1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

trojan vundo? PLEASE HELP ME!! HJT log posted

Discussion in 'Earlier Versions of Windows' started by DLRGOLD, Jan 21, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    I think i have one of those trojan vundo thingies...
    Norton doesn't pick up any viruses, but on a prior scan my winupdate.exe file was infected with w32.spybot.worm which i quarantined and replaced...
    when i check my startup items with system mechanic i see an item called *VTURP with a command line that says:
    RUNDLL32.EXE C:\WINDOWS\SYSTEM\VTURP.DLL,CreateProtectProc rerun
    and a startup location of:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    if i try to disable it another one appears instantly
    and i can't delete or quarantine VTURP.DLL because its in use...
    is this a trojan vundo?
    I tried to install Ewido but i'm running on Win98 and it won't work...what should i do?
    heres my HJT log...someone please help me!!

    Logfile of HijackThis v1.99.1
    Scan saved at 10:41:07 PM, on 1/20/06
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www1.web3000.com/redir/iepage.asp?sku=210
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www1.web3000.com/redir/iebar.asp?sku=210
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhos;153t;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\SYSTEM\TEOMABAC.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Change Lines] C:\BACKUP\CHNGLINE.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [winupdate] \winupdate\winupdate.exe /auto
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunOnce: [*VTURP] rundll32.exe C:\WINDOWS\SYSTEM\VTURP.DLL,CreateProtectProc rerun
    O8 - Extra context menu item: Search &Infoseek - c:\windows\web\selmenu.htm
    O8 - Extra context menu item: Translate &Text - c:\windows\web\tranmenu.htm
    O8 - Extra context menu item: &Translate Page - c:\windows\web\urlmenu.htm
    O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
    O8 - Extra context menu item: Teoma Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"</SCRIPT>
    O8 - Extra context menu item: Dictionary Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"</SCRIPT>
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: @Home - {AE9BF420-330B-11D4-87C1-005004810935} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: Win32 Classes -
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSNChatFrame Class) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    try this

    Run VundoFix and click Scan for Vundo
    Click Remove Vundo, and choose Yes when prompted to remove files
    Your Desktop will disappear for a moment
    Click OK when prompted to shutdown your computer
    Turn your computer back on. Post the contents of C:\vundofix.txt as well as a new HijackThis log

    I'm not sure if that works on 98 though
     
  3. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    thanks for the suggestion derek...
    but VundoFix says in the readme file that it only works on Win2k and XP systems...
    it also says to use MS-DOS to remove the vundo if you are running Win98...
    i have no idea how to do this...
    what should i do? are there any other ways to get rid of it?
     
  4. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    c'mon tech-people! there has to be somebody that can help me!
    Here's a new HJT log from today:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:08:11 PM, on 1/21/06
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www1.web3000.com/redir/iepage.asp?sku=210
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www1.web3000.com/redir/iebar.asp?sku=210
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhos;153t;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\SYSTEM\TEOMABAC.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Change Lines] C:\BACKUP\CHNGLINE.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [winupdate] \winupdate\winupdate.exe /auto
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunOnce: [*VTURP] rundll32.exe C:\WINDOWS\SYSTEM\VTURP.DLL,CreateProtectProc rerun
    O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE 4
    O8 - Extra context menu item: Search &Infoseek - c:\windows\web\selmenu.htm
    O8 - Extra context menu item: Translate &Text - c:\windows\web\tranmenu.htm
    O8 - Extra context menu item: &Translate Page - c:\windows\web\urlmenu.htm
    O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
    O8 - Extra context menu item: Teoma Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"</SCRIPT>
    O8 - Extra context menu item: Dictionary Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"</SCRIPT>
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: @Home - {AE9BF420-330B-11D4-87C1-005004810935} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSNChatFrame Class) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Download AdAware SE 1.06 from http://www.lavasoft.com and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily


    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www1.web3000.com/redir/iepage.asp?sku=210
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www1.web3000.com/redir/iebar.asp?sku=210

    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL

    O4 - HKLM\..\Run: [winupdate] \winupdate\winupdate.exe /auto



    now Start killbox, go to options on the top bar and make sure remove directories is enabled and remove duplicates is UNCHECKED paste the first file listed below into the full pathname and file to delete box

    The file name will appear in the window, select replace on reboot & use dummy , press the red X button, say yes to the prompt and NOto reboot now then repeat for each file in turn

    [Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

    C:\WINDOWS\SYSTEM\VTURP.DLL

    Then on killbox top bar press tools/delete temp files, in the pop up box select anything that isn't greyed out

    then reboot


    when you reboot
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".


    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


    Reboot & post a fresh HJT log
     
  6. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    ok i did everything you said...
    my system seems to be running a little smoother...
    but the vturp thing is still listed in HJT...
    here's my new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:42:19 PM, on 1/22/06
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhos;153t;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\SYSTEM\TEOMABAC.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Change Lines] C:\BACKUP\CHNGLINE.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunOnce: [*VTURP] rundll32.exe C:\WINDOWS\SYSTEM\VTURP.DLL,CreateProtectProc rerun
    O8 - Extra context menu item: Search &Infoseek - c:\windows\web\selmenu.htm
    O8 - Extra context menu item: Translate &Text - c:\windows\web\tranmenu.htm
    O8 - Extra context menu item: &Translate Page - c:\windows\web\urlmenu.htm
    O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
    O8 - Extra context menu item: Teoma Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"</SCRIPT>
    O8 - Extra context menu item: Dictionary Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"</SCRIPT>
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: @Home - {AE9BF420-330B-11D4-87C1-005004810935} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSNChatFrame Class) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    now boot to safe mode &
    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL
    O4 - HKLM\..\RunOnce: [*VTURP] rundll32.exe C:\WINDOWS\SYSTEM\VTURP.DLL,CreateProtectProc rerun


    reboot && post a fresh HJT log
     
  8. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    i tried what you said in both safe and normal modes but it didn't seem to change anything...
    everytime i reboot both entries are still there....
    here's a fresh HJT log from today:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:51 PM, on 1/23/06
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhos;153t;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\SYSTEM\TEOMABAC.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Change Lines] C:\BACKUP\CHNGLINE.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunOnce: [*VTURP] rundll32.exe C:\WINDOWS\SYSTEM\VTURP.DLL,CreateProtectProc rerun
    O8 - Extra context menu item: Search &Infoseek - c:\windows\web\selmenu.htm
    O8 - Extra context menu item: Translate &Text - c:\windows\web\tranmenu.htm
    O8 - Extra context menu item: &Translate Page - c:\windows\web\urlmenu.htm
    O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
    O8 - Extra context menu item: Teoma Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"</SCRIPT>
    O8 - Extra context menu item: Dictionary Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"</SCRIPT>
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: @Home - {AE9BF420-330B-11D4-87C1-005004810935} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSNChatFrame Class) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    OK we need to boot to dos to do it

    when you boot press F8 at boot time and select command prompt only

    on the black screen that will be there you will see a flashing C:>

    Type this exactly

    del C:\WINDOWS\SYSTEM\VTURP.DLL
    the after the confirmation message type this
    del C:\WINDOWS\SYSTEM\PRUTV.*

    make sure there is a space between del & C

    then type win & that sjhould boot windows

    If it doesn't then turn off at power button and turn on again

    & you should get some error messages about mising files at reboot

    ignore them as it proves the files have been deleted

    Then fix the HJT entries again and post a new a HJT log
     
  10. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    ok...i did what you said, it got rid of one of the entries and the "file not found" went away...
    but HJT still won't get rid of one them...even in safe mode...
    here's a fresh log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:31:52 PM, on 1/23/06
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhos;153t;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\SYSTEM\VTURP.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\SYSTEM\TEOMABAC.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Change Lines] C:\BACKUP\CHNGLINE.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O8 - Extra context menu item: Search &Infoseek - c:\windows\web\selmenu.htm
    O8 - Extra context menu item: Translate &Text - c:\windows\web\tranmenu.htm
    O8 - Extra context menu item: &Translate Page - c:\windows\web\urlmenu.htm
    O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
    O8 - Extra context menu item: Teoma Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"</SCRIPT>
    O8 - Extra context menu item: Dictionary Search - about:<SCRIPT>external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"</SCRIPT>
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: @Home - {AE9BF420-330B-11D4-87C1-005004810935} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSNChatFrame Class) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Something is stopping that entry being fixed and all I can see is possibly spybot but it's normally teatimer taht blocks changes and I can't see taht running

    have you got a registry protector installed as well
     
  12. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    ok i think i got it...thanks
    didn't realize Spybot S&D had a BHO manager in it...
    i just used it instead of HJT and the entry was deleted permanantly...woohoo!
    anything else i should do? here's a fresh HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:32 PM, on 1/24/06
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhos;153t;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDSG.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Change Lines] C:\BACKUP\CHNGLINE.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O8 - Extra context menu item: Search &Infoseek - c:\windows\web\selmenu.htm
    O8 - Extra context menu item: Translate &Text - c:\windows\web\tranmenu.htm
    O8 - Extra context menu item: &Translate Page - c:\windows\web\urlmenu.htm
    O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
    O9 - Extra button: @Home - {AE9BF420-330B-11D4-87C1-005004810935} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSNChatFrame Class) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Looks good now

    go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    and pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place

    and

    go to www.java.com & download the latest version of java 1.5.0.6

    install it & then go to add/remove programs and UNINSTALL ALL previous versions of sun java
     
  14. DLRGOLD

    DLRGOLD Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    20
    cool...thanks alot...
    oh i have one more problem...
    when i first found out my winupdate.exe file was infected with w32.spybot.worm
    i accidentally removed it without replacing it, and i got a message that said it was missing and the system needed it to open applications...
    while it was still missing i tried to open my cd-rom drive and it wouldn't open...
    it just made this swishing sound...
    now every time i restart it makes the same sound and it still won't open...
    any idea how to fix this?
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    That was probably alcan not spybot so try this

    Make a new folder at this location
    C:\ called "BFU"
    Download/save (not open) Brute Force Uninstaller, By Merijn author of Hijackthis.
    from one of these locations
    http://www.merijn.org/files/bfu.zip
    extract the files inside and place them in the BFU folder
    Doubleclick on BFU.exe, Click the round green icon (open script URL)
    copy then paste in the contents of the code box

    Code:
    http://metallica.geekstogo.com/p2pnetwork.bfu
    
    
    Then click execute, when it is finished restart the PC.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/435875

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice