
I tried to install Comodo firewall but it wouldn't install. I'm downloading another copy. Will I be able to run eMule and uTorrent with Comodo running? Configuring ports can be a pain in the buttsky. Also, I just downloaded AVG Anti-Spyware from Ewido and installed it. It was supposed to be a free 30-day trial of the full-featured version, but when I went to configure the Reports tab, the window said "Reports not Available". Help!

Neuronjockey
 
Joined
Feb 15, 2004
Messages
12,302
You can post at the Wilders forum about configuring Comodo for that. AVG is a free program; after the 30-day trial expires it can be run as a limited free program!
 

neuronjockey

Thread Starter
Joined
Jan 21, 2006
Messages
128
khazars said:
You can post at the Wilders forum about configuring Comodo for that. AVG is a free program; after the 30-day trial expires it can be run as a limited free program!
The problem with AVG's 30-day trial period is that it wasn't full-featured during the trial! I tried to access the Reports page and the Reports window had a message: "No Reports Available", which I assume to mean that I wouldn't be able to generate a report and post it here. I got the program off Ewido's website and the website said it was full-featured for 30 days, but it wasn't. Do you have a work-around for this?

Neuronjockey
 

neuronjockey

Thread Starter
Joined
Jan 21, 2006
Messages
128
Turns out that after AVG Anti-Spyware does the scan you get to save the log file. I have it below with the latest HJT log:
=====

NORMAL MODE

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:56:34 AM 1/27/2007

+ Scan result:



Nothing found.



::Report end



=====



SAFE MODE


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:26:21 AM 1/27/2007

+ Scan result:



Nothing found.



::Report end


=====

Logfile of HijackThis v1.99.1
Scan saved at 12:22:10 PM, on 1/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC63AA3F-DFA4-44FB-ADED-CF86534AA2D5}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 
Joined
Feb 15, 2004
Messages
12,302
Download the Hoster from:

www.funkytoad.com/download/hoster.zip

Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.




Click Start > Run > and type in:

services.msc

Click OK.

In the Services window find Windows Host Services (DLLHOST32). Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service, look in the top left of the main Services window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.




Have HijackThis fix these entries. Close all browsers and programmes before clicking Fix.



O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)


Clean log!



You should now turn off System Restore to flush out the bad restore points, then re-enable it and make a new clean restore point.


How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




Here are some free tools to keep you from getting infected in the future.


To stop reinfection, get SpywareBlaster from


http://www.javacoolsoftware.com/downloads.html


Get the hosts file from here. Unzip it to a folder!



http://www.mvps.org/winhelp2002/hosts.htm


Put it into the folder below, or click the mvps .bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



IE-SpyAd. Puts over 5000 sites in your Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.spywarewarrior.com/uiuc/resource.htm


Spyware Terminator

http://www.spywareterminator.com/dnl/landing.aspx


In Spyware Terminator, click Real Time Protection, tick the box to use real time protection, and tick all the boxes except File Exceptions Shield. If you're confident in using its advanced feature, click Advanced and tick the HIPS box.

If you want to install and uninstall programs it is best to temporarily disable Spyware Terminator and then re-enable it after you have installed or uninstalled a program, as it will create a lot of pop-ups asking whether you wish this to happen!

Right-click Spyware Terminator on the bottom right of your status bar and choose Exit. Then tick the box and that is Spyware Terminator disabled!



Use Spybot's Immunize button and use SpywareBlaster's Enable Protection once you update it. You can put Spybot's hosts file into your own and lock it.



I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good e-mail client.

http://www.mozilla.org/


Another good and free browser is Opera!

http://www.opera.com/


Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html


A good overall guide for firewalls, anti-virus, and anti-trojans as well as regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm



You can mark your own thread solved through Thread Tools at the top of the page.
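The O23 line the helper asks HijackThis to fix above (a service called "Windows Host Services" with "Unknown owner", pointing at C:\WINNT\system\dllhost.exe and marked "(file missing)") can be triaged mechanically rather than by eye. What follows is an added example written for this page; it is not part of the thread and not HijackThis code. It parses HijackThis O23 service lines and flags the three signals visible in that entry: a missing binary, no publisher in the version resource, and a core Windows binary name sitting outside %SystemRoot%\System32 (the genuine dllhost.exe lives there). The sample lines are the O23 entries from the HijackThis log posted above; the system root C:\WINNT and the list of system binary names are assumptions of the example, chosen to match a Windows 2000 box like the poster's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O23 lines have the shape:
#   O23 - Service: <display name> (<short name>) - <owner> - <path> [ (file missing)]
# The "(short name)" and the "(file missing)" suffix are both optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption of this example: names of core Windows binaries whose genuine copy
# lives in %SystemRoot%\System32. A same-named file anywhere else is worth a look.
SYSTEM_BINARIES = {
    "dllhost.exe", "svchost.exe", "lsass.exe", "services.exe",
    "csrss.exe", "winlogon.exe", "spoolsv.exe", "smss.exe",
}


@dataclass
class O23Entry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    entry: O23Entry
    reasons: List[str]


def parse_o23(line: str) -> Optional[O23Entry]:
    """Return the parsed service entry, or None for any non-O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return O23Entry(
        display=m.group("display"),
        short=m.group("short"),
        owner=m.group("owner"),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
    )


def suspicious_reasons(entry: O23Entry, system_root: str = r"C:\WINNT") -> List[str]:
    """Heuristics a helper applies by eye when reading an O23 line."""
    reasons: List[str] = []
    if entry.file_missing:
        reasons.append("binary missing: orphaned service entry left behind by a removal")
    if entry.owner.lower() == "unknown owner":
        reasons.append("no publisher information in the file's version resource")
    path = entry.path.lower()
    name = path.rsplit("\\", 1)[-1]
    sys32 = (system_root + "\\system32\\").lower()
    if name in SYSTEM_BINARIES and not path.startswith(sys32):
        reasons.append(f"{name} outside {system_root}\\System32, where the real copy lives")
    return reasons


def triage_o23(lines, system_root: str = r"C:\WINNT") -> List[Finding]:
    """Parse every O23 line and return the flagged ones, most reasons first."""
    findings = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry, system_root)
        if reasons:
            findings.append(Finding(entry, reasons))
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


# Sample input: the O23 entries from the HijackThis log posted in this thread.
SAMPLE_O23 = [
    r"O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
    r"O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe",
    r"O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)",
    r"O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe",
    r"O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe",
    r"O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe",
]

if __name__ == "__main__":
    for f in triage_o23(SAMPLE_O23):
        label = f.entry.short or f.entry.display
        print(f"{label}: {f.entry.path}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the sample, only the DLLHOST32 entry comes back, with all three reasons; the seven legitimate services are silent. The "(file missing)" flag also explains the helper's note that stopping the service in services.msc may throw an error: the service record exists, but the executable it names is already gone, so the registration is what is left to clean up.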
 