winsinstall.exe removal

Discussion in 'Windows - Virus and spyware problems' started by corumisri, Dec 31, 2008.

  1. corumisri

    corumisri Member

    All of a sudden my computer has gone haywire with constant pop-ups being thrown onto my screen every time I open up Firefox. I ran AVG and it says I have a crap ton of viruses and I am trying to get rid of each and every one manually. Does anyone know how to get rid of winsinstall (NOT WININSTALL)? I have tried looking online and I think this is the most annoying virus I have on my computer at the moment. Thanks for any help. FYI I would rather not have to install anything new, but if it is really going to help I guess I can't help it.
     
  2. 2oldGeek

    2oldGeek Active member

    Hi corumisri,

    In order to clean up most malware problems and make a final cleaning of the leftovers easier, please do the following pre-clean. It may very well take care of your problems without the need of further cleaning:

    Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

    Please download and install SUPERAntiSpyware Free

    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
    • Under the "Configuration and Preferences", click the Preferences... button.
    • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
    • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.

    • Click the "Close" button to leave the control center screen and exit the program.
    Do not run a scan just yet.


    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • "Close" the program. Do not run a scan just yet.

    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and before the Windows icon appears press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.


    Scan with SUPERAntiSpyware as follows:

    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.

    • Click Close to exit the program.


    Scan with Malwarebytes' Anti-Malware as follows:

    Double-click and run mbam
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt


    Reboot to Normal Mode


    If you’re still having problems:

    Download and install TrendMicro HijackThis.exe (HJT)

    • Double-click on HJTInstall.
    • Click on the Install button.
    • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    • Upon install, HijackThis should open for you.
    • Click on the Do a system scan and save a log file button
    • Hijackthis will scan and then a log will open in notepad.
    Copy and then paste the entire contents of the log in your post.
    Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

    Please describe those problems as best you can and post the SUPERAntiSpyware Log, Malwarebytes' Anti-Malware Log and a fresh HijackThis Log in your next reply.


    2OG
     
  3. khadden

    khadden Member

    Thanks for the help. I have AVG Internet Security (up to date) and am VERY disappointed that it didn't block winsinstall.exe from my computer. Anyway... here are the log files that you requested we post. My Internet Explorer is still locking up but I am going to give it a couple days to see if it is just an internet thing or still something on my computer.

    Thanks! khadden

    SUPERAntiSpyware Scan Log - 01-11-2009 - 05-15-49.log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/11/2009 at 05:15 AM

    Application Version : 4.24.1004

    Core Rules Database Version : 3705
    Trace Rules Database Version: 1680

    Scan type : Complete Scan
    Total Scan Time : 01:16:44

    Memory items scanned : 219
    Memory threats detected : 2
    Registry items scanned : 6890
    Registry threats detected : 76
    File items scanned : 142163
    File threats detected : 7

    Trojan.Vundo-Variant/Packed-GEN
    C:\WINDOWS\SYSTEM32\VTUOOHGG.DLL
    C:\WINDOWS\SYSTEM32\VTUOOHGG.DLL
    C:\WINDOWS\SYSTEM32\WVUMJHYQ.DLL
    C:\WINDOWS\SYSTEM32\WVUMJHYQ.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}
    HKCR\CLSID\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}
    HKCR\CLSID\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}\InprocServer32
    HKCR\CLSID\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}\InprocServer32#ThreadingModel
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtUoOhgg
    C:\WINDOWS\SYSTEM32\SSQNOETU.DLL

    Adware.Prun-A
    [prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
    C:\WINDOWS\SYSTEM32\PRUNNET.EXE
    [prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

    Rogue.AntiSpywareMaster
    HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKLM\SOFTWARE\Microsoft\RemoveRP
    HKLM\SOFTWARE\Microsoft\MS Juan
    HKLM\SOFTWARE\Microsoft\MS Juan#RID
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe#LU
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe#CT
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe#LT
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
    HKLM\SOFTWARE\Microsoft\contim
    HKLM\SOFTWARE\Microsoft\contim#SysShell
    HKLM\SOFTWARE\Microsoft\MS Track System
    HKLM\SOFTWARE\Microsoft\MS Track System#Uid
    HKLM\SOFTWARE\Microsoft\MS Track System#Shows
    HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
    HKLM\SOFTWARE\Microsoft\rdfa
    HKLM\SOFTWARE\Microsoft\rdfa#F
    HKLM\SOFTWARE\Microsoft\rdfa#N
    C:\WINDOWS\SYSTEM32\MCRH.TMP

    Rogue.VirusRemover2008
    HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
    HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\VirusRemover2008
    HKLM\Software\VirusRemover2008

    Rogue.Component/Trace
    HKLM\Software\Microsoft\16781358
    HKLM\Software\Microsoft\16781358#16781358
    HKLM\Software\Microsoft\16781358#Version
    HKLM\Software\Microsoft\16781358#1678bed8
    HKLM\Software\Microsoft\16781358#1678d73d
    HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\CS41275
    HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\FIAS4018

    Adware.Prun
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]
    HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]

    Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\FFKUZ.DLL

    Trojan.Vundo-Variant/Small-GEN
    C:\WINDOWS\SYSTEM32\JKKKEBXV.DLL

    mbam-log-2009-01-11 (09-29-02).txt
    Malwarebytes' Anti-Malware 1.32
    Database version: 1638
    Windows 5.1.2600 Service Pack 2

    1/11/2009 9:29:02 AM
    mbam-log-2009-01-11 (09-29-02).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 196790
    Time elapsed: 53 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 10
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\kokhgbys.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\rnoavs.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97d02d5b-0111-4ddc-92be-c033df03fec2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{97d02d5b-0111-4ddc-92be-c033df03fec2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97d02d5b-0111-4ddc-92be-c033df03fec2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\167801d6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\rnoavs.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\kokhgbys.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\sybghkok.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Karen\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Karen\Local Settings\Temp\senekaa079.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dammyagn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\senekagkhroyep.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\senekaixeaswie.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\senekapsfojwpv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
     
  4. 2oldGeek

    2oldGeek Active member

    Hi khadden,

    Looks like that cleared a lot of problems..
    Please post a HJT Log and let me know if you still have problems and what they are?

    Download TrendMicro HijackThis.exe (HJT)
    • Double-click on HJTInstall.
    • Click on the Install button.
    • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    • Upon install, HijackThis should open for you.
    • Click on the Do a system scan and save a log file button
    • Hijackthis will scan and then a log will open in notepad.
    Copy and then paste the entire contents of the log in your post.
    Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


    2OG
     
  5. khadden

    khadden Member

    Wow that was a quick response! I had already run the other program but didn't post the results so here they are:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:49:57 AM, on 1/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Vongo\VongoService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\Program Files\CalendarPal\CalendarPal.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2515.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
    O4 - HKCU\..\Run: [CalendarPal] C:\Program Files\CalendarPal\CalendarPal.exe -min
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/luxor_2/mjolauncher.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
    O20 - AppInit_DLLs: rnoavs.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

    --
    End of file - 9530 bytes
     
  6. 2oldGeek

    2oldGeek Active member

    khadden,

    Sorry to alarm you, but I was sitting at the computer when your post came through.. : )

    Log looks clean except for one entry, that I cannot find any info on… It’s probably a random file name and I just can’t trust those…

    Do the following and let me know if you have any problems and what they are……

    Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)

    O20 - AppInit_DLLs: rnoavs.dll

    IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    Click the Fix checked button and close HiJackThis


    2OG
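The entry 2oldGeek singles out above is a good illustration of how a HijackThis log is read: the section prefix (O20, O4, R1...) tells you which load point the line came from, and the judgement is about whether a legitimate program would plausibly use that load point with that name and path. The script below is an added example written for this thread, not a tool from HijackThis or from 2oldGeek; it applies a few triage heuristics of that kind to HJT-format lines. The sample lines are constructed in the same format as the logs posted here, and the heuristics (the temp-directory check, the "random-looking name" rule, the bare-hostname check) are this example's own assumptions, so expect false positives and treat hits as things to look up, not things to delete.

```python
import re

# Constructed sample in HijackThis 2.0.2 line format; the entries mirror the
# kinds of lines seen in the logs posted in this thread, not a complete log.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: rnoavs.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section prefix, then body
ENTRY_RE = re.compile(r"^([RFON]\d+)\s+-\s+(.*)$")
# Body of an O4 registry Run/RunOnce entry: [value name] command line
RUN_RE = re.compile(r"^.*\\\.\.\\Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Assumed heuristic: autoruns launched from temp or per-user data folders
TEMP_DIR_RE = re.compile(r"\\(Temp|Application Data|LOCALS~1|APPLIC~1)\\", re.IGNORECASE)


def looks_random(name):
    """Crude heuristic (this example's assumption, not a HijackThis rule):
    an autorun value name of 8+ alphanumerics mixing two or more digits
    into letters, like lrijh8s73jhbfgfd, is rarely chosen by an installer."""
    alnum = re.sub(r"[^A-Za-z0-9]", "", name)
    digits = sum(c.isdigit() for c in alnum)
    letters = sum(c.isalpha() for c in alnum)
    return len(alnum) >= 8 and digits >= 2 and letters >= 1


def triage(log_text):
    """Return a list of {severity, line, reasons} for lines worth a second look.
    Lines that trigger no heuristic are not reported."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        reasons, severity = [], None

        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                severity = "high"
                reasons.append(f"AppInit_DLLs loads {dlls} into every process that maps user32.dll")
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                if TEMP_DIR_RE.search(r.group("cmd")):
                    severity = "high"
                    reasons.append("autorun launches from a temp or per-user data directory")
                if looks_random(r.group("name")):
                    severity = severity or "medium"
                    reasons.append("autorun value name looks machine-generated")
        elif section in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value and value != "about:blank" and not value.lower().startswith(("http://", "https://")):
                severity = "medium"
                reasons.append("browser start/search setting points at a bare host name")
        elif section == "O10":
            severity = "info"
            reasons.append("Winsock LSP HijackThis could not identify; confirm the vendor before fixing")

        if reasons:
            findings.append({"severity": severity, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']}] {f['line']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

On the sample above it reports the prosearching.com start page, the Temp-folder autorun, the unidentified LSP and the AppInit_DLLs line, and stays silent on the AVG, ctfmon, Winlogon Notify and service entries. To use it on a real log, read the saved hijackthis.log into a string and pass it to triage(); the result is a list you can sort by severity before deciding what to look up.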
     
  7. khadden

    khadden Member

    Thanks for your help! I made the change, rebooted and so far so good!

    Have a great day!

    K
     
  8. 2oldGeek

    2oldGeek Active member

    Glad I could help.

    Any more problems, just give me a shout..

    2OG
     
  9. Modzey

    Modzey Member

    I am having a very similar problem to the one above. Winsinstall got onto my computer somehow. My Norton antivirus has been disabled, IE will not load or, by the looks of it, attempt to load any websites, and my system restore seems to not be working either. I went through the steps above with the virus scans and all, but also for some reason some of the virus programs could not check for updates. Also my computer is overall running incredibly slower than normal (lagging when typing). After I went through those scans I did run HijackThis and was wondering if anyone could give me some help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:11:41 PM, on 1/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
    O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.windowsupdate.com
    O20 - AppInit_DLLs: ikizhs.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

    --
    End of file - 8846 bytes
     
  10. 2oldGeek

    Modzey,


    Let’s see what we can do……
    Please follow these instructions:

    Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)

    O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe

    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

    O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

    O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe

    O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O20 - AppInit_DLLs: ikizhs.dll

    O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)


    IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    Click the Fix checked button and close HiJackThis


    Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

    Please download and install SUPERAntiSpyware Free

    Note: If SAS fails to install, try renaming the file to S_A_S.exe and running setup again. If it will not update, you can manually update the definitions.

    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
    • Under the "Configuration and Preferences", click the Preferences... button.
    • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
    • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.

    • Click the "Close" button to leave the control center screen and exit the program.
    Do not run a scan just yet.


    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Double-click ATF-Cleaner.exe to run the program.



    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use the Firefox browser, click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use the Opera browser, click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.

    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


    Scan with SUPERAntiSpyware as follows:

    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.

    • Click Close to exit the program.

    Reboot to Normal Mode

    Please post the SUPERAntiSpyware Log and a fresh HijackThis log in your next reply.



    2OG
     
  11. Modzey

    Modzey Member

    Joined:
    Jan 11, 2009
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    It seems like getting rid of some of those you pointed out helped. IE still does not work, and Norton will not load either.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/13/2009 at 05:24 PM

    Application Version : 4.24.1004

    Core Rules Database Version : 3706
    Trace Rules Database Version: 1681

    Scan type : Complete Scan
    Total Scan Time : 01:00:13

    Memory items scanned : 153
    Memory threats detected : 0
    Registry items scanned : 6767
    Registry threats detected : 35
    File items scanned : 23431
    File threats detected : 74

    Adware.Viewpoint Toolbar
    HKLM\Software\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32#ThreadingModel
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\ProgID
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\Programmable
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\TypeLib
    HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\VersionIndependentProgID
    HKCR\ViewBar.ViewBar.1
    HKCR\ViewBar.ViewBar.1\CLSID
    HKCR\ViewBar.ViewBar
    HKCR\ViewBar.ViewBar\CLSID
    HKCR\ViewBar.ViewBar\CurVer
    HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}
    HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0
    HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\0
    HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\0\win32
    HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\FLAGS
    HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\HELPDIR
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
    HKU\S-1-5-21-2025429265-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{F8AD5AA5-D966-4667-9DAF-2561D68B2012}

    Adware.MyWebSearch/FunWebProducts
    HKU\S-1-5-21-2025429265-1637723038-725345543-1003\SOFTWARE\FunWebProducts
    HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
    HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\MS Juan
    HKLM\SOFTWARE\Microsoft\MS Juan#RID
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
    HKLM\SOFTWARE\Microsoft\MS Track System
    HKLM\SOFTWARE\Microsoft\MS Track System#Uid

    Adware.Tracking Cookie
    .atdmt.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .doubleclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    media.adrevolver.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .searchfeed.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .imrworldwide.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .imrworldwide.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .bluestreak.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .tribalfusion.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    ad.yieldmanager.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    ad.yieldmanager.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    ad.yieldmanager.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .realmedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    www.findstuff.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    ads.bridgetrack.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    ads.bridgetrack.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificmedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificmedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .kontera.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .kontera.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .kontera.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .mediaonenetwork.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .msnportal.112.2o7.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .casalemedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .casalemedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .casalemedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .mediaplex.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .mediaplex.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .apmebf.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    bridge2.admarketplace.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .admarketplace.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    www.stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .bs.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]

    BearShare File Sharing Client
    C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE

    Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\FFKUZ.DLL

    Also, I have one more thing:

    O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

    Both of those would not remove, or they would, but they come right back if I scan a second time.

    Thanks again for all your help.
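    The entries 2oldGeek singled out above, and the two O23 services Modzey says come straight back, share a few tells a helper reads by eye: an autostart launched from %Temp% or Application Data, a Run value with a keyboard-mash name, a filename one letter off a Windows binary (winloggn.exe against winlogon.exe, csrssc.exe against csrss.exe), a non-empty AppInit_DLLs value, and a service with an unknown owner whose binary is already gone but whose registration persists, so it is listed again on every scan until the service itself is deleted. The script below is an added example, not part of this thread and not a HijackThis feature: it parses O4/O20/O23 lines and applies those heuristics. The sample log is constructed from lines of the log posted above; the names `triage`, `Finding`, `lookalike` and the thresholds are my own, and the `sc stop` / `sc delete` action it suggests for an orphan service is my assumption about the usual cmd.exe remedy, not the contents of any file posted in the thread.

```python
"""Triage HijackThis O4/O20/O23 lines with the heuristics a malware-removal
helper applies by eye.  Added example; not a HijackThis feature."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
O20 - AppInit_DLLs: ikizhs.dll
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
"""

RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
# Directories a limited user can write to; legitimate autostarts rarely live here.
USER_STAGING = re.compile(r"\\(?:Temp|LOCALS~1|Application Data|Local Settings)\\", re.I)
# Real Windows binaries that droppers like to imitate by one or two characters.
SYSTEM_NAMES = ("winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                "services.exe", "smss.exe", "explorer.exe")


@dataclass
class Finding:
    entry: str      # the HijackThis line that fired
    reasons: list   # every heuristic that matched
    action: str     # what a helper would typically do next


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable(cmd):
    """Pull the program path out of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def looks_random(name):
    """Long lowercase letter/digit soup with no spaces, e.g. lrijh8s73jhbfgfd."""
    return (len(name) >= 12 and re.fullmatch(r"[a-z0-9]+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def lookalike(filename):
    """Return the Windows binary this filename imitates, or None."""
    f = filename.lower()
    for real in SYSTEM_NAMES:
        if f != real and edit_distance(f, real) <= 2:
            return real
    return None


def triage(log_text):
    """Return a Finding for every line at least one heuristic fires on."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        reasons, action = [], ""
        run = RUN_RE.match(line)
        if run:
            exe = executable(run["cmd"])
            base = exe.rsplit("\\", 1)[-1]
            if USER_STAGING.search(exe):
                reasons.append("autostart launched from a user-writable staging directory")
            if looks_random(run["name"]):
                reasons.append("Run value name looks machine-generated")
            real = lookalike(base)
            if real:
                reasons.append(f"{base} mimics the Windows binary {real}")
            action = f"remove the Run value, then delete {exe}"
        appinit = APPINIT_RE.match(line)
        if appinit and appinit["dlls"].strip():
            reasons.append("AppInit_DLLs loads this DLL into every process that maps user32.dll")
            action = "clear AppInit_DLLs, then delete the DLL (it may be locked until reboot)"
        svc = SERVICE_RE.match(line)
        if svc:
            name = svc["name"] or svc["display"]
            if svc["owner"] == "Unknown owner":
                reasons.append("service has no recognised vendor")
            if svc["path"].endswith("(file missing)"):
                reasons.append("orphan service: binary is gone but the registration persists, "
                               "so it reappears in every scan until the service is deleted")
                # Assumption: the usual cmd.exe remedy, not a file posted in the thread.
                action = f"sc stop {name} & sc delete {name}"
        if reasons:
            findings.append(Finding(line, reasons, action))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry)
        for r in f.reasons:
            print("   -", r)
        print("   =>", f.action)
```

    Run as-is it prints the six flagged entries; ccApp and NVSvc pass because no heuristic fires on them. The thresholds are deliberately loose, so treat a hit as something to look at, not a verdict, and note that an orphan service is only gone once the service registration is deleted, which is why fixing the O23 line alone did not stick.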
     
  12. Modzey

    Also, a more interesting problem I am having is that I cannot log into any emails. I have an account with excite.com and cannot get past the login phase. It is the same with a school account I have. I know it's not the webpage itself, because it works on other computers, and I have no clue about this one.
     
  13. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Modzey,

    Using Excite.com may not be a good idea. After a little research, I find:



    I haven’t seen the malware you have since 2005 and can’t remember how I handled it. Give me a break; I’m an old dude…

    I’ll be doing more research but in the meantime please do the following:

    Delete Bad Services

    Please open Notepad. Ensure that word wrap is turned off: click on Format and make sure that there is not a tick next to Word Wrap. If there is one, click on Word Wrap to remove it. Copy and paste the following (from the quote box) into Notepad:



    Click on File > Save As....

    In the File Name box, copy and paste in fix.bat
    In the Save as type box, select All Files from the drop-down list.

    Click Save and save it to your Desktop.

    Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.




    Run Malwarebytes’ AntiMalware

    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt


    Last, run ComboFix

    1. Download ComboFix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    2. Click Start > Run, copy and paste this in exactly (using the picture below for reference), then click OK.






    3. ComboFix will begin to run. DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

    If, when it's completed, you cannot get on the internet, just reboot the computer.

    Post the log from ComboFix for me, located at
    c:\comboFix.txt



    Please post the MBAM Log, ComboFix Log and a fresh HJT log in your next reply.


    Hang in there, we’ll get you cleaned up…………

    2OG
     
  14. Modzey

    Wow, thanks so much for your help. Also, I got IE to work, as well as my logins. It seemed that Norton had something to do with a lot of the login problems and such, so now I have Kaspersky : )

    Once again, thanks for your help.
     
  15. 2oldGeek

    You're welcome. Just glad when I can help a little.

    2OG
     
  16. Modzey

    OK, here are the three logs.

    MBAM

    Malwarebytes' Anti-Malware 1.32
    Database version: 1653
    Windows 5.1.2600 Service Pack 2

    1/14/2009 2:41:35 PM
    mbam-log-2009-01-14 (14-41-35).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 242942
    Time elapsed: 1 hour(s), 3 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{afe35be6-a800-43b0-933c-c7b7a35f4db4} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afe35be6-a800-43b0-933c-c7b7a35f4db4} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{FDA24120-426D-41B7-B4D1-33793DFE4BF6}\RP5\A0001706.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ikizhs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xghubtyt.dll (Trojan.Vundo) -> Delete on reboot.

    ----------------------------------------------------------------------

    ComboFix

    ComboFix 09-01-13.04 - Kevin 2009-01-14 14:52:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1630 [GMT -5:00]
    Running from: C:\Documents and Settings\Kevin\desktop\combofix.exe
    Command switches used :: /killall
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
    FW: Kaspersky Internet Security *disabled*
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll
    C:\WINDOWS\system32\AutoRun.inf
    C:\WINDOWS\system32\Memman.vxd
    C:\WINDOWS\system32\skinboxer43.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_HAXDRV
    -------\Legacy_NTLOGIN32
    -------\Service_haxdrv
    -------\Service_ntlogin32
    -------\Service_seneka


    ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
    .

    2009-01-13 23:13 . 2009-01-13 23:13 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2009-01-13 23:13 . 2009-01-13 23:13 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2009-01-13 23:12 . 2009-01-13 23:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2009-01-13 23:12 . 2009-01-14 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2009-01-13 23:12 . 2009-01-14 14:55 6,583,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2009-01-13 23:12 . 2009-01-14 14:58 376,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2009-01-13 23:12 . 2009-01-14 14:55 52,516 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2009-01-13 23:12 . 2009-01-14 14:58 2,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2009-01-13 23:08 . 2009-01-13 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-01-11 20:14 . 2009-01-11 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
    2009-01-11 19:31 . 2009-01-11 19:31 <DIR> d-------- C:\Program Files\Trend Micro
    2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-01-09 16:56 . 2009-01-04 18:41 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2009-01-09 16:56 . 2009-01-04 18:41 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2009-01-09 16:51 . 2009-01-09 16:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2009-01-09 16:51 . 2009-01-09 16:51 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\SUPERAntiSpyware.com
    2009-01-09 16:51 . 2009-01-09 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-01-09 15:55 . 2009-01-09 16:17 0 --a------ C:\WINDOWS\system32\drivers\93671a7c.sys
    2009-01-09 15:54 . 2009-01-14 13:45 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\cogad
    2009-01-07 22:13 . 2009-01-07 22:13 <DIR> d-------- C:\Program Files\Total Video Converter
    2009-01-07 21:48 . 2009-01-07 21:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2009-01-07 21:48 . 2009-01-07 21:48 1,409 --a------ C:\WINDOWS\QTFont.for
    2009-01-07 21:41 . 2009-01-07 21:41 <DIR> d-------- C:\Program Files\FLV Player
    2009-01-06 00:36 . 2009-01-06 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2C52
    2009-01-04 23:20 . 2009-01-04 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\92E
    2009-01-04 23:19 . 2009-01-04 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F138
    2008-12-25 00:50 . 2008-12-25 00:50 <DIR> d-------- C:\Program Files\Lead Pursuit
    2008-12-25 00:33 . 2008-12-25 00:33 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\ATI
    2008-12-25 00:33 . 2008-12-25 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
    2008-12-25 00:32 . 2008-12-25 00:32 0 --a------ C:\WINDOWS\ativpsrm.bin
    2008-12-25 00:08 . 2008-12-25 00:08 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
    2008-12-25 00:07 . 2008-01-09 21:35 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
    2008-12-25 00:07 . 2008-01-09 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
    2008-12-25 00:07 . 2008-01-09 22:07 368,640 -ra------ C:\WINDOWS\system32\ATIDEMGX.dll
    2008-12-25 00:07 . 2008-01-09 21:58 307,200 -ra------ C:\WINDOWS\system32\atiiiexx.dll
    2008-12-25 00:07 . 2007-11-20 03:23 11,874 -ra------ C:\WINDOWS\atiogl.xml
    2008-12-25 00:07 . 2007-08-31 09:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
    2008-12-25 00:06 . 2008-01-09 21:35 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
    2008-12-25 00:06 . 2008-01-09 21:35 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
    2008-12-25 00:06 . 2008-01-07 09:43 165,782 -ra------ C:\WINDOWS\system32\atiicdxx.dat
    2008-12-25 00:04 . 2008-12-25 00:18 <DIR> d-------- C:\Program Files\ATI Technologies

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 04:20 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
    2009-01-14 04:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2009-01-14 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-14 03:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2009-01-09 21:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2009-01-09 21:48 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Registry Booster
    2009-01-05 04:24 --------- d-----w C:\Program Files\BearShare
    2008-12-25 05:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-12-24 06:42 --------- d-----w C:\Program Files\LIVEUPDATE
    2008-12-20 16:31 37,510 ----a-w C:\Documents and Settings\Kevin\Application Data\wklnhst.dat
    2008-12-04 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\1064
    2008-12-04 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\E1BC
    2008-12-04 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\C1BC
    2008-11-30 21:15 --------- d-----w C:\Program Files\Netflix
    2008-11-26 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2008-11-25 06:54 --------- d-----w C:\Program Files\BearShare Applications
    2008-11-25 06:44 --------- d-----w C:\Program Files\PartyGaming
    2008-11-25 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\43B9
    2008-11-24 20:27 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-11-23 18:51 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
    2008-11-23 18:46 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-11-01 22:57 1,594,541 ----a-w C:\WINDOWS\WANEUninstaller.exe
    2008-09-16 18:10 65,976 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-20 06:29 67,688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
    2008-12-20 06:29 54,368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
    2008-12-20 06:29 34,944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
    2008-12-20 06:29 46,712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
    2008-12-20 06:29 172,136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
    2006-02-21 04:02 2 --shatr C:\WINDOWS\winstart.bat
    .

    ----------------------------------------------------------------------



    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:08, on 2009-01-14
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.windowsupdate.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

    --
    End of file - 5574 bytes
     
  17. jdmorris1

    jdmorris1 Member

    Joined:
    Jan 15, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hey guys.

    I'm also having the same problem. I was wondering if you could help me out as well.

    I've already downloaded the 3 pieces of software you suggested. I am currently in safe mode and ran ATF Cleaner and I am in the process of running SUPERantispyware Free. I will run Mbam after that and post the results.

    Any help will be greatly appreciated.

    Thanks
     
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @jdmorris1, post your logs and I’ll look them over.


    Modzey,

    Your Logs look good now, are you having any problems???

    The only thing I see is that your Java is way out of date...

    Java Runtime can be activated by websites, so if there is a security vulnerability in any Java version on your machine, it can be exploited by a malicious site to infect your machine. Each new version of Java fixes security vulnerabilities, so it's extremely important to keep up to date, and its auto-update mechanism isn't considered very reliable. So yes, it's important to regularly check for updates, and if you don't use it, then it's best removed from your machine.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.


    Remove Old Java using JavaRa


    Download JavaRa and unzip it to your desktop.
    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program
    • From the drop-down menu, choose English and click on Select
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK
    • A logfile will pop up. Save it to a convenient location
    • Click on Additional Tasks then tick Remove Useless JRE Files
    • Click Go then OK when prompted & close the program.

    Update Java Runtime
    • Go to http://java.sun.com/javase/downloads/index.jsp
    • Scroll down to Java Runtime Environment (JRE) 6 Update 11 and click on the Download button
    • In the Platform box choose Windows
    • Check the box to Accept License Agreement and click Continue
    • Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop
    • Install the new version by running the downloaded file with the Java icon & follow the on-screen instructions
    • Reboot your computer

    2OG
     
  19. cachee

    cachee Member

    Joined:
    Mar 1, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Hiya guys, I managed to get this virus last night too *angry face* so will be posting a thread for much needed help. My PC blue screened before I could do anything, which sucked :( then I went to bed and gave up.
     
  20. cachee

    cachee Member

    Joined:
    Mar 1, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Tried all of the above, here are my logs mate. Haven't removed anything from HJT so advice would be appreciated.

    Chris

    --


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/15/2009 at 04:35 PM

    Application Version : 4.24.1004

    Core Rules Database Version : 3710
    Trace Rules Database Version: 1685

    Scan type : Complete Scan
    Total Scan Time : 00:40:33

    Memory items scanned : 149
    Memory threats detected : 1
    Registry items scanned : 7463
    Registry threats detected : 23
    File items scanned : 29393
    File threats detected : 11

    Trojan.Vundo-Variant/Packed-GEN
    C:\WINDOWS\SYSTEM32\JKKJCCST.DLL
    C:\WINDOWS\SYSTEM32\JKKJCCST.DLL
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkJcCst
    C:\WINDOWS\SYSTEM32\PMNKLDSS.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

    Trojan.Dropper/Sys-NV
    HKLM\System\ControlSet001\Services\aylnlfdx
    C:\WINDOWS\SYSTEM32\DRIVERS\PHQGHUME.SYS
    HKLM\System\ControlSet001\Enum\Root\LEGACY_aylnlfdx
    HKLM\System\ControlSet003\Services\aylnlfdx
    HKLM\System\ControlSet003\Enum\Root\LEGACY_aylnlfdx
    HKLM\System\CurrentControlSet\Services\aylnlfdx
    HKLM\System\CurrentControlSet\Enum\Root\LEGACY_aylnlfdx

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\RemoveRP

    Rogue.Component/Trace
    HKLM\Software\Microsoft\14B0B47D
    HKLM\Software\Microsoft\14B0B47D#14b0b47d
    HKLM\Software\Microsoft\14B0B47D#Version
    HKU\S-1-5-21-1659004503-2049760794-839522115-1003\Software\Microsoft\CS41275

    Adware.Prun
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString

    BearShare File Sharing Client
    C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\BEARSHARE.LNK
    C:\DOCUMENTS AND SETTINGS\RECON\DESKTOP\PROGRAMS\BEARSHARE.LNK

    Trojan.Vundo-Variant/Small-GEN
    C:\WINDOWS\SYSTEM32\PMNOGWOE.DLL

    Rootkit.SENEKA-Trace
    C:\WINDOWS\SYSTEM32\SENEKA.DAT
    C:\WINDOWS\SYSTEM32\SENEKADF.DAT
    C:\WINDOWS\SYSTEM32\SENEKALOG.DAT
    C:\WINDOWS\SYSTEM32\SENEKAPAFKKDAC.DLL


    --


    Malwarebytes' Anti-Malware 1.33
    Database version: 1654
    Windows 5.1.2600 Service Pack 3

    15/01/2009 18:03:59
    mbam-log-2009-01-15 (18-03-59).txt

    Scan type: Full Scan (C:\|D:\|Z:\|)
    Objects scanned: 210503
    Time elapsed: 1 hour(s), 17 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 13
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ede7658-d3b6-40e1-8360-cdf6c880ffab} (Trojan.BHO.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3ede7658-d3b6-40e1-8360-cdf6c880ffab} (Trojan.BHO.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vwqpafru (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vwqpafru (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwqpafru (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yftelter (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yftelter (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yftelter (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\pmnkLDsS.dll (Trojan.BHO.H) -> Delete on reboot.
    C:\Documents and Settings\RecoN\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\RecoN\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\RecoN\Local Settings\Temp\senekab6b6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\My Completed Downloads\TB.Christmas.Presents.Dec.10th.2008\Ahead.Nero.LiTE.Multilanguage.v8.3.6.0.Incl.Keymaker-EMBRACE\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\jycwaivz.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\wywlbuef.sys (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\senekaulalpxne.sys (Trojan.Agent) -> Quarantined and deleted successfully.


    ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:10:04, on 15/01/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\program files\steam\steam.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Razer\DeathAdder\razertra.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230315314078
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230315308843
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 7385 bytes
     
