
Solved: Trojan horse problems :(

Discussion in 'Virus & Other Malware Removal' started by crykey, Jan 8, 2006.

  1. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    Hi there

    I am a bit of a "technophobe" - I have no idea what to do. I have recently had Windows XP installed and since then have had nothing but trouble with several Trojan horse viruses. As I am just a beginner I am not sure what to do. I have AVG, which runs, but the problem I am having at the moment is that as soon as I log onto my PC it automatically dials up the internet connection. Is this part of the virus?

    I downloaded the "HJTsetup.exe" and this is the log it came up with:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:40:47 a.m., on 9/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\mcafeeWALLX.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
    O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
    O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
    O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Please help....

    Cheers

    Crykey
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HJT – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll

    O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe

    O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE

    O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe

    O16 - DPF: Win32 Classes -

    O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\wvuuu.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
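The selection above can be reproduced mechanically. What follows is an added example, not code from this thread or from HijackThis: a small Python triage of the log posted in the first message, using deliberately narrow rules (an unnamed O2 BHO, especially one whose DLL is also an O20 Winlogon Notify package; an O4 autostart whose file name mimics a Windows process name or has no path at all; an O4 autostart running from a temp directory; an O16 DPF entry with no download URL). The allow lists are my assumptions about a default XP install, and everything flagged is a candidate for a human look, not a verdict.

```python
"""Heuristic triage of a HijackThis 1.99.x log (added example, not HijackThis code).

Rules are narrow on purpose: they surface the entries a helper would tell the
poster to fix and leave the vendor entries (AVG, HP, PCTools) alone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names that malware borrows for camouflage (svhostcs32.exe in the log).
LOOKALIKE_TOKENS = ("svchost", "svhost", "scvhost", "lsass", "csrss", "winlogon")
REAL_NAMES = {t + ".exe" for t in LOOKALIKE_TOKENS}
# Assumption: these XP autostarts legitimately appear as a bare file name.
BARE_NAME_ALLOW = {"systray.exe", "ctfmon.exe"}
# Assumption: the Winlogon Notify packages a default Windows XP ships with.
NOTIFY_ALLOW = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<rest>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O16 - DPF: Win32 Classes -
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
"""


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def executable_of(cmd: str) -> str:
    """Program part of a Run-key command line.  rundll32.exe is a trusted host,
    so for it the DLL argument is what gets inspected instead."""
    cmd = cmd.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if basename(exe) == "rundll32.exe" and " " in cmd:
        exe = cmd.split(" ", 1)[1].split(",", 1)[0].strip().strip('"')
    return exe


def check_o4(exe: str) -> str | None:
    name = basename(exe)
    if any(t in name for t in LOOKALIKE_TOKENS) and name not in REAL_NAMES:
        return f"{name} mimics a Windows process name"
    if "\\" not in exe and name not in BARE_NAME_ALLOW:
        return f"bare file name {name}: resolved via PATH, origin unknown"
    if "\\temp\\" in exe.lower():
        return "autostart from a temp directory (IXP000.TMP is an IExpress extraction dir)"
    return None


def triage(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    notify_dlls = set()
    for ln in lines:
        if m := O20_RE.match(ln):
            notify_dlls.add(basename(m["path"]))
    out: list[Finding] = []
    for ln in lines:
        if m := O2_RE.match(ln):
            if m["name"].strip().lower() == "(no name)":
                why = "unnamed BHO"
                if basename(m["path"]) in notify_dlls:
                    why += "; its DLL is also a Winlogon Notify package, so winlogon.exe holds it open"
                out.append(Finding(ln, why))
        elif m := O4_RE.match(ln):
            if why := check_o4(executable_of(m["cmd"])):
                out.append(Finding(ln, why))
        elif m := O16_RE.match(ln):
            if "http" not in m["rest"].lower():
                out.append(Finding(ln, "DPF entry with no download URL"))
        elif m := O20_RE.match(ln):
            if m["name"].lower() not in NOTIFY_ALLOW:
                out.append(Finding(ln, "Winlogon Notify package outside the XP default set"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On this log the rules flag exactly the six entries listed in the reply above and nothing else; the rundll32 line is judged by its DLL argument rather than by the bare host name. The pairing of an unnamed O2 BHO with an O20 Winlogon Notify entry is also the reason the DLL resists deletion from a normal session: winlogon.exe loads Notify packages at logon, so the file is in use before the desktop appears.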
     
  3. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    Hi there - thanks so much for your help

    I did what you recommended...when I went to KillBox to delete the file, it came up "file could not be deleted". However (and I've probably made a major mistake here...sorry in advance), I still went in and deleted everything from the Windows temp folder. I emptied the recycle bin and, subsequently, the following is the log you requested:

    NB: please keep in mind that I am not that computer literate and therefore any mistakes I make are not intentional!!! :eek:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:38:07 a.m., on 9/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\mcafeeWALLX.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
    O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


    Look forward to your further assistance. Just to note that as soon as I restarted the computer, the automatic internet connection still went ahead.

    Cheers


    Crykey
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Was afraid that might be the case - we need to do the following

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this (screenshot not reproduced here)
    • At this point press enter one time.
    • Next you will see a prompt for a file path (screenshot not reproduced here):
    • At this point please type the following file path (make sure to enter it exactly as below!):
      • C:\WINDOWS\system32\wvuuu.dll
    • Press Enter,
    • Next you will see a second prompt for a file path (screenshot not reproduced here):
    • At this point please type the following file path (make sure to enter it exactly as below!):
      • C:\WINDOWS\system32\uuuvw.*
      If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

    • The fix will run then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:

      • O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll

        O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    • Once your machine reboots please continue with the instructions below.

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
     
  5. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    Hi there...thanks again for your continuing help in this matter....here are following results:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:34:49 a.m., on 9/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
    O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    ***I will post the activescan details in another message as it will not post with this included (too many characters!)
    and this is the vundofix.txt folder:

    VundoFix V2.15 by Atri
    --------------------------------------------------------------------------------------

    Listing files contained in the vundofix folder.
    --------------------------------------------------------------------------------------

    ReadMe.txt
    killvundo.bat
    process.exe
    vundo.reg
    vundofix.txt

    --------------------------------------------------------------------------------------

    Filepaths entered
    --------------------------------------------------------------------------------------

    The filepath entered was C:\WINDOWS\system32uuuvw.*

    The second filepath entered was

    --------------------------------------------------------------------------------------

    Log from Process
    --------------------------------------------------------------------------------------


    Killing PID 140 'smss.exe'

    Killing PID 708 'explorer.exe'
    Killing PID 708 'explorer.exe'
    Killing PID 708 'explorer.exe'


    Killing PID 216 'winlogon.exe'
    --------------------------------------------------------------------------------------

    C:\WINDOWS\system32uuuvw.* Deleted sucessfully.

    Fixing Registry
    --------------------------------------------------------------------------------------



    ***I followed all of your instructions...the ActiveScan took quite some time. The only problem I encountered was in your instructions in HijackThis: you asked to check the following items, and you named 2, but the first one:

    O2 - BHO: (no name)...etc. was not on the list.

    I trust this helps
     
  6. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    and here are the active scan results....

    here are the results from active scan:

    Incident Status Location

    Virus:Bck/Sdbot.GBN Disinfected Operating system
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvuuu.dll
    Spyware:spyware/virtumonde Not disinfected Windows Registry
    Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/X10 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Spyware/Virtumonde Not disinfected C:\FOUND.001\FILE0000.CHK
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q38FWH6J\raser[1].zip
    Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
    Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP2024
    Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP1764
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ssqqo.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wvuuu.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\qopqn.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jkhii.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cbawx.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hgdaw.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\efeba.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sstss.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\byvwu.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\khhef.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\khfca.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Hijackthis\backups\backup-20060109-061543-993.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\GXQROPA3\raser[1].zip
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\us\Desktop\VundoFix\VundoFix\process.exe
    Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/X10 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
    Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\WVUUU.DLL

    look forward to hearing from you

    thanks


    crykey
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
    · Install ewido.
    · During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    · Launch ewido
    · It will prompt you to update click the OK button and it will go to the main screen
    · On the left side of the main screen click update
    · Click on Start and let it update.
    · DO NOT run a scan yet. You will do that later in safe mode.

    Restart your computer into safe mode now. Perform the following steps in safe mode:
    (Start tapping F8 at the first black screen after power up)

    Run Ewido:
    · Click on scanner
    · Click Complete System Scan and the scan will begin.
    · During the scan it will prompt you to clean files, click OK
    · When the scan is finished, look at the bottom of the screen and click the Save report button.
    · Save the report to your C: Drive
    This will take some time to run!
    Boot to normal mode
    Post that log and a new HiJack log
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Do this also link at the bottom

    Adware-Virtumundo Removal Tool v1.2 (Associated with WinFixer Popups)

    Note: This tool does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.

    If Virtumundo is not found, the tool will exit showing the log file.

    If Virtumundo is found it will do the following:
    Version 1.1
    Create a Date/Time Stamped log file (VBG.TXT) on the All Users profile's Desktop.
    Kill Internet Explorer and Explorer processes.
    Rename the infected files with a .Vir extension (this disables them from being run)
    Remove the Browser Helper Object registry key
    Adds a registry value to block the file from running in Internet Explorer again.
    Remove the Winlogon Notify registry key
    Automatically restart the computer (via STOP error)
    Note: This is a BLUE SCREEN "Fatal Error" Message. It is normal and expected. The tool ends an important Windows Process that was protecting the file and NT Security STOPS the system as soon as it detects this is happening.


    VirusScan will now be able to remove the files normally when you run an on-demand scan.

    Download Link -> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
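The VundoFix steps in message 4 and the VirtumundoBeGone description above come down to the same registry and file operations: drop the BHO registration and its CLSID, drop the Winlogon Notify subkey, set IE's ActiveX kill bit for the CLSID, and disable the DLL by renaming it rather than deleting it. As an added example (not the code of either tool), the Python below writes those operations out as a .reg file plus a rename plan for the entries seen in this thread. The key paths are the standard Windows XP locations; the CLSID and subkey-name validation is a precaution I added, since a stray `]` or newline in those fields would change what regedit does with the file.

```python
"""Removal plan for a Vundo-style BHO, as an added example (not VundoFix or
VirtumundoBeGone code).  Produces a .reg file and a rename plan; nothing here
touches a live registry or file system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.IGNORECASE)
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
KILL_BIT = 0x400  # IE "Compatibility Flags" value that stops a CLSID from loading

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
ACTIVEX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass(frozen=True)
class VundoInfection:
    clsid: str        # BHO CLSID, e.g. {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
    dll_path: str     # e.g. C:\WINDOWS\system32\wvuuu.dll
    notify_name: str  # Winlogon\Notify subkey, e.g. wvuuu

    def validate(self) -> None:
        # Refuse anything that is not a plain CLSID / key name: regedit parses
        # the bracketed headers, so odd characters here would alter the import.
        if not CLSID_RE.match(self.clsid):
            raise ValueError(f"not a CLSID: {self.clsid!r}")
        if not NAME_RE.match(self.notify_name):
            raise ValueError(f"bad Notify subkey name: {self.notify_name!r}")


def removal_reg(inf: VundoInfection) -> str:
    """Text of a .reg file: a '[-KEY]' header deletes the key, '[KEY]' creates it."""
    inf.validate()
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in (f"{BHO_KEY}\\{inf.clsid}", f"{CLSID_KEY}\\{inf.clsid}",
                f"{NOTIFY_KEY}\\{inf.notify_name}"):
        lines += [f"[-{key}]", ""]
    # Kill bit: even if the DLL is re-registered, IE will not instantiate the CLSID.
    lines += [f"[{ACTIVEX_KEY}\\{inf.clsid}]",
              f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(lines)


def rename_plan(inf: VundoInfection) -> list[tuple[str, str]]:
    """Rename, don't delete: the sample survives for analysis and can be restored."""
    return [(inf.dll_path, inf.dll_path + ".vir")]


def companion_pattern(inf: VundoInfection) -> str:
    """Vundo keeps a twin under the reversed stem (wvuuu -> uuuvw); this is the
    wildcard the VundoFix step in this thread asks for."""
    folder, file = inf.dll_path.rsplit("\\", 1)
    stem = file.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"


if __name__ == "__main__":
    inf = VundoInfection("{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}",
                         r"C:\WINDOWS\system32\wvuuu.dll", "wvuuu")
    print(removal_reg(inf))
    for src, dst in rename_plan(inf):
        print(f"ren {src} -> {dst}")
    print(f"also rename/remove: {companion_pattern(inf)}")
```

Import the file (regedit /s removal.reg) and reboot before doing the renames: a DLL registered as a Winlogon Notify package is mapped into winlogon.exe from logon onward, which is why both tools above end by terminating winlogon and forcing a STOP error rather than deleting the file in place. Once the Notify subkey is gone, the next boot no longer loads the DLL and an ordinary rename succeeds.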
     
  9. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    Thanks for your previous 2 messages...I have run the items as suggested (well...to the best of my knowledge I have done it correctly!!)

    and I will post the adware-virtumundo, hijack log and ewido report individually - as follows:


    [01/09/2006, 15:08:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\us\Desktop\VirtumundoBeGone.exe" )
    [01/09/2006, 15:08:43] - Detected System Information:
    [01/09/2006, 15:08:43] - Windows Version: 5.1.2600,
    [01/09/2006, 15:08:43] - Current Username: us (Admin)
    [01/09/2006, 15:08:43] - Windows is in NORMAL mode.
    [01/09/2006, 15:08:43] - Searching for Browser Helper Objects:
    [01/09/2006, 15:08:43] - BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} ()
    [01/09/2006, 15:08:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/09/2006, 15:08:43] - Checking for HKLM\...\Winlogon\Notify\wvuuu
    [01/09/2006, 15:08:43] - Found: HKLM\...\Winlogon\Notify\wvuuu - This is probably Virtumundo.
    [01/09/2006, 15:08:43] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
    [01/09/2006, 15:08:43] - BHO list has been changed! Starting over...
    [01/09/2006, 15:08:43] - BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} (MSEvents Object)
    [01/09/2006, 15:08:43] - ALERT: Found MSEvents Object!
    [01/09/2006, 15:08:43] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
    [01/09/2006, 15:08:43] - BHO 3: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
    [01/09/2006, 15:08:43] - Finished Searching Browser Helper Objects
    [01/09/2006, 15:08:43] - *** Detected MSEvents Object
    [01/09/2006, 15:08:43] - Trying to remove MSEvents Object...
    [01/09/2006, 15:08:44] - Terminating Process: IEXPLORE.EXE
    [01/09/2006, 15:08:45] - Terminating Process: RUNDLL32.EXE
    [01/09/2006, 15:08:45] - Disabling Automatic Shell Restart
    [01/09/2006, 15:08:45] - Terminating Process: EXPLORER.EXE
    [01/09/2006, 15:08:46] - Suspending the NT Session Manager System Service
    [01/09/2006, 15:08:46] - Terminating Windows NT Logon/Logoff Manager
    [01/09/2006, 15:08:47] - Re-enabling Automatic Shell Restart
    [01/09/2006, 15:08:47] - File to disable: C:\WINDOWS\system32\wvuuu.dll
    [01/09/2006, 15:08:47] - Renaming C:\WINDOWS\system32\wvuuu.dll -> C:\WINDOWS\system32\wvuuu.dll.vir
    [01/09/2006, 15:08:48] - File successfully renamed!
    [01/09/2006, 15:08:48] - Removing HKLM\...\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
    [01/09/2006, 15:08:48] - Removing HKCR\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
    [01/09/2006, 15:08:48] - Adding Kill Bit for ActiveX for GUID: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
    [01/09/2006, 15:08:49] - Deleting ATLEvents/MSEvents Registry entries
    [01/09/2006, 15:08:49] - Removing HKLM\...\Winlogon\Notify\wvuuu
    [01/09/2006, 15:08:50] - Searching for Browser Helper Objects:
    [01/09/2006, 15:08:50] - BHO 1: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
    [01/09/2006, 15:08:50] - BHO 2: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
    [01/09/2006, 15:08:50] - Finished Searching Browser Helper Objects
    [01/09/2006, 15:08:50] - Finishing up...
    [01/09/2006, 15:08:50] - A restart is needed.
    [01/09/2006, 15:08:59] - Attempting to Restart via STOP error (Blue Screen!)
     
  10. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    part 2 of the message...
    this is the hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:18:21 p.m., on 9/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     
  11. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    page 3 of 3....

    this is the ewido report:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 2:56:22 p.m., 9/01/2006
    + Report-Checksum: BB5F1FCD

    + Scan result:

    [216] C:\WINDOWS\system32\wvuuu.dll -> Downloader.ConHook.v : Cleaned with backup
    [704] C:\WINDOWS\system32\wvuuu.dll -> Downloader.ConHook.v : Cleaned with backup
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q38FWH6J\raser[1].zip -> Downloader.ConHook.n : Cleaned with backup
    C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\GXQROPA3\dollar[1].zip -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.X10 : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][3].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\us\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\98J9FTPK\cash[1].exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\98J9FTPK\cash[1].exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005292.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005292.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005302.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005302.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006300.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006300.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006346.EXE -> Spyware.Background : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006381.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006381.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006388.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006388.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006395.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006395.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0008448.exe -> Backdoor.SdBot.xd : Cleaned with backup
    C:\cash09854ksa.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\cash09854ksa.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\cahs.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\cahs.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup


    ::Report End




    I hope this helps....let me know what else I need to do...thanks so much for your continuing guidance:)

    Cheers


    Crykey
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HJT – mark them, close IE, click fix checked

    O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\jbi32.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  13. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    :( Hi there

    I followed your instructions and deleted C:\WINDOWS\System32\jbi32.dll successfully;
    however, when I went to delete everything in the temp folder as instructed, there was nothing to delete.

    Anyway, have posted the log as requested:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:53:24 a.m., on 10/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
    O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
    O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



    I hope this helps...:)


    Cheers


    Crykey
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Now you have something new!!!!!!!

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
      • C:\WINDOWS\System32\awvtq.dll
    • Press Enter.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
      • C:\WINDOWS\system32\qtvwa.*
      If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

    • The fix will run then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:

      • O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll

        O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll

        O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll

        O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please continue with the instructions below.

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
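The fixes in posts 12 and 14 are done by hand: the helper reads the O2, O4 and O20 lines of the HijackThis log, spots the unnamed BHOs, the random-named DLLs under System32 that are hooked into Winlogon Notify, and the DLL started through rundll32 at logon, and then lists those entries for removal. As an added example (not code from this thread, from HijackThis or from VundoFix), the following Python script applies the same reading rules to a constructed subset of the log lines posted above, so the reasoning behind the helper's picks is explicit and repeatable. The allow-list of Winlogon Notify packages and the heuristic names are assumptions made for this example, not an authoritative list.

```python
"""Triage of HijackThis-style log entries (added example, not HijackThis's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a subset of the entries posted in this thread, in the
# same "Oxx - ..." format that HijackThis writes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path in an entry; non-greedy so "...\avgcc.exe /STARTUP" stops at the .exe.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)

# Illustrative allow-list of Winlogon Notify packages that ship with Windows XP.
# Assumption made for this example; a real triage would use a maintained list.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Entry:
    section: str            # e.g. "O2", "O20"
    body: str               # everything after "Oxx - "
    path: Optional[str]     # first file path found in the body, if any


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the process list and blank lines are skipped
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, p.group(0) if p else None))
    return entries


def _basename_no_ext(path: str) -> str:
    # Split on backslash by hand so this also works when run on a non-Windows host.
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the reading rules a helper uses on O2/O4/O20/O23 lines."""
    findings: List[Finding] = []
    sections_by_path: Dict[str, Set[str]] = {}

    for e in entries:
        if e.path:
            sections_by_path.setdefault(e.path.lower(), set()).add(e.section)

        if "(file missing)" in e.body:
            findings.append(Finding(e.section, e.path, "stale entry: target file missing"))
            continue
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            findings.append(Finding(e.section, e.path, "unnamed browser helper object"))
        if e.section == "O20" and e.path and _basename_no_ext(e.path) not in KNOWN_NOTIFY:
            findings.append(Finding(e.section, e.path, "Winlogon Notify DLL not in allow-list"))
        if (e.section == "O4" and e.path and e.path.lower().endswith(".dll")
                and re.search(r"\brundll32(?:\.exe)?\b", e.body, re.IGNORECASE)):
            findings.append(Finding(e.section, e.path, "DLL loaded through rundll32 at logon"))

    # Cross-check: one DLL registered both as a BHO (O2) and as a Winlogon Notify
    # package (O20) is exactly the awvtq.dll / vtuvt.dll pattern in this thread.
    for path, secs in sections_by_path.items():
        if {"O2", "O20"} <= secs:
            findings.append(Finding("O2+O20", path, "same DLL is a BHO and a Winlogon Notify package"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section:7} {f.reason:50} {f.path}")
```

Run on the sample, the script flags awvtq.dll and vtuvt.dll (each by the O20 rule and again by the O2+O20 cross-check), jbi32.dll (rundll32 at logon) and the missing mcafeeWALLX.exe, and leaves the AVG and PC Tools entries alone, which matches the items the helper asked to have fixed. The "(file missing)" rule deliberately comes first: an entry whose file is gone is a leftover to clean up, not a live threat, so it is reported once and not matched against the other rules.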
     
  15. crykey

    crykey Thread Starter

    Joined:
    Jan 8, 2006
    Messages:
    19
    Hi there...

    I will post all 3 results individually - here are the hijackthis log results:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:25 a.m., on 10/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
    O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll (file missing)
    O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     
Short URL to this thread: https://techguy.org/432238