Solved: Trojan horse problems :(


crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
Hi there

I am a bit of a "technophobe" - I have no idea what to do. I have recently had Windows XP installed and since then have had nothing but trouble with several Trojan Horse viruses. As I am just a beginner I am not sure what to do. I have AVG, which runs, but the problem I am having at the moment is that as soon as I log onto my PC it automatically dials up the internet connection. Is this part of the virus?

I downloaded the "HJTsetup.exe" and this is the log it came up with:

Logfile of HijackThis v1.99.1
Scan saved at 5:40:47 a.m., on 9/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\mcafeeWALLX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Please help....

Cheers

Crykey
 
Joined
Sep 7, 2004
Messages
49,014
Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll

O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe

O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE

O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe

O16 - DPF: Win32 Classes -

O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\wvuuu.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
Hi there - thanks so much for your help

I did what you recommended...when I went to Killbox to delete the file, it came up "file could not be deleted". However (and I've probably made a major mistake here...sorry in advance), I still went in and deleted everything from the Windows temp folder. I emptied the recycle bin and subsequently, the following is the log you requested:

NB: please keep in mind that I am not that computer literate and therefore any mistakes I make are not intentional!!! :eek:

Logfile of HijackThis v1.99.1
Scan saved at 6:38:07 a.m., on 9/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\mcafeeWALLX.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Look forward to your further assistance. Just to note that as soon as I restarted the computer, the automatic internet connection still went ahead.

Cheers


Crykey
 
Joined
Sep 7, 2004
Messages
49,014
Was afraid that might be the case - we need to do the following

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this
    VundoFix V2.15 by Atri
    By pressing enter you agree that you are using this at your own risk
  • At this point press enter one time.
  • Next you will see:
    Type in the filepath as instructed by the forum staff
    Then Press Enter
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\wvuuu.dll
  • Press Enter,
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter,
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\uuuvw.*
    If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    • O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
    • O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
Hi there...thanks again for your continuing help in this matter....here are the following results:

Logfile of HijackThis v1.99.1
Scan saved at 8:34:49 a.m., on 9/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

***I will post the activescan details in another message as it will not post with this included (too many characters!)
and this is the vundofix.txt folder:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

ReadMe.txt
killvundo.bat
process.exe
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32uuuvw.*

The second filepath entered was

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 140 'smss.exe'

Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'


Killing PID 216 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32uuuvw.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



***I followed all of your instructions...the ActiveScan took quite some time. The only problem I encountered was in your instructions in HijackThis: you asked to check the following items and you named 2, but the first one:

O2 - BHO: (no name)...etc. was not on the list.

I trust this helps
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
and here are the active scan results....

here are the results from active scan:

Incident Status Location

Virus:Bck/Sdbot.GBN Disinfected Operating system
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvuuu.dll
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/X10 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\us\Cookies\[email protected]2o7[1] (1).txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\FOUND.001\FILE0000.CHK
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q38FWH6J\raser[1].zip
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP2024
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP1764
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ssqqo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wvuuu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\qopqn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jkhii.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cbawx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hgdaw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\efeba.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sstss.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\byvwu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\khhef.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\khfca.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Hijackthis\backups\backup-20060109-061543-993.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\GXQROPA3\raser[1].zip
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\us\Desktop\VundoFix\VundoFix\process.exe
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/X10 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\us\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\us\Cookies\[email protected][3].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\us\Cookies\[email protected][1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\WVUUU.DLL

look forward to hearing from you

thanks


crykey
 
Joined
Sep 7, 2004
Messages
49,014
Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update; click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
 
Joined
Sep 7, 2004
Messages
49,014
Do this also; the link is at the bottom.

Adware-Virtumundo Removal Tool v1.2 (Associated with WinFixer Popups)

Note: This tool does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.

If Virtumundo is not found, the tool will exit showing the log file.

If Virtumundo is found it will do the following:
Version 1.1
Create a Date/Time Stamped log file (VBG.TXT) on the All Users profile's Desktop.
Kill Internet Explorer and Explorer processes.
Rename the infected files with a .Vir extension (this disables them from being run)
Remove the Browser Helper Object registry key
Adds a registry value to block file from running in Internet Explorer again.
Remove the Winlogon Notify registry key
Automatically restart the computer (via STOP error)
Note: This is a BLUE SCREEN "Fatal Error" Message. It is normal and expected. The tool ends an important Windows Process that was protecting the file and NT Security STOPS the system as soon as it detects this is happening.


VirusScan will now be able to remove the files normally when you run an on-demand scan.

Download Link -> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
Thanks for your previous 2 messages...I have run the items as suggested (well...to the best of my knowledge I have done it correctly!!)

and I will post the adware-virtumundo, hijack log and ewido report individually - as follows:


[01/09/2006, 15:08:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\us\Desktop\VirtumundoBeGone.exe" )
[01/09/2006, 15:08:43] - Detected System Information:
[01/09/2006, 15:08:43] - Windows Version: 5.1.2600,
[01/09/2006, 15:08:43] - Current Username: us (Admin)
[01/09/2006, 15:08:43] - Windows is in NORMAL mode.
[01/09/2006, 15:08:43] - Searching for Browser Helper Objects:
[01/09/2006, 15:08:43] - BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} ()
[01/09/2006, 15:08:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/09/2006, 15:08:43] - Checking for HKLM\...\Winlogon\Notify\wvuuu
[01/09/2006, 15:08:43] - Found: HKLM\...\Winlogon\Notify\wvuuu - This is probably Virtumundo.
[01/09/2006, 15:08:43] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[01/09/2006, 15:08:43] - BHO list has been changed! Starting over...
[01/09/2006, 15:08:43] - BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} (MSEvents Object)
[01/09/2006, 15:08:43] - ALERT: Found MSEvents Object!
[01/09/2006, 15:08:43] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/09/2006, 15:08:43] - BHO 3: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/09/2006, 15:08:43] - Finished Searching Browser Helper Objects
[01/09/2006, 15:08:43] - *** Detected MSEvents Object
[01/09/2006, 15:08:43] - Trying to remove MSEvents Object...
[01/09/2006, 15:08:44] - Terminating Process: IEXPLORE.EXE
[01/09/2006, 15:08:45] - Terminating Process: RUNDLL32.EXE
[01/09/2006, 15:08:45] - Disabling Automatic Shell Restart
[01/09/2006, 15:08:45] - Terminating Process: EXPLORER.EXE
[01/09/2006, 15:08:46] - Suspending the NT Session Manager System Service
[01/09/2006, 15:08:46] - Terminating Windows NT Logon/Logoff Manager
[01/09/2006, 15:08:47] - Re-enabling Automatic Shell Restart
[01/09/2006, 15:08:47] - File to disable: C:\WINDOWS\system32\wvuuu.dll
[01/09/2006, 15:08:47] - Renaming C:\WINDOWS\system32\wvuuu.dll -> C:\WINDOWS\system32\wvuuu.dll.vir
[01/09/2006, 15:08:48] - File successfully renamed!
[01/09/2006, 15:08:48] - Removing HKLM\...\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[01/09/2006, 15:08:48] - Removing HKCR\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[01/09/2006, 15:08:48] - Adding Kill Bit for ActiveX for GUID: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[01/09/2006, 15:08:49] - Deleting ATLEvents/MSEvents Registry entries
[01/09/2006, 15:08:49] - Removing HKLM\...\Winlogon\Notify\wvuuu
[01/09/2006, 15:08:50] - Searching for Browser Helper Objects:
[01/09/2006, 15:08:50] - BHO 1: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/09/2006, 15:08:50] - BHO 2: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/09/2006, 15:08:50] - Finished Searching Browser Helper Objects
[01/09/2006, 15:08:50] - Finishing up...
[01/09/2006, 15:08:50] - A restart is needed.
[01/09/2006, 15:08:59] - Attempting to Restart via STOP error (Blue Screen!)
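The correlation the VirtumundoBeGone log above walks through (a BHO with no name whose DLL is also registered under Winlogon Notify), together with the plain-sight checks behind the entries picked out of the first HijackThis log (a Run value launched from a temp folder, or one whose file name imitates a Windows system process), as an added Python example that is not from the thread, HijackThis or VirtumundoBeGone. The sample log excerpt is taken from the first log posted above; the look-alike table and the temp-folder markers are constructed.

```python
"""Triage the O2, O4 and O20 sections of a HijackThis log for the Vundo pattern."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name path raw")          # one parsed HJT line
VundoPair = namedtuple("VundoPair", "dll bho_raw notify_raw")
Flag = namedtuple("Flag", "image reason raw")

# Line shapes as HijackThis 1.99 prints them (only the sections used here).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATTERNS = (("O2", O2_RE), ("O20", O20_RE), ("O4", O4_RE))

# Constructed look-alike table: file names chosen to pass for a system process.
# svhostcs32.exe is the one that appeared in the first log of the thread.
LOOKALIKES = {"svhostcs32.exe": "svchost.exe"}
# Constructed list of path fragments that mark a scratch directory.
TEMP_MARKERS = ("\\TEMP\\", "\\TMP\\", "\\TEMPORARY INTERNET FILES\\")


def image_of(command):
    """Return the executable a Run command launches, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def parse(log_text):
    """Parse the O2, O4 and O20 lines of a HijackThis log into Entry records."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.match(raw)
            if m:
                path = image_of(m["cmd"]) if kind == "O4" else m["path"]
                entries.append(Entry(kind, m["name"], path, raw))
                break
    return entries


def find_vundo_pairs(entries):
    """A nameless BHO whose DLL is also a Winlogon Notify package.  Either half
    alone is unremarkable; the pair is why a plain file deletion fails, since
    winlogon holds the DLL open and the BHO key re-registers it."""
    notify_by_name = {e.name.lower(): e for e in entries if e.kind == "O20"}
    pairs = []
    for e in entries:
        if e.kind != "O2" or e.name.strip() != "(no name)":
            continue
        dll = basename(e.path).lower()
        notify = notify_by_name.get(dll.rsplit(".", 1)[0])
        if notify and basename(notify.path).lower() == dll:
            pairs.append(VundoPair(e.path, e.raw, notify.raw))
    return pairs


def suspicious_run_entries(entries):
    """Run/RunServices values launched from a temp folder or named after a
    system binary; benign entries with a proper install path are passed over."""
    flags = []
    for e in entries:
        if e.kind != "O4":
            continue
        image = basename(e.path).lower()
        if image in LOOKALIKES:
            flags.append(Flag(image, "imitates %s" % LOOKALIKES[image], e.raw))
        elif any(marker in e.path.upper() for marker in TEMP_MARKERS):
            flags.append(Flag(image, "launched from a temp folder", e.raw))
    return flags


# Excerpt of the first log posted in the thread; benign entries are kept so the
# checks have something to pass over.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\wvuuu.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O20 - Winlogon Notify: wvuuu - C:\WINDOWS\SYSTEM32\wvuuu.dll
"""

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for pair in find_vundo_pairs(parsed):
        print("Vundo pair:", pair.dll)
    for flag in suspicious_run_entries(parsed):
        print("Suspicious Run entry (%s): %s" % (flag.reason, flag.raw))
```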
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
part 2 of the message...
this is the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:21 p.m., on 9/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
page 3 of 3....

this is the ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:56:22 p.m., 9/01/2006
+ Report-Checksum: BB5F1FCD

+ Scan result:

[216] C:\WINDOWS\system32\wvuuu.dll -> Downloader.ConHook.v : Cleaned with backup
[704] C:\WINDOWS\system32\wvuuu.dll -> Downloader.ConHook.v : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q38FWH6J\raser[1].zip -> Downloader.ConHook.n : Cleaned with backup
C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\GXQROPA3\dollar[1].zip -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][3].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1] (1).txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\us\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\98J9FTPK\cash[1].exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\98J9FTPK\cash[1].exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005292.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005292.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005302.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0005302.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006300.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006300.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006346.EXE -> Spyware.Background : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006381.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006381.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006388.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006388.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006395.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0006395.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{B0C6A5F6-4AD3-40A1-AB29-EDF5131E188C}\RP2\A0008448.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\cash09854ksa.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\cash09854ksa.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\cahs.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup
C:\cahs.exe/226a.exe -> Downloader.Adload.j : Cleaned with backup


::Report End




I hope this helps....let me know what else I need to do...thanks so much for your continuing guidance:)

Cheers


Crykey
 
Joined
Sep 7, 2004
Messages
49,014
Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\jbi32.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
:( Hi there

followed your instructions and deleted the C:\WINDOWS\System32\jbi32.dll successfully
However, when I went to delete everything in the temp folder as instructed, there was nothing to delete.

Anyway, have posted the log as requested:

Logfile of HijackThis v1.99.1
Scan saved at 6:53:24 a.m., on 10/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



I hope this helps...:)


Cheers


Crykey
 
Joined
Sep 7, 2004
Messages
49,014
Now you have something new!!!!!!!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this
    VundoFix V2.15 by Atri
    By pressing enter you agree that you are using this at your own risk
  • At this point press enter one time.
  • Next you will see:
    Type in the filepath as instructed by the forum staff
    Then Press Enter
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\awvtq.dll
  • Press Enter,
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter,
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\qtvwa.*
    If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    • O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll
    • O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
    • O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
    • O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
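As an added example (not code from this thread, from HijackThis or from VundoFix), the following Python script applies the two checks the helper used in this thread to HijackThis entry lines: the O4 Run entry that loads a System32 DLL through rundll32.exe (the jbi32.dll fix earlier in the thread) and the Vundo-style pairing where one DLL is registered both as an O2 BHO and as an O20 Winlogon Notify handler (the awvtq.dll/vtuvt.dll entries above). The sample lines are copied from the logs posted in this thread; the heuristics and reason strings are my own, and it also flags leftover registrations whose file is already missing, as in the log posted after VundoFix ran.

```python
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
"""

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in a module extension; stops before ',' so "x.dll,start" yields x.dll
PATH_RE = re.compile(r'([A-Za-z]:\\[^,"]+?\.(?:dll|exe|ocx))', re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def module_path(body):
    """Lower-cased module path, so System32 and SYSTEM32 spellings of one DLL compare equal."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else None


def triage(text):
    """Map module path -> reasons it deserves a look (heuristics taken from this thread, not from HJT)."""
    findings = defaultdict(list)
    sections_by_path = defaultdict(set)
    for section, body in parse_hjt(text):
        path = module_path(body)
        if path is None:
            continue
        sections_by_path[path].add(section)
        if section == "O4" and "rundll32" in body.lower() and "\\system32\\" in path:
            findings[path].append("O4 Run key loads a System32 DLL through rundll32.exe")
        if section == "O2" and "(no name)" in body:
            findings[path].append("BHO registered with no name")
        if section in ("O2", "O20") and "(file missing)" in body:
            findings[path].append("registration left behind after the file was removed")
        if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
            findings[path].append("service with unknown owner and missing binary (review)")
    # The Vundo pattern: the same DLL hooks Internet Explorer (O2) and Winlogon (O20).
    for path, sections in sections_by_path.items():
        if {"O2", "O20"} <= sections:
            findings[path].append("same DLL is both an O2 BHO and an O20 Winlogon Notify handler")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Feed it a full saved log and it ignores the header and process list, since only lines of the form "Oxx - ..." or "Rx - ..." are parsed; legitimate entries such as the PCTools and AVG modules are not flagged.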
 

crykey

Thread Starter
Joined
Jan 8, 2006
Messages
19
Hi there...

I will post all 3 results individually - here are the hijackthis log results:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:25 a.m., on 10/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvtq.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\vtuvt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EE7F5C-B546-4A53-9597-8E5404F9BA04}: NameServer = 203.152.112.32 203.152.100.32
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll (file missing)
O20 - Winlogon Notify: vtuvt - C:\WINDOWS\SYSTEM32\vtuvt.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 