Help I think I have a trojan conhooker virus and I cant get rid of it

sparky322 · Jan 12, 2008

Like the subject says I think I have this virus and I dont know how to get rid of it..Here is my logfile from Hijackthis if anyone can help I would appreciate it Thanks in advance Aaron
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:10 PM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Java\jre1.6.0\bin\jusched .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5734 bytes

Niobis · Jan 12, 2008

Hi sparky322, you are correct. There is malware present, but there are also missing entries in the HijackThis log. Usually, this is a clear sign of Vundo. Let's see if we can make those entries show before we clean anything.

Rename HijackThis.exe to any name of your choice.
Run a new scan and post the fresh log.

sparky322 · Jan 12, 2008

Ok I renamed the file and scanned again and this is what came up...thanks for your help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:23 PM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Java\jre1.6.0\bin\jusched .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5989 bytes

Niobis · Jan 13, 2008

You didn't rename the HijackThis.exe

In bold is what you need to rename:
C:\HijackThis\HijackThis.exe

Please rename that, then run a new scan.

sparky322 · Jan 13, 2008

Ok I am really a novice at this stuff I know just enough to screw everything up and not be able to fix it....I think I renamed it right this time...thanks for your patience

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:05 PM, on 1/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6358 bytes

Niobis · Jan 14, 2008

Ahh yes, there we go. Now they're showing like they should.

Note: you may want to print these instructions for easier reference.

Locate and delete the following:
C:\WINDOWS\System32\rvgkghen.dll

Run a scan with HijackThis and place a check beside the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b

Close all windows except HijackThis, then click "Fix checked".

Go to Start > Run > type services.msc and press Enter.
Locate the following: DomainService
Right-click "DomainService" and select "Properties".
Beside "Startup type" click the drop-down menu and select "Disabled".
Click OK and then close Services.

Open HijackThis.
Click "Main menu".
Click "Open the misc tools section".
Click "Delete an NT Service".
Paste this into the box: DomainService
Click OK.
When prompted to restart, click OK.

After the restart, go here and download CCleaner.
[bold]Note[/bold]: If you do not want Yahoo! Toolbar uncheck the option when installing.
Open CCleaner.
Click Options > Advance > uncheck "Only delete files in Windows Temp folders older than 48 hours".
Close all windows except CCleaner.
Click "Cleaner" > "Run Cleaner".
Exit CCleaner.

Then, go here to download the Kaspersky Virus Scanner.
Click "Download now".
After downloading, install.
Click "Next" on every option to accept default settings and click the "Complete" button for a full install.
After installing, you'll be taken to the Update page.
Click "Update now".
After the update, click "Close", then click "Next".
Uncheck "At program startup", then click "Next".
Click "Next" again, and then "Finish" to restart your computer.

After the restart, double-click the "K" icon in your system tray.
Select your C: drive and then click "Scan".
After the scan, click "All reports".
Click the completed scan to highlight it.
Click "Save as" and save the report to your desktop.
Close the Kaspersky Scanner.

Run a new scan with HijackThis to get a fresh log.
Please post the new HijackThis log along with the Kaspersky report.

sparky322 · Jan 14, 2008

I am having a hard time locating that file, I looked under my computer hard drive c, system 32 and its no where to be found in that folder. I tried to do a file search and it came back empty as well. Am I going about deleting this file the wrong way? I will attach another log file for you to view but I believe I still see the file like the last log file....thanks again for your help and patience.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:08 PM, on 1/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6391 bytes

Niobis · Jan 14, 2008

It's most likely hidden, but that's okay. Just continue with the instructions. We'll deal with it after I see the Kaspersky report.

sparky322 · Jan 15, 2008

Ok I followed your instructions and here are the two log files you asked for, thanks again so much for all your help.

Kaspersky Report:
Protection
----------
Total scanned: 240239
Detected: 1
Untreated: 0
Start time: 1/15/2008 5:47:46 PM
Duration: 00:00:01
Finish time: 1/15/2008 5:47:47 PM

Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.fe File: C:\Program Files\Norton AntiVirus\Quarantine\517A0BA1//CryptFF//PE_Patch.UPX//UPX

Events
------
Time Event
---- -----
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{080F1793-0E35-4658-9F04-7B77EE293F02}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{25F128DE-4506-4CA2-8328-E88E923ADDBC}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{32EC4470-E147-415D-A734-EF6D9FD0F847}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{3CF1E794-78E0-485D-B6DE-303E7CC1C3F2}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{4C55F23C-DC30-44BB-81F9-D3F0742B6AF9}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{4FC241E8-226D-4C2B-943B-FDED191A9AF3}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{63F361AF-F466-49EA-AF9E-514C5D4D02EF}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{6714C86A-2AEF-46BF-8666-FB17484B5921}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{7D4746F2-699B-44E5-975F-DAA1172AA61B}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{A5A857F2-4F7E-4758-A87C-B595EB54E8CA}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{AE811B9A-655D-4F75-9906-426361B5626C}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{B673F6C3-B537-41B9-81C2-A5BD8F1ABC07}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{B6F3A572-F74B-4BF2-90BB-DEA1539ADFB6}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{B737C7A8-9779-4ED1-9AEB-AAEF81653981}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{CA4A8D0B-91CB-4CE8-826D-0586C45EF04F}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{CD31413E-F514-48D4-8936-3D8590FB76EA}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{D74EFB1D-6DEA-4699-93DD-7D24AFD5E54E}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{EBBAEB19-3BCD-4576-B87C-A3525A9300FB}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{EBCE40B4-7CDB-46CA-BCBE-6D58ED354832}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/backup.db: is password protected.
1/15/2008 6:46:25 PM File C:\Program Files\Norton AntiVirus\Quarantine\517A0BA1//CryptFF//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fe'.
1/15/2008 6:46:25 PM Security threats have been detected. You are advised to neutralize them immediately.
1/15/2008 6:46:25 PM File C:\Program Files\Norton AntiVirus\Quarantine\517A0BA1//CryptFF//PE_Patch.UPX//UPX: is still infected, postponed.
1/15/2008 6:46:50 PM File c:\program files\norton antivirus\quarantine\517a0ba1//CryptFF//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fe'.
1/15/2008 6:47:29 PM File c:\program files\norton antivirus\quarantine\517a0ba1: deleted.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@2o7[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@advertising[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@edge.ru4[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@fastclick[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@ehg-wachovia.hitbox[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@hitbox[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@mediaplex[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@realmedia[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@trafficmp[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@tribalfusion[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@ad.yieldmanager[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@adlegend[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@att[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@atwola[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@casalemedia[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@insightexpressai[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@zedo[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@ad.yieldmanager[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adlegend[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adlegend[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@advertising[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@doubleclick[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@mediaplex[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@mediaplex[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@ads.pointroll[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@ad.yieldmanager[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@ad.yieldmanager[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@adlegend[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@www.lowermybills[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@partner2profit[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@register[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@register[3].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071002022113.zip/owner@register[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071002022113.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@att[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@att[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@register[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@register[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@exitexchange[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@interclick[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@ads.mediamayhemcorp[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@ad.yieldmanager[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@ad.yieldmanager[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@advertising[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@advertising[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@doubleclick[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@doubleclick[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@loc1.hitsprocessor[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@mygeek[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@zedo[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@zedo[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071222114411.zip/owner@enhance[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071222114411.zip/owner@quantserve[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@mygeek[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@mygeek[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@quantserve[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@quantserve[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adrevolver[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adrevolver[3].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@media.adrevolver[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@specificclick[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@burstnet[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@www.burstnet[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@mygeek[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@ads.pointroll[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@anad.tacoda[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@specificclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@atdmt[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@burstnet[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@burstnet[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@www.burstnet[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@www.burstnet[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@anad.tacoda[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@anat.tacoda[1].txt: is password protected.

Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Update completed 1/15/2008 5:45:52 PM 1/15/2008 5:47:10 PM 146.9 KB
Scan completed 1/15/2008 5:47:59 PM 1/15/2008 7:26:15 PM 48.3 MB

Quarantine
----------
Status Object Size Added
------ ------ ---- -----

Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan-Downloader.Win32.PurityScan.fe c:\program files\norton antivirus\quarantine\517a0ba1 73.6 KB

Hijack This Log File:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:28 PM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6157 bytes

Niobis · Jan 15, 2008

Alright, HijackThis log is looking better, but a trojan still remains.

Download VundoFix to your desktop.

Double-click VundoFix.exe to run it.
Click "Scan for Vundo".
Once it's done scanning, click "Remove Vundo".
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
VundoFix will create a log at C:\vundofix.txt.

Empty the quarantine for each of the following:
SUPERAntiSpyware
Norton AntiVirus
Yahoo! Anti-Spy

Run a new scan with HijackThis to get a fresh log.
Please post back with the VundoFix log and the new HijackThis log.

-----------------------------------------------------

You have two antivirus programs running. This can cause conflicts and may produce false positives. You need to choose the one you like best (Norton or AVG) and uninstall the other. My recommendation would be to uninstall Norton as it is a heavy resource program. If you choose to uninstall Norton let me know because to fully remove it from your computer you will need to do a few things.

You may also uninstall the Kaspersky Scanner, but if you choose to keep it, fix this entry with HijackThis: (prevents running on startup)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"

sparky322 · Jan 16, 2008

Well its good to hear that we are making progress but still keep getting pop-ups....I had already downloaded the Vundofix last week sometime and ran it, when I ran it today it didn't see any trojans, I deleted all the quarantine from the 3 files you mentioned. Norton didn't have any, yahoo at about 69, and the other one had alot I believe it called it the virus vault not the quarantine so I hope I deleted the right stuff.
I was interested in deleting the norton file so if you could explain how to do that I would appreciate it.

Here is the logfile you asked for not real sure if you want to see the old vundo log or since its clean you want to take another route. Thanks again
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:57 PM, on 1/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5953 bytes

Niobis · Jan 16, 2008

You're still getting popups because Vundo is still present. It is in a temp folder so that may be the reason VundoFix cannot see it. Let's try deleting it manually.

Go here and download KillBox to your desktop.

Open Killbox.
Check "Unregister dll Before Deleting"
Next, in the "Full Path of File to Delete" box, copy/paste the following(in bold).
C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll
Then, click the red button with a white X.
You will be prompted to confirm, click "Yes".
Close KillBox.

Next, run a scan with HijackThis and check and fix this entry(if there):
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll

Restart your computer.
Run a scan HijackThis to get a fresh log and post it.

As for removing Norton, we will do that once we know your computer is clean. There are also some other updates that need to be installed, but not until the computer is clean of malware.

bluecoal · Jan 16, 2008

It's my understanding that vundofix gets updates, it might be worthwhile to download a fresh copy and try again.

Also, if you right click the white space in the middle of the vundofix screen, you can get to a screen where you can add file paths of files you want to delete, you could try that for your stubborn file too.

sparky322 · Jan 16, 2008

I followed your directions and downloaded the killbox program, it said it was unable to delete the file. I did check the right box like you had instructed, so whats the next step...thanks again for all your time.

sparky322 · Jan 16, 2008

Not sure if it matters but here is the updated logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:24 PM, on 1/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {329D4271-49D5-42D0-9D95-5D85A3006782} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5726 bytes

Niobis · Jan 16, 2008

Try deleting it with KillBox in safe mode.
Save those KillBox instructions to Notepad if you need them.
Restart your computer. Before the Windows load screen press F8, select "Safe Mode" from the menu and press Enter.
Then, follow the KillBox instructions.

If KillBox still cannot delete the file, try deleting it with VundoFix manually as bluecoal suggested. Do this in normal mode.

Open VundoFix.
Right-click the white window and select "Add more files?"
Paste this into the first box: C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll
Paste this into the second box: utvyb.*
Click the "Add files" button.
Then, click the "Close window" button.
Finally, click "Remove Vundo".

Then, after the restart fix that entry with HijackThis mentioned in my last post.
Run a new scan and post the fresh log.

Edit: if you have to use VundoFix to delete the file, please post the VundoFix log along with your HijackThis log.

sparky322 · Jan 16, 2008

I deleted the file manually using the vundo program and then I fixed it with hijack this here is the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:22 PM, on 1/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5605 bytes

Niobis · Jan 16, 2008

Does the VundoFix log report deleting the file?

KotaGuy · Jan 17, 2008

Hey there Niobis.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

Note the space between the "k" and the "."

This Vundo infection is the new thing its been doing... namely infecting files. That qttask .exe is infected. Vundo will have appeneded itself to that file... its probably grown by about 300kb or so from the size it should be.

A ComboFix scan will show it and using CFScript.txt with File::, RenV::, and Registry:: sections you can deal with the rest of the files its dropped and infected.

It typically has a couple new reg entries it loads itself into that need to be turfed as well... particularily the lsa Key which will need to be overwritten with the proper Hex.

Niobis · Jan 17, 2008

Wow, thanks for that KotaGuy. I never would have saw that. Looking into it now.

Log in or Sign up

Help I think I have a trojan conhooker virus and I cant get rid of it

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

bluecoal Guest

sparky322 Member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

KotaGuy Regular member

Niobis Active member

Share This Page

Log in or Sign up

Help I think I have a trojan conhooker virus and I cant get rid of it

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

bluecoal Guest

sparky322 Member

sparky322 Member

Niobis Active member

sparky322 Member

Niobis Active member

KotaGuy Regular member

Niobis Active member

Share This Page

Useful Searches