
sysprotect help

Discussion in 'Windows - Virus and spyware problems' started by catebooth, Jun 8, 2007.

  1. catebooth

    catebooth Member

    Joined:
    Jun 8, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    I'm receiving a ton of pop-ups, which I now know is in relation to this adware/trojan-type thing. Anyway, I know I have to post my HijackThis log for someone to look at... so here it is, and any help at this point would be greatly appreciated. I have Trend Micro PC-cillin and Webroot Spy Sweeper, but I do know that I haven't updated my Java. Thanks again for any help as to which files to delete....

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:05:13 PM, on 6/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Documents and Settings\Catie.CATE\Desktop\HiJackThis_v2.0.0.0.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [{13-30-0E-E7-ZN}] "C:\windows\system32\mmdsregs.exe" CHD003
    O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172435746921
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
    O20 - Winlogon Notify: wvuusst - C:\WINDOWS\SYSTEM32\wvuusst.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 9572 bytes
     
  2. bluecoal

    bluecoal Guest

    Hi catebooth


    **) Please download VundoFix to your desktop
    http://www.atribune.org/content/view/24/2/

    **) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop for later use.

    **) Get a program called Pocket Killbox. You can find a download link for it here: http://forum.malwareremoval.com/viewtopic.php?t=320
    After you download the file, also look over the instructions for deleting a file on reboot.

    **) Temporarily disable spysweeper protection in case it interferes with fix efforts. You can scroll down this for instructions:
    http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs
    You can reenable these protections when you are done with the fixes.

    **) We need to temporarily have hidden files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You can reverse these steps after the system is cleaned up.

    **) Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    **) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Select the first 3 temp file lines.
    Select the temporary internet files line.
    Select the prefetch files line.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    **) Please run the ewido/AVG online scan:
    http://www.ewido.net/en/onlinescan/

    **) Open HijackThis and choose "Do a system scan only" then check the box in front of any of these line items that remain:

    O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file)
    O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll
    O4 - HKLM\..\Run: [{13-30-0E-E7-ZN}] "C:\windows\system32\mmdsregs.exe" CHD003
    O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files...ntrol_en_US.cab
    O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
    O20 - Winlogon Notify: wvuusst - C:\WINDOWS\SYSTEM32\wvuusst.dll

    Close all programs but HjT and all browser windows, then click on "Fix Checked"

    **) Use the malware removal guide instructions for deleting a file on reboot.
    Delete this file:
    C:\WINDOWS\system32\uyirivdn.dll

    Post the Vundofix report, the ewido report, and a new HjT log.

    Thanks.
    bc
     
    Last edited by a moderator: Jun 11, 2007
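The triage bluecoal performs by eye on the log above (unnamed BHOs and rundll32 Run keys that load a DLL from system32, Winlogon Notify hooks, orphaned "(no file)" entries, and one DLL registered as both a BHO and a Notify handler) written out as a small Python checker. This is an added example, not part of the thread or of HijackThis; the sample log lines are constructed in HijackThis's line format using the names from the first log, and the "machine-generated name" heuristic is an assumption of mine, not a HijackThis feature.

```python
"""Triage heuristics for HijackThis-style log lines."""
import re
from dataclasses import dataclass

# Constructed sample in the format HijackThis prints. The suspicious names
# are the ones bluecoal picked out of the first log above; the Adobe,
# iTunes and iPod lines are included as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll
O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
DLL_NAME_RE = re.compile(r"[\w~$-]+\.dll", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def dll_name(body: str) -> str:
    """Last DLL file name mentioned on the line, lower-cased ('' if none)."""
    names = DLL_NAME_RE.findall(body)
    return names[-1].lower() if names else ""


def looks_machine_generated(stem: str) -> bool:
    """Crude hint for Vundo-style names: 5-8 lowercase letters, under a third vowels.

    Assumption of this example, not a HijackThis rule. It gives false
    positives on some legitimate names (e.g. 'shdocvw'), so it only raises
    the priority of lines that were already flagged structurally.
    """
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels * 3 < len(stem)


def triage(log_text: str) -> list[Finding]:
    """Apply the structural checks a helper applies by eye to an HJT log."""
    findings: list[Finding] = []
    bho_dlls: dict[str, str] = {}     # dll name -> O2 line
    notify_dlls: dict[str, str] = {}  # dll name -> O20 line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        orphaned = any(marker in body for marker in ORPHAN_MARKERS)
        name = dll_name(body)
        in_sys32 = bool(SYSTEM32_RE.search(body))
        if sec == "O2" and body.startswith("BHO:"):
            if orphaned:
                findings.append(Finding("low", "orphaned BHO: registry points at a missing file", line))
            elif "(no name)" in body and in_sys32:
                findings.append(Finding("high", "unnamed BHO loading a DLL from system32", line))
                bho_dlls[name] = line
        elif sec == "O4":
            if "rundll32" in body.lower() and name and in_sys32:
                findings.append(Finding("high", "Run key launches a system32 DLL via rundll32", line))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            if orphaned:
                findings.append(Finding("low", "orphaned Winlogon Notify entry", line))
            else:
                sev = "high" if looks_machine_generated(name[:-4]) else "medium"
                findings.append(Finding(sev, "Winlogon Notify hook: DLL runs inside winlogon.exe", line))
            if name:
                notify_dlls[name] = line
    # Vundo tell-tale seen in the thread: one DLL registered both as a BHO
    # and as a Winlogon Notify handler (vtsts.dll in the first log).
    for name in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append(Finding("high", f"{name} is both a BHO and a Winlogon Notify handler (Vundo pattern)", notify_dlls[name]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Orphaned entries come out "low" because fixing them only removes a dead registry pointer; the "high" findings are the ones that still load code and are what the VundoFix and Killbox steps above actually remove.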
  3. catebooth

    catebooth Member

    Thanks so much for your help, bluecoal... my computer seems to be working better already. Here are my logs; let me know what you think. I think I should update my Java too, right?
    Thanks Again!
    cate

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:39:47 PM, on 6/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Catie.CATE\Desktop\HiJackThis_v2.0.0.0.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\fchyvbyj.dll (file missing)
    O2 - BHO: (no name) - {F7BEAE86-0AD2-403C-9BC8-CD10228F617D} - C:\WINDOWS\system32\vtsts.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172435746921
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 8990 bytes

    Ewido:
    ewido anti-spyware online scanner
    http://www.ewido.net
    __________________________________________________


    Name: TrackingCookie.Doubleclick
    Path: C:\Documents and Settings\Catie.CATE\Cookies\catie@doubleclick[1].txt
    Risk: Medium

    Name: TrackingCookie.2o7
    Path: C:\Documents and Settings\Catie.CATE\Cookies\catie@msnportal.112.2o7[1].txt
    Risk: Medium

    Name: Adware.RogueSuspect
    Path: HKU\S-1-5-21-2938156765-3586929490-3717373965-1005\Software\WinAntiVirus Pro 2007
    Risk: Medium

    Name: Adware.RogueSuspect
    Path: HKU\S-1-5-21-2938156765-3586929490-3717373965-1005\Software\WinAntiVirus Pro 2007\Settings
    Risk: Medium

    Name: Not-A-Virus.Downloader.Win32.DigStream
    Path: C:\Program Files\DIGStream\digstream.exe
    Risk: Low

    Name: Not-A-Virus.Downloader.Win32.WinFixer.x
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057624.exe
    Risk: Low

    Name: Adware.Companion
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057671.dll
    Risk: Medium

    Name: Adware.SystemDoctor
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057673.exe
    Risk: Medium

    Name: Not-A-Virus.Downloader.Win32.WinFixer.o
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057677.exe
    Risk: Low

    Name: Adware.Virtumonde
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061468.dll
    Risk: Medium

    Name: Adware.Virtumonde
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061471.dll
    Risk: Medium

    Name: Adware.Virtumonde
    Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061473.dll
    Risk: Medium

    Name: Adware.Virtumonde
    Path: C:\VundoFix Backups\cbxxuvs.dll.bad
    Risk: Medium

    Name: Adware.Virtumonde
    Path: C:\VundoFix Backups\opnmjhg.dll.bad
    Risk: Medium

    Name: Adware.Virtumonde
    Path: C:\VundoFix Backups\tuvvwwu.dll.bad
    Risk: Medium

    Name: Adware.ZenoSearch
    Path: C:\WINDOWS\system32\nwinnndt.exe
    Risk: Medium

    Name: Downloader.VB.awj
    Path: C:\WINDOWS\system32\T1QaSQ\T1QaSQ1065.exe
    Risk: High

    Vundofix:
    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 6:31:54 PM 6/11/2007

    Listing files found while scanning....

    C:\windows\system32\cbxxuvs.dll
    C:\windows\system32\fchyvbyj.dll
    C:\windows\system32\ndviriyu.ini
    C:\windows\system32\opnmjhg.dll
    C:\windows\system32\ststv.bak1
    C:\windows\system32\ststv.bak2
    C:\windows\system32\ststv.ini
    C:\windows\system32\ststv.ini2
    C:\windows\system32\ststv.tmp
    C:\windows\system32\tuvvwwu.dll
    C:\windows\system32\uyirivdn.dll
    C:\WINDOWS\system32\vtsts.dll
    C:\WINDOWS\system32\wbwdmdae.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\cbxxuvs.dll
    C:\windows\system32\cbxxuvs.dll Has been deleted!

    Attempting to delete C:\windows\system32\fchyvbyj.dll
    C:\windows\system32\fchyvbyj.dll Has been deleted!

    Attempting to delete C:\windows\system32\ndviriyu.ini
    C:\windows\system32\ndviriyu.ini Has been deleted!

    Attempting to delete C:\windows\system32\opnmjhg.dll
    C:\windows\system32\opnmjhg.dll Has been deleted!

    Attempting to delete C:\windows\system32\ststv.bak1
    C:\windows\system32\ststv.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.bak2
    C:\windows\system32\ststv.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.ini
    C:\windows\system32\ststv.ini Has been deleted!

    Attempting to delete C:\windows\system32\ststv.ini2
    C:\windows\system32\ststv.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.tmp
    C:\windows\system32\ststv.tmp Has been deleted!

    Attempting to delete C:\windows\system32\tuvvwwu.dll
    C:\windows\system32\tuvvwwu.dll Has been deleted!

    Attempting to delete C:\windows\system32\uyirivdn.dll
    C:\windows\system32\uyirivdn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtsts.dll
    C:\WINDOWS\system32\vtsts.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wbwdmdae.dll
    C:\WINDOWS\system32\wbwdmdae.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

     
  4. bluecoal

    bluecoal Guest

    There is still one file hanging on.

    **) Please rename HijackThis.exe to catebooth.exe (or other name of your choice). Some problems are able to hide from HijackThis, and I would like to eliminate that as a consideration here.

    **) Start vundofix.
    Right click on the white space in the middle of the screen.
    Click the add more file button.
    Paste this path into the top line:
    C:\WINDOWS\system32\aahicjdu.dll
    Then click add files and close that window.
    Then click the remove vundo button.
    Let the program run and restart however many times it needs to.

    **) Let the renamed hijackthis fix these lines:
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\fchyvbyj.dll (file missing)
    O2 - BHO: (no name) - {F7BEAE86-0AD2-403C-9BC8-CD10228F617D} - C:\WINDOWS\system32\vtsts.dll (file missing)
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset
    O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing)

    **) Check your add remove programs for this:
    WinAntiVirus Pro 2007
    and remove if present.

    **) Did you have the ewido scan fix things? If not, you can run it again and have it fix the things it finds, except you can uncheck this one:
    Name: Not-A-Virus.Downloader.Win32.DigStream
    Path: C:\Program Files\DIGStream\digstream.exe
    Risk: Low

    **) As an additional check on things, please run this scanner:
    http://www.kaspersky.com/virusscanner
    It does not have an option to fix anything, it will just give a report.
    It will probably show infected files in vundo backups and system restore files. Those are not a problem because they can be deleted later. We are looking for other infected files.

    **) Please post the vundofix log, the Kaspersky scan log, and the new hijackthis log.

    **) Yes, you can update your Java and uninstall the old versions.

    bc
     
  5. catebooth

    catebooth Member

    Okay, I did everything you said but had a problem with the VundoFix... after doing what you said, when the computer started I would get a message stating that there was an "error loading C:\WINDOWS\system32\aahicjdu.dll".
    There was no WinAntiVirus Pro, it had been on my desk top previously, but I removed it. I did originally have the ewido scan fix things, so I didn't run it again.
    The virtumonde continues to be picked up by my spysweeper.
    I did download the latest Java.
    Here are my logs....
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:42:38 PM, on 6/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Catie.CATE\Desktop\catebooth.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172435746921
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 8872 bytes

    Wednesday, June 13, 2007 9:08:10 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 14/06/2007
    Kaspersky Anti-Virus database records: 324606


    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target Critical Areas
    C:\WINDOWS
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\

    Scan Statistics
    Total number of scanned objects 15529
    Number of viruses found 0
    Number of infected objects 0
    Number of suspicious objects 0
    Duration of the scan process 00:10:56

    Infected Object Name Virus Name Last Action
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90165157-7B44-49F0-922B-68099634D5A5}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr414.tmp Object is locked skipped
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr430.tmp Object is locked skipped
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr432.tmp Object is locked skipped
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr434.tmp Object is locked skipped
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr436.tmp Object is locked skipped
    C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr438.tmp Object is locked skipped

    Scan process completed.

    C:\windows\system32\opnmjhg.dll
    C:\windows\system32\ststv.bak1
    C:\windows\system32\ststv.bak2
    C:\windows\system32\ststv.ini
    C:\windows\system32\ststv.ini2
    C:\windows\system32\ststv.tmp
    C:\windows\system32\tuvvwwu.dll
    C:\windows\system32\uyirivdn.dll
    C:\WINDOWS\system32\vtsts.dll
    C:\WINDOWS\system32\wbwdmdae.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\cbxxuvs.dll
    C:\windows\system32\cbxxuvs.dll Has been deleted!

    Attempting to delete C:\windows\system32\fchyvbyj.dll
    C:\windows\system32\fchyvbyj.dll Has been deleted!

    Attempting to delete C:\windows\system32\ndviriyu.ini
    C:\windows\system32\ndviriyu.ini Has been deleted!

    Attempting to delete C:\windows\system32\opnmjhg.dll
    C:\windows\system32\opnmjhg.dll Has been deleted!

    Attempting to delete C:\windows\system32\ststv.bak1
    C:\windows\system32\ststv.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.bak2
    C:\windows\system32\ststv.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.ini
    C:\windows\system32\ststv.ini Has been deleted!

    Attempting to delete C:\windows\system32\ststv.ini2
    C:\windows\system32\ststv.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.tmp
    C:\windows\system32\ststv.tmp Has been deleted!

    Attempting to delete C:\windows\system32\tuvvwwu.dll
    C:\windows\system32\tuvvwwu.dll Has been deleted!

    Attempting to delete C:\windows\system32\uyirivdn.dll
    C:\windows\system32\uyirivdn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtsts.dll
    C:\WINDOWS\system32\vtsts.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wbwdmdae.dll
    C:\WINDOWS\system32\wbwdmdae.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\aahicjdu.dll
    C:\WINDOWS\system32\aahicjdu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:18:52 PM 6/13/2007

    Listing files found while scanning....

    No infected files were found.
     
  6. bluecoal

    bluecoal Guest

    My!

    I have been looking at vundo logs to prepare myself for the next answers to you. Your response was unexpected because it describes situations which I have not seen in other logs/threads. I do not know exactly what to do next. Questions to help in understanding the situation.

    **) Okay, I did everything you said but had a problem with the vundofix...after doing what you said and the computer started I would get a message stating that there was an "error loading C:\WINDOWS\system32\aahicjdu.dll"
    This is not a problem with the vundofix.

    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset
    That line in the previous hjt log associates the file with virtumonde.
    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\aahicjdu.dll
    C:\WINDOWS\system32\aahicjdu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    That portion of the vundofix log indicates that the file has been deleted. The error loading message would indicate that something was still trying to call/load the dll file. Did the error message just happen one time, or does it continue to happen (ie if you shut down your computer now and then restarted it, does it give you that same message about being unable to load the dll file)?

    **)
    There was no WinAntiVirus Pro, it had been on my desktop previously, but I removed it. I did originally have the ewido scan fix things, so I didn't run it again.
    Good.

    **)
    I did download the latest JAVA.
    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:18:52 PM 6/13/2007

    Listing files found while scanning....

    No infected files were found.
    This last section from the vundofix log indicates there are also still old versions of Java on the system.
    Please go to your add/remove programs and look for items with Java Runtime Environment (JRE or J2SE) in the name. Remove the ones related to these two versions: Java version is 1.4.2.3; Java version is 1.5.0.3.

    **)
    The virtumonde continues to be picked up by my spysweeper.

    This creates conflicting information which I do not know how to resolve. The HijackThis log appears to be clean. Vundofix is not finding any new issues. Kaspersky is not finding any vundo files. As I think about that, I am not sure what is going on there, because in previous logs I have worked, Kaspersky would flag the files in the C:\vundofix backup folder until they were deleted.

    Did you rehide system and protected files?
    Had you reenabled spysweeper protection when the last vundofix was run?
    Do the spysweeper error messages give you specific file names and/or file locations that we can work with?

    If spysweeper is seeing infected files that have already been cleaned in the vundofix backup folder or system restore, they are not a problem, because those files can be removed in final cleanup steps. If it is detecting files in Trend Micro’s quarantine folder, the same thing applies, they are cleaned files and can be deleted from the quarantine folder to make the error messages stop. If they are somewhere else, I need some name/location information to try to help you get them off the system.

    bc
     
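An added example, not code from this thread or from VundoFix/HijackThis: a small Python script that parses HijackThis O4 Run lines, pulls the DLL target out of any rundll32 command, and reports entries whose DLL is no longer on disk. That leftover Run value pointing at a deleted DLL is exactly the condition behind the "error loading C:\WINDOWS\system32\aahicjdu.dll" message bluecoal discusses above. The sample log lines and the stand-in file listing are constructed.

```python
import os
import re

# HijackThis O4 autorun line: "O4 - HKLM\..\Run: [Name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 invocation: optional quotes around the exe and the DLL path, then ",Export"
RUNDLL_RE = re.compile(
    r'"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)

# Constructed sample: two rundll32 lines seen in this thread plus an ordinary EXE entry.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset',
]
# Constructed stand-in for the disk after VundoFix deleted aahicjdu.dll (lowercased paths).
PRESENT = {r'c:\windows\system32\nvcpl.dll', r'c:\windows\ehome\ehtray.exe'}


def parse_o4(line):
    """Split an O4 line into hive, value name and command; None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll32_target(cmd):
    """Return (dll_path, export) for a rundll32 command, else None."""
    m = RUNDLL_RE.search(cmd)
    return (m.group('dll').strip(), m.group('export')) if m else None


def find_orphaned_rundll32(lines, present=None):
    """Return (value_name, dll, export) for every rundll32 Run entry whose DLL is missing.

    `present` is a set of lowercased paths standing in for the file system so the
    check runs offline; when it is None, os.path.exists is consulted instead, which
    is only meaningful on the machine the log came from.
    """
    def exists(path):
        return os.path.exists(path) if present is None else path.lower() in present

    orphans = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = rundll32_target(entry['cmd'])
        if target and not exists(target[0]):
            orphans.append((entry['name'], target[0], target[1]))
    return orphans


if __name__ == '__main__':
    for name, dll, export in find_orphaned_rundll32(SAMPLE_LOG, PRESENT):
        print(f'orphaned Run value [{name}] -> {dll},{export} (DLL missing; remove the value)')
```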
  7. catebooth

    catebooth Member

    Joined:
    Jun 8, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Sorry, my internet connection has been down...here's the latest I'm getting from my anti-virus, but nothing on spysweeper! What do you think?


    Real-time Scan
    Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.

    Infected file: C:\vundofix backups\uyirivdn.dll.bad
    Virus name: TROJ_VUNDO.ATO
    User name: Catie
    Scan action result: Quarantined.
    Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.

    Real-time Scan
    Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.

    Infected file: C:\vundofix backups\wbwdmdae.dll.bad
    Virus name: TROJ_VUNDO.AE
    User name: Catie
    Scan action result: Quarantined.
    Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.


     
  8. bluecoal

    bluecoal Guest

    Hi,

    Looks to me like the place it is finding things is in the c:\vundofix backup folder. You can delete the contents of that folder now.
     
  9. catebooth

    catebooth Member

    Joined:
    Jun 8, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Thanks, it seems to be working like its old self again!
    Thanks again for all of your help :)
     
  10. bluecoal

    bluecoal Guest
