1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: WinAntiSpyware/Vundo removal

Discussion in 'Virus & Other Malware Removal' started by dinobob, Jul 6, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Hi,

    I know there are tons of threads asking about how to get rid of these, but I'm still at a loss. I'm using Windows XP Professional with SP2. I update and run SpyBot regularly, and I have avast antivirus, but those can't seem to take care of these problems. Today I downloaded and ran VundoFix as well as Ad-Aware, both in safe mode. Ad-Aware found a bunch of stuff, which I deleted. VundoFix found four things, two of which it said it couldn't delete but would try upon reboot. So I rebooted in normal mode, and then it said it couldn't find those files (C:\WINDOWS\system32\gebcd.dll and \dcbeg.ini). What's going on? And what do I need to do to make sure my system is clean?

    Please help!
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!


    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  3. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Hi, thanks for your response. Here is the Hijack This log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:17:23 PM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\utyrbhar.dll",forkonce
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download this tool
    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click on the file and choose install.


    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
  5. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Ok, done. Here's the ComboFix log:


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\gsphqxeh.dll
    C:\WINDOWS\system32\mlpntyfm.dll
    C:\WINDOWS\system32\tcjiuaix.dll
    C:\WINDOWS\system32\utyrbhar.dll
    C:\WINDOWS\SYSTEM32\dcbeg.bak2
    C:\WINDOWS\SYSTEM32\dcbeg.ini
    C:\WINDOWS\SYSTEM32\hexqhpsg.ini
    C:\WINDOWS\SYSTEM32\rahbrytu.ini
    C:\WINDOWS\system32\gebcd.dll
    C:\WINDOWS\system32\awtropn.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\gebcd.dll
    C:\WINDOWS\system32\awtropn.dll

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OinUninstall.exe
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\WINDOWS\system32\drivers\fad.sys


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


    2007-07-08 15:55 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-07 15:36 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-07-06 19:57 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    2007-07-06 13:59 <DIR> d-------- C:\Program Files\Lavasoft
    2007-07-06 13:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-07-06 13:41 <DIR> d--h----- C:\WINDOWS\SYSTEM32\GroupPolicy
    2007-07-06 13:33 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-07-06 13:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-07-06 13:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
    2007-07-06 13:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
    2007-07-06 13:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
    2007-07-06 13:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-06 12:43 <DIR> d--hs---- C:\WINDOWS\CSC
    2007-06-27 12:37 266,336 --------- C:\WINDOWS\SYSTEM32\gebcd.dll
    2007-06-25 14:06 <DIR> d-------- C:\VundoFix Backups
    2007-06-25 13:30 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
    2007-06-25 13:27 31,254 --------- C:\WINDOWS\SYSTEM32\awtropn.dll
    2007-06-21 15:50 <DIR> d-------- C:\Program Files\DivX
    2007-06-19 21:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\BWKDLogs
    2007-06-19 21:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2007-06-19 21:38 <DIR> d-------- C:\Program Files\Bonjour
    2007-06-19 21:37 <DIR> d-------- C:\Program Files\Common Files\Kodak
    2007-06-19 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
    2007-06-19 21:30 <DIR> d-------- C:\Program Files\Kodak


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-08 20:11:56 1,839,908 --sh--w C:\WINDOWS\system32\dcbeg.bak1
    2007-07-08 18:34:25 -------- d-----w C:\Program Files\iTunes
    2007-07-03 19:40:08 36,538 ----a-w C:\WINDOWS\system32\nvModes.dat
    2007-06-28 11:57:46 -------- d-----w C:\DOCUME~1\Waterman\APPLIC~1\wsInspector
    2007-06-21 19:51:05 8,391 ----a-w C:\WINDOWS\mozver.dat
    2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-05-16 21:11:01 -------- d-----w C:\Program Files\iPod
    2007-05-16 21:10:21 -------- d-----w C:\Program Files\QuickTime
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-10 01:48:55 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2003-11-03 18:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 04:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    2004-03-15 02:04 118836 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6801F2A1-3F64-40BA-B4DB-2B21D308D625}]
    2007-06-27 12:37 266336 --------- C:\WINDOWS\system32\gebcd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{694D83BF-6148-41AA-BDA2-7811447AA74F}]
    C:\WINDOWS\system32\pmnli.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    2003-05-15 04:03 147456 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4361F3C-702C-4A40-A2F2-4E66FCA98B03}]
    C:\WINDOWS\system32\jkklk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}]
    2007-06-25 13:27 31254 --------- C:\WINDOWS\system32\awtropn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 06:59 C:\WINDOWS\BCMSMMSG.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 17:23]
    "DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2004-03-04 12:36]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
    "{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\awtropn.dll" [2007-06-25 13:27]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtropn]
    awtropn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
    C:\WINDOWS\system32\gebcd.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    Contents of the 'Scheduled Tasks' folder
    2007-04-21 21:24:45 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2004-10-05 04:21:13 C:\WINDOWS\tasks\Symantec NetDetect.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-08 16:10:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\dcbeg.bak1

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Completion time: 2007-07-08 16:13:50 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-08 16:13

    --- E O F ---
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\gebcd.dll
      C:\WINDOWS\system32\awtropn.dll
      C:\WINDOWS\system32\pmnli.dll
      C:\WINDOWS\system32\dcbeg.bak1


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.
     
  7. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Hi. Ok, I did everything you suggested. Here is the SUPERAntiSpyware log, followed by a new HijackThis log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/08/2007 at 08:35 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1277

    Scan type : Complete Scan
    Total Scan Time : 01:04:44

    Memory items scanned : 209
    Memory threats detected : 2
    Registry items scanned : 5674
    Registry threats detected : 110
    File items scanned : 56861
    File threats detected : 4

    Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\GEBCD.DLL
    C:\WINDOWS\SYSTEM32\GEBCD.DLL
    HKLM\Software\Classes\CLSID\{6493F66E-7050-4BAB-A223-141131351BBC}
    HKCR\CLSID\{6493F66E-7050-4BAB-A223-141131351BBC}
    HKCR\CLSID\{6493F66E-7050-4BAB-A223-141131351BBC}\InprocServer32
    HKCR\CLSID\{6493F66E-7050-4BAB-A223-141131351BBC}\InprocServer32#ThreadingModel
    HKLM\Software\Classes\CLSID\{694D83BF-6148-41AA-BDA2-7811447AA74F}
    HKCR\CLSID\{694D83BF-6148-41AA-BDA2-7811447AA74F}
    HKCR\CLSID\{694D83BF-6148-41AA-BDA2-7811447AA74F}\InprocServer32
    HKCR\CLSID\{694D83BF-6148-41AA-BDA2-7811447AA74F}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PMNLI.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6493F66E-7050-4BAB-A223-141131351BBC}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{694D83BF-6148-41AA-BDA2-7811447AA74F}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\gebcd

    Trojan.Downloader-Gen/HitItQuitIt
    C:\WINDOWS\SYSTEM32\AWTROPN.DLL
    C:\WINDOWS\SYSTEM32\AWTROPN.DLL
    HKLM\Software\Classes\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\InprocServer32
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{DC192567-65F9-4AB6-ADB7-E13575F81726}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtropn

    Unclassified.Unknown Origin/System
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4361F3C-702C-4A40-A2F2-4E66FCA98B03}
    HKCR\CLSID\{B4361F3C-702C-4A40-A2F2-4E66FCA98B03}
    HKCR\CLSID\{B4361F3C-702C-4A40-A2F2-4E66FCA98B03}\InprocServer32
    HKCR\CLSID\{B4361F3C-702C-4A40-A2F2-4E66FCA98B03}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKKLK.DLL

    Browser Hijacker.Internet Explorer Zone Hijack
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\www
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\www#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\br
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\br#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\cdn
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\cdn#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\de
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\de#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\download
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\download#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\download.cdn
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\download.cdn#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\go
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\go#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\instlog
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\instlog#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\kb
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\kb#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\nl
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\nl#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\se
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\se#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\secure
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\secure#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\utils
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\utils#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\www
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\www#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\download
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\download#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\go
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\go#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\www
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\www#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\br
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\br#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\de
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\de#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\download
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\download#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\es
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\es#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\fr
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\fr#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\go
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\go#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\hk
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\hk#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\instlog
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\instlog#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\kb
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\kb#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\secure
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\secure#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\support
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\support#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\ulog
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\ulog#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\utils
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\utils#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\www
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\www#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\br
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\br#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\download
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\download#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\fr
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\fr#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\instlog
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\instlog#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\utils
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\utils#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\www
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\www#*
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\www.utils
    HKU\S-1-5-21-547890692-3898949128-462829679-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\www.utils#*

    Adware.ClickSpring/Outer Info Network
    HKLM\Software\Outerinfo
    HKLM\Software\Outerinfo#InstallDirectory

    **********************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 8:48:14 PM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\jwpuaful.dll",forkonce
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.systemdoctor.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\jwpuaful.dll",forkonce
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.systemdoctor.com

    Close all applications and browser windows before you click "fix checked".


    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\jwpuaful.dll

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Download this tool
    http://www.mvps.org/winhelp2002/DelDomains.inf
    Right click on the file and choose install.




    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
    • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
    • In the File String Search group select ALL
    • in the Additional scans sections please press select ALL
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
    Please post the resulting log here as an attachment.

    • Click on the orange Post a Reply! button
    • scroll down to Manage Attachments
    • Click in the box that says Upload File from your Computer
    • Click the Browse... button and find the file then click open
    • Click the Upload button
    • Wait until you see Current Attachment and your file name
    • Click on Close this window
    • Then submit the reply.
     
  9. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Ok. I did everything you suggested on this round. The WinPFind3u log is attached. Thank you very much for your help. We must be getting close--IE isn't opening by itself anymore....
     

    Attached Files:

  10. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Hi, I just wanted to let you know that I'm going out of the country tomorrow for three weeks (without my computer). But I'd really like to follow this through when I return. Can we please pick it up again then?

    Thanks again for your help.
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    No problem. Just reply when you can.

    Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

    I will review the information when it comes back in.


    You can remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

    OTMoveIt by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders if you want to use that. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. Also remove OTMoveIt.

    SUPERAntiSpyware is a trial version so you can keep that until the trial is over and then uninstall.


    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


    Here are some additional links for you to check out to help you with your computer security.

    Secunia software inspector & update checker

    Good free tools and advice on how to tighten your security settings.

    Security Help Tools
     
  12. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Hello again. I seem to be having trouble with WinPFind3U. It was taking *forever*, and when I called up the Windows Task Manager, it said the program wasn't responding. I tried re-downloading the program and running it again, but nothing changed.

    Ideas?
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      c:\windows\System32\igqlimoh.ini
      c:\windows\System32\lufaupwj.ini
      c:\windows\System32\tnllupjb.ini


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  14. dinobob

    dinobob Thread Starter

    Joined:
    Jul 6, 2007
    Messages:
    16
    Ok, I did that. I also used the OTMoveIt CleanUp! option and then turned on my system restore (I had turned it off when this whole thing started). Am I all set?
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    If you are not having any problems I think you are good to go!
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/592538

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice