Plz Help! Webcry, Netster..etc Redirecting and Using Memory

Started by Specht15, March 25, 2007, 05:06:35 PM


Corrine

Ok.  See you tomorrow evening then as I will be at work during the day (Eastern time). 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Specht15

Well, it's still got some big problems. Webcry and Netster are still popping up and it's still very slow. I think it may be getting a little better, I don't know. Here are the scans...

Logfile of HijackThis v1.99.1
Scan saved at 6:56:11 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\?racle\l?ass.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\HJT\hijackthis\HJT.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E3AC45-6B85-3655-F04E-19E3379DADEC} - C:\WINDOWS\system32\lpxxnfdz.dll
O2 - BHO: (no name) - {207981A2-602B-4D20-A49D-FA2E2ED22862} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} - C:\WINDOWS\system32\vgttnm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [hoajyhc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll",ibeqwid
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Eyxafs] "C:\Program Files\?racle\l?ass.exe"
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:   6:29:01 AM 3/26/2007

+ Scan result:   



C:\Program Files\Common Files\{106919D9-07CA-1033-0403-060503310001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{106919D9-07CA-1033-0403-060503310001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0053229.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057040.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057010.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0052177.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0052178.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win121.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057059.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370\A0053235.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370\A0053233.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058726.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP371\A0054455.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370\A0053236.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win14B.tmp.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0053225.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057061.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058728.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win11F.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Program Files\Common Files\svchost.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP371\A0054263.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057058.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0057709.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058709.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058823.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\WINDOWS\svchost.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057131.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP382\A0057542.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058727.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvlib.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvpih.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win129.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057060.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP371\A0054262.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wcpsu.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP358\A0050245.exe/zgo.exe -> Worm.Agent.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP358\A0050245.exe/run.exe -> Worm.VB.njc : Cleaned with backup (quarantined).


::Report end
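
The HijackThis log above can be triaged mechanically before anyone decides what to fix. The block below is an added example, not code from this thread, from HijackThis or from VirtumundoBeGone. It parses the O2, O4, O20 and O23 sections and applies the checks an analyst actually makes on a Vundo-era log: a BHO with no name whose DLL is also registered as a Winlogon Notify package (the same cross-check VirtumundoBeGone records later in this thread when it looks for HKLM\...\Winlogon\Notify\<dllname>), rundll32 autoruns that load a DLL from a user-writable profile directory, paths containing "?" placeholders (characters HijackThis could not render, typical of look-alike directory names such as ?racle), and services with no publisher whose binary is missing. The sample lines are constructed from entries in the log above; the severity thresholds and the PROFILE_MARKERS list are my own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) log entries (added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {207981A2-602B-4D20-A49D-FA2E2ED22862} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [hoajyhc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll",ibeqwid
O4 - HKCU\..\Run: [Eyxafs] "C:\Program Files\?racle\l?ass.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One regex per HJT section handled here (O2 BHOs, O4 Run keys, O20 Winlogon
# Notify packages, O23 services). Lines from other sections are ignored.
PATTERNS = {
    "O2": re.compile(r"O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)"),
    "O4": re.compile(r"O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)"),
    "O20": re.compile(r"O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)"),
    "O23": re.compile(r"O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)"),
}

# Directory fragments treated as "user-writable profile location" (assumption).
PROFILE_MARKERS = ("documents and settings", "local settings", "application data", "\\temp\\")


def parse_hjt(text):
    """Return a list of (section, raw_line, fields) for the lines we understand."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                entries.append((section, line, m.groupdict()))
                break
    return entries


def _stem(path):
    """Lower-case file name without extension ('vtuts' for ...\\vtuts.dll)."""
    name = path.strip('"').split("\\")[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(text):
    """Apply the heuristics and return a list of (severity, raw_line, reason)."""
    entries = parse_hjt(text)
    # DLL stems of nameless BHOs and names of Notify packages, for cross-reference.
    nameless = {_stem(f["path"]) for s, _, f in entries if s == "O2" and f["name"] == "(no name)"}
    notify = {f["name"].lower() for s, _, f in entries if s == "O20"}
    findings = []
    for section, raw, f in entries:
        if section == "O2" and f["name"] == "(no name)":
            if _stem(f["path"]) in notify:
                findings.append(("high", raw, "nameless BHO also registered as a Winlogon Notify package (Vundo pattern)"))
            elif "\\system32\\" in f["path"].lower():
                findings.append(("review", raw, "nameless BHO loaded from system32; identify the DLL"))
        elif section == "O4":
            cmd = f["cmd"]
            if "?" in cmd:
                findings.append(("high", raw, "'?' placeholders: characters HJT could not render, typical of look-alike directory names"))
            dll = re.search(r'"([^"]+\.dll)"', cmd, re.I)
            if "rundll32" in cmd.lower() and dll:
                if any(mark in dll.group(1).lower() for mark in PROFILE_MARKERS):
                    findings.append(("high", raw, "rundll32 loading a DLL from a user-writable profile directory"))
                else:
                    findings.append(("review", raw, "rundll32 autorun DLL; verify the file's publisher"))
        elif section == "O20" and f["name"].lower() in nameless:
            findings.append(("high", raw, "Winlogon Notify package matching a nameless BHO (Vundo pattern)"))
        elif section == "O23":
            orphaned = "(file missing)" in f["path"]
            unknown = f["owner"] == "Unknown owner"
            if orphaned and unknown:
                findings.append(("high", raw, "service with no publisher whose binary is gone: remnant of a removed dropper"))
            elif orphaned or unknown:
                findings.append(("review", raw, "service with unknown publisher or missing binary"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. Counter({'high': 7, 'review': 1}) for SAMPLE_LOG."""
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, raw, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {raw}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script rates vtuts.dll and hgggedb.dll high on both their O2 and O20 lines, the hoajyhc.dll and ?racle autoruns high, and the orphaned "COM+ Messages" service high, while leaving SDHelper.dll (a nameless but legitimate Spybot BHO), ctfmon.exe, WgaLogon and the iPod service alone. The heuristics rank entries for a human to confirm; they do not replace checking the flagged file itself.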


Corrine

Hi, Specht15.  You still have some work ahead of you because the Vundo installer is still on your computer.  Let's try a different tool.  I suggest you print these instructions or save them to your desktop as you will be working from safe mode much of the time and will not be connected to the internet.

A.  Please download VirtumundoBeGone http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe and save it on your desktop.

B.  Please reboot your computer in SafeMode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
C.  Double-click VirtumundoBeGone and follow the instructions. Exit when it has finished.

D. While still in Safe Mode, launch HijackThis and do the following:

  • Click "Config" button
  • Click "Misc Tools" button
  • Click "Delete an NT Service" button
  • Place the bold text in the "Delete an NT Service" window exactly as it appears here:  COM+ Messages
E.  Still leaving only HijackThis running, place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {15E3AC45-6B85-3655-F04E-19E3379DADEC} - C:\WINDOWS\system32\lpxxnfdz.dll
O2 - BHO: (no name) - {207981A2-602B-4D20-A49D-FA2E2ED22862} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} - C:\WINDOWS\system32\vgttnm.dll
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O4 - HKLM\..\Run: [hoajyhc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll",ibeqwid
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [Eyxafs] "C:\Program Files\?racle\l?ass.exe"
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)


Click on Fix Checked when finished and exit HijackThis.

F. Using Windows Explorer, locate the following files, and delete them:

C:\Program Files\?racle\l?ass.exe
C:\WINDOWS\system32\lpxxnfdz.dll
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vgttnm.dll
C:\WINDOWS\system32\hgggedb.dll
C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll, ibeqwid
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\SYSTEM32\winhdn32.dll
C:\WINDOWS\system32\svchosts.exe  [Note: NOT the singular svchost.exe]


Exit Explorer, and reboot as normal afterwards.

G.  Note: If you were unable to find any of the files in Step F. above, please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot.  For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

H.  Post the log created by VirtumundoBeGone as a reply along with a new HijackThis log.  Please let me know the status of your computer.



Specht15

I ran the scans and followed the instructions, but it still feels slow, though I'm pretty sure we've eliminated the pop-ups, so that's good. Whenever I log in from a reboot, a little window pops up titled "Security" with an exclamation mark in a yellow circle or box saying something short about security or a program being shut down, and it just has one box to click titled OK. I don't know if that matters. I can't thank you enough for all the help you're giving me. You're a lot of help!

[03/26/2007, 18:52:44] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ryan Specht\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 18:52:54] - Detected System Information:
[03/26/2007, 18:52:54] -  Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 18:52:54] -  Current Username: Ryan Specht (Admin)
[03/26/2007, 18:52:54] -  Windows is in SAFE mode with Networking.
[03/26/2007, 18:52:54] - Searching for Browser Helper Objects:
[03/26/2007, 18:52:54] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:54] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:54] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:54] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:54] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:54] -  BHO 7: {8F689B60-8058-47F5-9697-51AC8855C50E} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vtuts
[03/26/2007, 18:52:54] -  Found: HKLM\...\Winlogon\Notify\vtuts - This is probably Virtumundo.
[03/26/2007, 18:52:54] -  Assigning {8F689B60-8058-47F5-9697-51AC8855C50E} MSEvents Object
[03/26/2007, 18:52:54] - BHO list has been changed! Starting over...
[03/26/2007, 18:52:54] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:54] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:54] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:54] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:54] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:54] -  BHO 7: {8F689B60-8058-47F5-9697-51AC8855C50E} (MSEvents Object)
[03/26/2007, 18:52:54] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:54] -  BHO 8: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:54] -  BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 10: {B8B843C0-8296-44B5-9D77-31FCC3CEE619} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\hgggedb
[03/26/2007, 18:52:54] -  Found: HKLM\...\Winlogon\Notify\hgggedb - This is probably Virtumundo.
[03/26/2007, 18:52:54] -  Assigning {B8B843C0-8296-44B5-9D77-31FCC3CEE619} MSEvents Object
[03/26/2007, 18:52:54] - BHO list has been changed! Starting over...
[03/26/2007, 18:52:54] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:54] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:54] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:54] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:54] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:54] -  BHO 7: {8F689B60-8058-47F5-9697-51AC8855C50E} (MSEvents Object)
[03/26/2007, 18:52:54] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:54] -  BHO 8: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:54] -  BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 10: {B8B843C0-8296-44B5-9D77-31FCC3CEE619} (MSEvents Object)
[03/26/2007, 18:52:54] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:54] - Finished Searching Browser Helper Objects
[03/26/2007, 18:52:54] - *** Detected MSEvents Object
[03/26/2007, 18:52:54] - Trying to remove MSEvents Object...
[03/26/2007, 18:52:55] -    Terminating Process: IEXPLORE.EXE
[03/26/2007, 18:52:56] -    Terminating Process: RUNDLL32.EXE
[03/26/2007, 18:52:56] -    Disabling Automatic Shell Restart
[03/26/2007, 18:52:56] -    Terminating Process: EXPLORER.EXE
[03/26/2007, 18:52:56] -    Suspending the NT Session Manager System Service
[03/26/2007, 18:52:56] -    Terminating Windows NT Logon/Logoff Manager
[03/26/2007, 18:52:56] -    Re-enabling Automatic Shell Restart
[03/26/2007, 18:52:56] -   File to disable: C:\WINDOWS\system32\vtuts.dll
[03/26/2007, 18:52:56] -  Renaming C:\WINDOWS\system32\vtuts.dll -> C:\WINDOWS\system32\vtuts.dll.vir
[03/26/2007, 18:52:56] -  File successfully renamed!
[03/26/2007, 18:52:56] -   Removing HKLM\...\Browser Helper Objects\{8F689B60-8058-47F5-9697-51AC8855C50E}
[03/26/2007, 18:52:56] -   Removing HKCR\CLSID\{8F689B60-8058-47F5-9697-51AC8855C50E}
[03/26/2007, 18:52:56] -   Adding Kill Bit for ActiveX for GUID: {8F689B60-8058-47F5-9697-51AC8855C50E}
[03/26/2007, 18:52:56] -   Deleting ATLEvents/MSEvents Registry entries
[03/26/2007, 18:52:56] -   Removing HKLM\...\Winlogon\Notify\vtuts
[03/26/2007, 18:52:56] - Searching for Browser Helper Objects:
[03/26/2007, 18:52:56] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:57] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:57] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:57] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:57] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:57] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:57] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:57] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:57] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:57] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:57] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:57] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:57] -  BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:57] -  BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:57] -  BHO 9: {B8B843C0-8296-44B5-9D77-31FCC3CEE619} (MSEvents Object)
[03/26/2007, 18:52:57] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:57] - Finished Searching Browser Helper Objects
[03/26/2007, 18:52:57] - *** Detected MSEvents Object
[03/26/2007, 18:52:57] - Trying to remove MSEvents Object...
[03/26/2007, 18:52:58] -    Terminating Process: IEXPLORE.EXE
[03/26/2007, 18:52:58] -    Terminating Process: RUNDLL32.EXE
[03/26/2007, 18:52:58] -    Disabling Automatic Shell Restart
[03/26/2007, 18:52:58] -    Terminating Process: EXPLORER.EXE
[03/26/2007, 18:52:58] -    Suspending the NT Session Manager System Service
[03/26/2007, 18:52:58] -    Terminating Windows NT Logon/Logoff Manager
[03/26/2007, 18:52:58] -    Re-enabling Automatic Shell Restart
[03/26/2007, 18:52:58] -   File to disable: C:\WINDOWS\system32\hgggedb.dll
[03/26/2007, 18:52:58] -  Renaming C:\WINDOWS\system32\hgggedb.dll -> C:\WINDOWS\system32\hgggedb.dll.vir
[03/26/2007, 18:52:58] -  File successfully renamed!
[03/26/2007, 18:52:58] -   Removing HKLM\...\Browser Helper Objects\{B8B843C0-8296-44B5-9D77-31FCC3CEE619}
[03/26/2007, 18:52:58] -   Removing HKCR\CLSID\{B8B843C0-8296-44B5-9D77-31FCC3CEE619}
[03/26/2007, 18:52:58] -   Adding Kill Bit for ActiveX for GUID: {B8B843C0-8296-44B5-9D77-31FCC3CEE619}
[03/26/2007, 18:52:58] -   Deleting ATLEvents/MSEvents Registry entries
[03/26/2007, 18:52:58] -   Removing HKLM\...\Winlogon\Notify\hgggedb
[03/26/2007, 18:52:58] - Searching for Browser Helper Objects:
[03/26/2007, 18:52:58] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:58] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:58] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:58] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:58] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:58] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:58] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:58] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:58] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:58] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:58] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:58] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:58] -  BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:58] -  BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:58] - Finished Searching Browser Helper Objects
[03/26/2007, 18:52:58] - Finishing up...
[03/26/2007, 18:52:58] - A restart is needed.
[03/26/2007, 18:53:14] - Attempting to Restart via STOP error (Blue Screen!)

[03/26/2007, 18:57:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ryan Specht\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 18:57:08] - Detected System Information:
[03/26/2007, 18:57:08] -  Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 18:57:08] -  Current Username: Ryan Specht (Admin)
[03/26/2007, 18:57:08] -  Windows is in SAFE mode with Networking.
[03/26/2007, 18:57:08] - Searching for Browser Helper Objects:
[03/26/2007, 18:57:08] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:57:08] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:57:08] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:57:08] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:57:08] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:57:08] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:57:08] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:57:08] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:57:08] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:57:08] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:57:08] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:57:08] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:57:08] -  BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:57:08] -  BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:57:08] - Finished Searching Browser Helper Objects
[03/26/2007, 18:57:08] - Finishing up...
[03/26/2007, 18:57:08] - Nothing found! Exiting...

[03/26/2007, 19:28:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ryan Specht\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 19:28:49] - Detected System Information:
[03/26/2007, 19:28:49] -  Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 19:28:49] -  Current Username: Ryan Specht (Admin)
[03/26/2007, 19:28:49] -  Windows is in SAFE mode with Networking.
[03/26/2007, 19:28:49] - Searching for Browser Helper Objects:
[03/26/2007, 19:28:49] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 19:28:49] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 19:28:49] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 19:28:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 19:28:49] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 19:28:49] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 19:28:49] -  BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 19:28:49] -  BHO 5: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 19:28:49] -  BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 19:28:49] - Finished Searching Browser Helper Objects
[03/26/2007, 19:28:49] - Finishing up...
[03/26/2007, 19:28:49] - Nothing found! Exiting...

Logfile of HijackThis v1.99.1
Scan saved at 7:38:20 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\system32\ECURIT~1\wucrtupd.exe" -vt ndrv
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
Corrine

Hi, Specht15.  You're welcome.  :rose:

You've made it through the difficult part.  That Vundo infection was one of the worst I have seen, coupled with other trojans.  In fact, I would suggest checking AVG Antispyware for updates and running another scan.

I meant to ask you about these before but wanted to take care of the Vundo infection first.  Now that it appears to be gone, note:

O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE

If these are games you have downloaded and need to register for, there should be another link to do so.  They don't need to be in Startup.  Besides, the fact that they weren't removed when you ran ATF Cleaner leads me to believe that it would be best to remove them.

I also hadn't addressed Viewpoint Manager.  It is a questionable AOL service that some are of the opinion is "foistware".  If you want to remove it, you will need to stop the service first and then remove it.  To do so, Restart your computer in Safe Mode and login on your usual account.  Launch HijackThis and do the following:

  • Click "Config" button
  • Click "Misc Tools" button
  • Click "Delete an NT Service" button
  • Place the bold text in the "Delete an NT Service" window exactly as it appears here:  Viewpoint Manager Service
Still leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

This would be the point to run a new AVG scan, just as you did here:  http://www.landzdown.com/index.php?topic=15396.msg48650#msg48650

You have also downloaded a lot of additional software.  a2 is still on your machine as is Trojan Hunter.  You can also remove VundoFix and Virtumundobegone. 

Have you decided what antivirus software and firewall you are going to use?  (See my post above with links and instructions for removing Norton if you decide on a different antivirus software.)

Granted, it is getting late for me (I start work pretty early in the a.m.) so I may not be seeing as clearly as I should.  However, I'm not spotting anything else in your log.  So, run through what I've written here, make your decisions about a firewall and antivirus software, do the cleanup and then post a fresh HijackThis log but from normal mode this time, not safe mode.  Also, please tell me if you are still noticing your computer feeling slow.


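The triage applied to the log above (startup items launched from a Temp folder, a service whose file is missing, a BHO registered with no default name, which is also what VirtumundoBeGone warns about before checking Winlogon\Notify) written out as a small parser over HijackThis-format lines. This is an added example, not a tool from the thread; the sample entries are copied from the posted log, and the rule set and the "fix"/"review" labels are my own assumptions.

```python
"""Triage of HijackThis v1.99.1 log entries (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: entries in HijackThis's "Oxx - body" line format, taken from
# the log posted in the thread, plus two ordinary entries so the rules have
# something to leave alone. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, O23, ...), then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    action: str   # "fix": what the helper in the thread had fixed; "review": needs a human look
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body) for each line that has the 'Oxx - body' shape; skip the rest."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def classify(section, body):
    """Apply the thread's triage rules to one entry; return a Finding or None."""
    lower = body.lower()
    line = f"{section} - {body}"
    # Rule 1: an O4 startup item whose target lives under Local Settings\Temp.
    # Installers drop helpers there; nothing that belongs in Startup should run from it.
    if section == "O4" and "\\local settings\\temp\\" in lower:
        return Finding(section, "fix", "startup item launches from a Temp folder", line)
    # Rule 2: an O23 service whose executable HijackThis could not find on disk.
    # A service that cannot start is dead weight at best and hides its origin at worst.
    if section == "O23" and lower.endswith("(file missing)"):
        return Finding(section, "fix", "service points at an executable that no longer exists", line)
    # Rule 3: an O2 BHO with no default name. Vundo registered its BHOs this way,
    # but so does Spybot's SDHelper.dll, so this is a review item, not a verdict.
    if section == "O2" and lower.startswith("bho: (no name)"):
        return Finding(section, "review", "BHO has no default name; confirm the DLL's owner before acting", line)
    return None


def triage(log_text):
    """Return the findings for a whole log, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        finding = classify(section, body)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action.upper():6}] {f.section}: {f.reason}\n         {f.line}")
```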

Specht15

I ran the scans and I think AVG did find some more things. I have noticed loading times are getting much better and things are definitely returning to normal besides not having access to a couple of programs. Also, every time I log on there is a box titled "Security" that always immediately pops up. It's got an exclamation mark in a yellow triangle and the text "The security information is invalid or has been modified. This program will be terminated."

Logfile of HijackThis v1.99.1
Scan saved at 7:43:05 AM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:37:39 AM 3/27/2007
+ Scan result:

HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058857.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058858.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\HJT\hijackthis\backups\backup-20070326-064806-363.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058938.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hggfdaa.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hgggedb.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058856.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058852.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Local Settings\Temp\!update.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Local Settings\Temporary Internet Files\Content.IE5\45I299NQ\!update-4395[1].0000 -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0059190.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Local Settings\Temporary Internet Files\Content.IE5\3E1NNF3J\ml[1].exe -> Downloader.Small.efh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058850.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058851.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@imeem.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Ares\Ares.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058854.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058855.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058853.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wcpsu.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end


Specht15

I haven't really decided on what antivirus program or firewall to use. I was planning on keeping AVG AntiSpyware, and I have XoftSpySE installed. I'd like to use the best freeware available, but I don't know what you'd suggest or what I'd need to do to set up a new one the right way.

Corrine

I'm on my lunch break so don't have time to research your log but I can certainly *lecture* on the importance of a firewall and antivirus software.  ;)

Actually, these days there is an overlap in detection between antispyware and antivirus programs and many companies have "suites".  However, the "engines" are different and a/v software does specialize in protecting your computer from viruses.

Everyone has different preferences, different experiences.  Since you are keeping AVG AntiSpyware (you will need to manually update when the trial period expires and the AVG Guard will no longer work), you might want to try one of the other two free A/V's I posted.  That "may" provide broader coverage.  I'm not one for "suites" as I would rather put all my eggs in one basket, but that's me.

There is such a thing as too much protection.  Getting Microsoft updates, having a good firewall, updated antivirus and antispyware software programs, real-time protection (i.e., WinPatrol) and SpywareBlaster.  Then, if there is a problem, do an online scan and/or run a different antispyware application.  Or come here.  :)




Specht15

Awesome, that sounds good. I think I'm just going to resubscribe to Norton. Thank you for the advice.

Corrine

You're welcome.  Just don't wait too long to resubscribe to Norton.

I do believe that I found the culprit!  Please reboot to safe mode and remove the following with HijackThis.  Note that I've included the Zeus Learning item because your log at SWI was the only other finding.

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB


Using Windows Explorer, locate the following file and delete it:

C:\WINDOWS\system32\eofxdsew.dll

Exit Explorer, and reboot as normal afterwards.

Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (If that link doesn't work for you, the download link is at the bottom of this page:  http://www.drweb-online.com/en/cure_it.asp?rpid= )

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a fresh HijackThis log.
(P.S.  Don't forget to update Adobe and let me know how you're doing. ;) )
(P.P.S.  Seeing as how you're spending so much time with us, feel free to hang out in the LzD Lounge & play a game or read/share a joke in the Jokes forum :rose: )
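The entry Corrine singled out above is the classic shape of this infection: a DLL with a meaningless name in system32, started from a Run key through rundll32.exe. Here is an added example (my own code, not from the thread, HijackThis or any tool mentioned here) that scores every O4 Run line in a HijackThis log on exactly those signals and then checks which entries disappeared between the before and after logs. The sample lines are copied from the logs in this thread; the point weights and the "random-looking name" heuristic are my own assumptions, and the heuristic is deliberately only worth one point because it catches most, not all, of the names in these reports and also flags a couple of legitimate files.

```python
"""Triage HijackThis O4 (registry Run / startup) entries.

Added example, not code from the thread or from HijackThis. It scores each
autostart entry on the signals used above to pick out the culprit: a DLL
executed through rundll32.exe, sitting in system32, under a meaningless
name. Sample lines are copied from the logs in this thread; the scoring
weights and the name heuristic are my own assumptions.
"""
import re

# Constructed sample: O4 lines taken from the HijackThis log posted above
# (the first is the entry that was asked to be removed).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
"""

# Constructed sample: the same entries as they appear in the follow-up log,
# i.e. with the SoundService entry gone.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "SoundService" not in l)

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I)
PATH_RE = re.compile(r'^"?(?P<path>(?:[A-Za-z]:\\)?[^"]*?\.(?:exe|dll|cpl|scr))"?', re.I)
VOWELS = set("aeiouy")


def launched_path(cmd):
    """Return (path, export): the file a Run command actually loads, and the
    rundll32 export name when the command goes through rundll32.exe."""
    m = RUNDLL_RE.search(cmd)
    if m:
        return m.group("dll"), m.group("export")
    m = PATH_RE.match(cmd)
    return (m.group("path") if m else cmd.split(" ")[0]), None


def looks_random(stem):
    """Heuristic (my assumption) for the pseudo-random file names this family
    used: an all-letter stem with a run of 4+ consonants or very few vowels.
    It flags some legitimate names too, which is why it only adds one point."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or sum(ch in VOWELS for ch in s) / len(s) < 0.2


def score_entry(cmd):
    """Score one Run command; higher means more worth a second look."""
    path, export = launched_path(cmd)
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    score, reasons = 0, []
    if export is not None:
        score += 3
        reasons.append("DLL loaded through rundll32.exe, export '%s'" % export)
    if "\\system32\\" in path.lower():
        score += 1
        reasons.append("sits in system32 among legitimate OS files")
    if looks_random(stem):
        score += 1
        reasons.append("file name '%s' looks machine-generated" % stem)
    return {"path": path, "score": score, "reasons": reasons}


def triage(log_text):
    """Parse every O4 Run line and return entries sorted by descending score."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = score_entry(m.group("cmd"))
        entry.update(hive=m.group("hive"), name=m.group("name"))
        entries.append(entry)
    return sorted(entries, key=lambda e: -e["score"])


def removed_entries(before, after):
    """Names of Run entries present in the first log but gone from the second,
    i.e. what a cleanup actually took out."""
    def names(text):
        return {e["name"] for e in triage(text)}
    return sorted(names(before) - names(after))


if __name__ == "__main__":
    for e in triage(LOG_BEFORE):
        print("%d  %-35s %s" % (e["score"], e["name"], "; ".join(e["reasons"]) or "-"))
    print("removed by cleanup:", removed_entries(LOG_BEFORE, LOG_AFTER))
```

On the sample the SoundService line scores 5 and everything else 2 or less; ctfmon.exe and the Logitech entry pick up a point from the name heuristic alone, which is the reason the rundll32 signal carries most of the weight. Feeding it the full before and after logs from this thread gives the same answer the thread reached by hand: only the SoundService entry is gone.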



Specht15

I can't find any traces of the old Adobe; it says I have 7.0.9 in Add or Remove Programs. I can't find 7.0.8 anywhere.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:44 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

hoajyhc.dll;C:\Documents and Settings\Ryan Specht\Local Settings\Application Data;Trojan.DownLoader.based;Deleted.;
nsb5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
nse5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
nsf5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
nsf5DC.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
backup-20070326-064806-686.dll;C:\HJT\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070326-064806-984.dll;C:\HJT\hijackthis\backups;Trojan.DownLoader.based;Deleted.;
backup-20070326-190321-910.dll;C:\HJT\hijackthis\backups;Trojan.DownLoader.based;Deleted.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
A0052179.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Adware.WebHancer;Incurable.Moved.;
A0053224.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Adware.TopSearch;Incurable.Moved.;
A0053226.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Trojan.Virtumod;Deleted.;
A0053227.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Trojan.Virtumod;Deleted.;
A0053241.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370;Trojan.Virtumod;Deleted.;
A0053265.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370;Trojan.Virtumod;Deleted.;
A0055976.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP376;Trojan.Virtumod;Deleted.;
A0056978.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057008.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057009.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057043.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057102.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0058937.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.Virtumod;Deleted.;
A0058946.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.DownLoader.based;Deleted.;
A0059134.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Tool.Prockill;Incurable.Moved.;
A0059230.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.Virtumod;Deleted.;
A0059231.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.Virtumod;Deleted.;
A0061267.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.Virtumod;Deleted.;
A0061286.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.DownLoader.based;Deleted.;
A0061287.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.Virtumod;Deleted.;
A0061288.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.DownLoader.based;Deleted.;
A0061289.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.DownLoader.based;Deleted.;
A0061290.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.Click.2093;Deleted.;
awtqr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mlljh.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vcnfnygn.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
awvvt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hoajyhc.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
jkhfg.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
jkkjh.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mbhjayh.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
mllmj.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
odxfrjj.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
qlyaqlna.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
spgupgbc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tbqgwhj.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
tjvypbmj.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
ucoaxpan.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
uxghvqcb.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
vtstq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
vtuts.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
wbztyck.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
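Most of the Dr.Web CureIt report above is copies in System Restore points and in the backup folders that VundoFix and HijackThis keep, not files that were still loadable; the hits that matter are the ones in system32, Application Data and Program Files. As an added example (my own code, not from the thread or from Dr.Web), here is a parser for the saved report format, one semicolon-separated record per detection in the order file;directory;threat;action;, that summarises the hits by location class, threat family and action and lists the live ones. The sample is a constructed ten-record subset copied from the report above; the location classes are my own assumption about which hits were still active.

```python
"""Summarise a Dr.Web CureIt report like the one posted above.

Added example, not code from the thread or from Dr.Web. CureIt's saved
report is one semicolon-separated record per detection
(file;directory;threat;action;). The sample below is a constructed subset
of the report in this post; the location classes are my own assumption
about which hits were still active on the machine.
"""
from collections import Counter

# Constructed sample: ten records copied from the report above.
SAMPLE_REPORT = r"""
hoajyhc.dll;C:\Documents and Settings\Ryan Specht\Local Settings\Application Data;Trojan.DownLoader.based;Deleted.;
nsb5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
backup-20070326-064806-686.dll;C:\HJT\hijackthis\backups;Trojan.Virtumod;Deleted.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
A0052179.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Adware.WebHancer;Incurable.Moved.;
A0053226.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Trojan.Virtumod;Deleted.;
awtqr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
awvvt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hoajyhc.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
tjvypbmj.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
"""


def parse_report(text):
    """Turn the report text into a list of dicts, skipping blank/short lines."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().split(";")]
        if len(fields) < 4 or not fields[0]:
            continue
        rows.append({"file": fields[0], "dir": fields[1],
                     "threat": fields[2], "action": fields[3].rstrip(".")})
    return rows


def classify_location(directory):
    """Where a hit lives says a lot about whether it was still active:
    restore-point and removal-tool copies are inert, system32 is not."""
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore point copy"
    if d.endswith("\\vundofix backups") or "\\hijackthis\\backups" in d:
        return "removal-tool backup"
    if "\\local settings\\temp" in d or "temporary internet files" in d:
        return "temp/cache"
    return "live location"


def family(threat):
    """Collapse 'Trojan.DownLoader.based' to 'Trojan.DownLoader', and so on."""
    return ".".join(threat.split(".")[:2])


def summarize(rows):
    """Counts by location class, family and action, plus the live hits."""
    by_location = Counter(classify_location(r["dir"]) for r in rows)
    by_family = Counter(family(r["threat"]) for r in rows)
    by_action = Counter(r["action"] for r in rows)
    live = [(r["file"], r["dir"], r["threat"]) for r in rows
            if classify_location(r["dir"]) == "live location"]
    return {"by_location": by_location, "by_family": by_family,
            "by_action": by_action, "live": live}


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for key in ("by_location", "by_family", "by_action"):
        print(key)
        for k, v in s[key].most_common():
            print("  %-25s %d" % (k, v))
    print("live hits (the ones that were actually running or loadable):")
    for f, d, t in s["live"]:
        print("  %s\\%s  [%s]" % (d, f, t))
```

Run on the full report above, the same split shows that the bulk of the detections were inert copies and that the two families that kept reappearing, Trojan.Virtumod and Trojan.DownLoader, each had live DLLs in system32 right up to this scan, which matches the redirects and the "still slow" symptoms earlier in the thread.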

Corrine

Wow!  I have been following elsewhere where Dr.Web CureIt has been effective when there still appear to be issues.  It certainly seems to have done the job here.  How is your computer now?



Specht15

I think it may actually be better now than before getting that bad virus. Thank you very much.

Corrine


