1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WinAntiVirus Removal Help...VundoFix.exe didn't work

Discussion in 'Windows - Virus and spyware problems' started by nocando07, Jun 14, 2007.

  1. nocando07

    nocando07 Member

    Joined:
    Jun 14, 2007
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    My computer is infected with WinAntiVirus and I tried running Vundofix.exe to get rid of it, but I still get pop-ups. Not as much as before, but they're still there. Can anybody please help me?

    Here's my hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:15:06 PM, on 6/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\jfsaqia.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\svhost.exe
    C:\WINDOWS\retadpu77.exe
    C:\WINDOWS\jfsaqiaA.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\cfg32a.exe
    C:\WINDOWS\retadpu77.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Documents and Settings\Linda\Desktop\HiJackThis_v2.0.0.0.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pfqbhtpn.dll
    O2 - BHO: (no name) - {749FEBCD-663C-40CF-B6C8-65A7186BBF19} - C:\Program Files\Messenger\qubog58441.dll
    O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\byxxxya.dll (file missing)
    O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
    O2 - BHO: (no name) - {E35FEC99-CBEB-4084-94DF-6DD84C3B7896} - C:\WINDOWS\system32\ssttr.dll (file missing)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe" -nag
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [jfsaqiaA] C:\WINDOWS\jfsaqiaA.exe
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\wrkrhvst.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [RAM Booster Expert] "C:\Program Files\Bodrag\RAM Booster Expert\RAMBooster.exe" /start
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jfsaqia.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\xuveneg.html
     
    nocando07, Jun 14, 2007
    #1
  2. nocando07

    nocando07 Member

    Joined:
    Jun 14, 2007
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Ok, I ran Ad-aware, Spybot, AVG, and CCleaner. And it still doesn't help much. The pop-ups aren't appearing as often, but they still do every now and then.

    It pops up as:

    File Download - Security Warning
    Do you want to run or save this file?
    Name: WinAntiSpyware2007FreeInstall.exe
    Type: Application, 86.2KB
    From: download.cdn.winsoftware.com

    Along with some other site it's advertising...but I just x out of both.


    Here's the hjt log after running all the programs listed above:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:29:56 PM, on 6/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\svhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Documents and Settings\Linda\Desktop\HiJackThis_v2.0.0.0.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pfqbhtpn.dll
    O2 - BHO: (no name) - {749FEBCD-663C-40CF-B6C8-65A7186BBF19} - C:\Program Files\Messenger\qubog58441.dll
    O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\byxxxya.dll (file missing)
    O2 - BHO: (no name) - {E35FEC99-CBEB-4084-94DF-6DD84C3B7896} - C:\WINDOWS\system32\ssttr.dll (file missing)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe" -nag
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\wrkrhvst.dll",realset
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [RAM Booster Expert] "C:\Program Files\Bodrag\RAM Booster Expert\RAMBooster.exe" /start
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\xuveneg.html

    --
    End of file - 7795 bytes
     
    Last edited: Jun 14, 2007
    nocando07, Jun 14, 2007
    #2
  3. bluecoal

    bluecoal Guest

    Additional tools and steps that may help improve your situation:

    ~~~~
    There is at least 1 file on your system this tool will clean.

    Download SDFix and save it to your Desktop.
    http://downloads.andymanchesta.com/r...ools/sdfix.zip

    Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop.
    Reboot your computer in Safe Mode.
    Open the extracted SDFix folder and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.
    It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.
    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    Copy and paste the contents of the results file Report.txt back onto the forum with a new hijackthis log.
    ~~~~
    Uninstall WinAntiSpyware2007
    ~~~~
    Hopefully, this will force delete of one vundo problem file.

    If you are not running vundofix 6.5.0, delete your version and get the current one:
    http://www.atribune.org/content/view/24/2/
    Start vundofix again:
    Scan for vundo.
    Right click white area where files for removal are displayed.
    Answer yes for adding files\
    Paste this file path in the first line
    C:\WINDOWS\system32\wrkrhvst.dll
    Close out of the add files screen.
    Do the remove vundo step.
    Post the vundofix log.
    ~~~~
    Instructions copied from elsewhere for removing a file and running an additional cleanup tool:

    Are you familiar with the following entry:
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\xuveneg.html

    It corresponds to a Windows Active Desktop Component.

    Active Desktop Components are local or remote html files that are embedded directly onto the Desktop as a background. Some infections use this method to embed messages, pictures, or web pages directly on to a users Desktop.

    If you did not configure the above Active Desktop Component, then remove it as follows:

    Go to Start > Control Panel
    Double-click on the Display icon
    Click on the Desktop tab
    Click on Customize Desktop
    On the new Window, click on the Web tab

    Under the Web pages box, you will see a list of Active Desktop Components. Select:
    xuveneg.html
    Click: Delete

    Press OK to close the screen, then press the Apply > OK to close the Display icon

    If you removed the Active Desktop Component, check box in HijackThis for the O24 entry mentioned above, and then search for and remove the following:
    C:\Program Files\MSN\xuveneg.html

    ~~~~
    Restart the computer

    ~~~~
    Now, download SuperAntiSpyware Home Edition Free Version
    http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
    Install the program

    Run SuperAntiSpyware and click: Check for updates
    Once the update is finished, on the main screen, click: Scan your computer
    Check: Perform Complete Scan
    Click Next to start the scan.

    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Click Finish

    It is possible that the program asks to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    Click: Preferences
    Click the Statistics/Logs tab
    Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    Please provide the information in the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
     
    bluecoal, Jun 15, 2007
    #3
  4. nocando07

    nocando07 Member

    Joined:
    Jun 14, 2007
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    I ran VundoFix again and pasted the filepath C:\Windows\system32\wrkrhvst.dll and deleted it, but now every time I turn on my computer it says that the file cannot be found and error running dll. Can you tell me what that file was for?

    Here's the Vundofix log:
    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 7:30:32 PM 6/14/2007

    Listing files found while scanning....

    C:\windows\system32\bywflnbm.exe
    C:\windows\system32\byxxxya.dll
    C:\windows\system32\kbdpmaep.dll
    C:\windows\system32\khfeccb.dll
    C:\WINDOWS\system32\rttss.bak1
    C:\WINDOWS\system32\rttss.ini
    C:\WINDOWS\system32\ssttr.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\bywflnbm.exe
    C:\windows\system32\bywflnbm.exe Has been deleted!

    Attempting to delete C:\windows\system32\byxxxya.dll
    C:\windows\system32\byxxxya.dll Has been deleted!

    Attempting to delete C:\windows\system32\kbdpmaep.dll
    C:\windows\system32\kbdpmaep.dll Has been deleted!

    Attempting to delete C:\windows\system32\khfeccb.dll
    C:\windows\system32\khfeccb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rttss.bak1
    C:\WINDOWS\system32\rttss.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rttss.ini
    C:\WINDOWS\system32\rttss.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ssttr.dll
    C:\WINDOWS\system32\ssttr.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 6:07:12 PM 6/15/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\wrkrhvst.dll
    C:\WINDOWS\system32\wrkrhvst.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 7:14:30 PM 6/15/2007

    Listing files found while scanning....

    No infected files were found.



    Here's the hjt log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:23:48 PM, on 6/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Linda\Desktop\HiJackThis_v2.0.0.0.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\byxxxya.dll (file missing)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe" -nag
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\wrkrhvst.dll",realset
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    --



    And the SuperAntiSpyware log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/15/2007 at 08:33 PM

    Application Version : 3.8.1002

    Core Rules Database Version : 3255
    Trace Rules Database Version: 1266

    Scan type : Complete Scan
    Total Scan Time : 01:00:20

    Memory items scanned : 490
    Memory threats detected : 1
    Registry items scanned : 7246
    Registry threats detected : 34
    File items scanned : 75294
    File threats detected : 70

    Trojan.Downloader-NewJuan/VM
    C:\WINDOWS\SYSTEM32\PFQBHTPN.DLL
    C:\WINDOWS\SYSTEM32\PFQBHTPN.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{E35FEC99-CBEB-4084-94DF-6DD84C3B7896}
    HKCR\CLSID\{E35FEC99-CBEB-4084-94DF-6DD84C3B7896}
    HKCR\CLSID\{E35FEC99-CBEB-4084-94DF-6DD84C3B7896}\InprocServer32
    HKCR\CLSID\{E35FEC99-CBEB-4084-94DF-6DD84C3B7896}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSTTR.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E35FEC99-CBEB-4084-94DF-6DD84C3B7896}

    Trojan.ZQuest
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{749FEBCD-663C-40CF-B6C8-65A7186BBF19}
    HKCR\CLSID\{749FEBCD-663C-40CF-B6C8-65A7186BBF19}
    HKCR\CLSID\{749FEBCD-663C-40CF-B6C8-65A7186BBF19}
    HKCR\CLSID\{749FEBCD-663C-40CF-B6C8-65A7186BBF19}\InProcServer32
    HKCR\CLSID\{749FEBCD-663C-40CF-B6C8-65A7186BBF19}\InProcServer32#ThreadingModel
    C:\PROGRAM FILES\MESSENGER\QUBOG58441.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\Linda\Cookies\linda@adsrevenue[1].txt
    C:\Documents and Settings\Linda\Cookies\linda@revenuesense[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@casalemedia[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@cts.metricsdirect[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@data1.perf.overture[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@indextools[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@lynxtrack[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@nextag[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@overture[2].txt
    C:\Documents and Settings\Guest\Cookies\guest@perf.overture[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt
    C:\Documents and Settings\Guest\Cookies\guest@roiservice[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@rotator.adjuggler[2].txt
    C:\Documents and Settings\Guest\Cookies\guest@searchadnetwork[2].txt
    C:\Documents and Settings\Guest\Cookies\guest@www.searchadnetwork[1].txt
    C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[1].txt
    C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[2].txt
    C:\Documents and Settings\HP_Owner\Cookies\hp_owner@mediaplex[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@2o7[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@ad.yieldmanager[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@adinterax[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@ads.addynamix[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@ads.pointroll[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@advertising[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@atdmt[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@bluestreak[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@bs.serving-sys[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@casalemedia[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@citi.bridgetrack[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@doubleclick[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@ehg-airtran.hitbox[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@hitbox[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@media.hotels[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@mediaplex[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@overture[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@questionmarket[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@realmedia[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@roiservice[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@serving-sys[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@statcounter[1].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@tacoda[2].txt
    C:\Documents and Settings\Whoever\Cookies\whoever@tribalfusion[1].txt

    Trojan.Windows Overlay Components/SysMon
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

    Adware.ClickSpring/Outer Info Network
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

    Adware.180solutions/Search Assistant
    C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMP\DEL1FFB.TMP
    C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMP\DEL2.TMP
    C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMP\DEL8.TMP
    C:\DOCUMENTS AND SETTINGS\HP_OWNER\LOCAL SETTINGS\TEMP\ZANGO\MESSENGER\BIDULATOR.EXE
    C:\DOCUMENTS AND SETTINGS\HP_OWNER\LOCAL SETTINGS\TEMP\ZANGO\MESSENGER\INSTALLERSHELL.EXE
    C:\TEMP\FLEOK\SALM.EXE

    Adware.RAC
    C:\DOCUMENTS AND SETTINGS\LINDA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4XGM2T83\ACDT-PID67N[1].EXE

    Adware.ClickSpring/Yazzle
    C:\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE
    C:\WINDOWS\PREFETCH\YAZZLE1549OINADMIN.EXE-0C086C08.PF
    C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1549.EXE-07517F69.PF

    Adware.WebBuying-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0211851.EXE

    Trojan.Downloader-WebBuying/PopEngine
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0211853.DLL

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0211869.EXE

    Trojan.Downloader-Gen/Blah
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0211896.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0211898.DLL
    C:\VUNDOFIX BACKUPS\BYXXXYA.DLL.BAD
    C:\VUNDOFIX BACKUPS\KHFECCB.DLL.BAD

    Adware.SearchClickAds
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0212489.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0212490.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP771\A0212491.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP772\A0212499.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP772\A0212500.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP772\A0212501.EXE
     
    Last edited: Jun 15, 2007
    nocando07, Jun 15, 2007
    #4
  5. bluecoal

    bluecoal Guest

    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\wrkrhvst.dll",realset

    It goes with that line which is a vundo line. If you are really concerned about, it is in c:vundofix backups, renamed. I would not recommend it, but you can put it back from there if you wish. Or you can also submit it to a virus scanning site for checking.

    Something is still calling it. If you check and fix that o4 line in hijackthis, does the error message go away?
     
    bluecoal, Jun 15, 2007
    #5
  6. nocando07

    nocando07 Member

    Joined:
    Jun 14, 2007
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Yea, that did it. The error message didn't come up when I started up the comp this time.
     
    nocando07, Jun 15, 2007
    #6
  7. bluecoal

    bluecoal Guest

    Hi,

    I am sorry, I am going to have to be away for 3-4 days, and I don't have time to do further review and help here right now.


    O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\byxxxya.dll (file missing)
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe" -nag

    These lines still need some research about what to do with them.

    The poolsv particularly. If you can google the link for virustotal or jotti virus scan and scan that file to see if it is infected that would be good. If it turns out to be infected you should delete it and fix the line. I think the other lines need to be deleted.

    If you don't have any other help by then, I will try to do some more research on that stuff for you later next week.

    regards
    bc
     
    bluecoal, Jun 15, 2007
    #7
  8. nocando07

    nocando07 Member

    Joined:
    Jun 14, 2007
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Thank you for the help. I scanned it and it was infected so I deleted and fixed it.

    I think the immediate thread is gone, so no rush or anything. You've been a great help already.

    Here's the hjt log after the fix:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:56:43 AM, on 6/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5346.0005)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

     
    nocando07, Jun 16, 2007
    #8
  9. bluecoal

    bluecoal Guest

    Hi,

    You can have hijackthis fix this line:
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    THe log looks ok and it looks like superantispyware cleaned up a bunch of stuff.

    How is the computer running now?
     
    bluecoal, Jun 24, 2007
    #9
  10. nocando07

    nocando07 Member

    Joined:
    Jun 14, 2007
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Thanks. The computer is working fine now. No more pop-ups or anything.
     
    nocando07, Jun 25, 2007
    #10
  11. bluecoal

    bluecoal Guest

    bluecoal, Jun 26, 2007
    #11

Share This Page