Infected with Trojan Vundo, can't shake it
#1
Posted 15 December 2005 - 05:50 PM
#2
Posted 01 January 2006 - 04:24 PM
If you still need help with your problem, please run Hijack This again. Scan and copy the log, then post it here, in this topic.
Please use the Post Reply feature, so I will be notified.
Please tell us as much as possible, concerning the problem.
Please do not edit your Hijack This log in any way. We need to see the entire logfile, with no revisions.
Want to help others? Join the ClassRoom and learn how.
#3
Posted 03 January 2006 - 04:50 PM
Logfile of HijackThis v1.99.1
Scan saved at 2:40:39 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\CDProxyServ.exe
C:\WINNT\SmFjcXVlbGluZSBNb3NrdXM\command.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\cckzrmc.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\SM1BG.EXE
E:\Program Files\Pop-Up Stopper\dpps2.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\APD123.exe
C:\WINNT\system32\Bocof449.exe
C:\winnt\system32\rrdsregm.exe
C:\WINNT\system32\lwinssaw.exe
C:\Program Files\snss\snss.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\cckzrmcA.exe
C:\WINNT\system32\igps.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Network\network.exe
C:\WINNT\system32\F2EFF2F0F6F3.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sf\sf.exe
C:\WINNT\nwf.exe
C:\Program Files\CMMan\CMMan.exe
C:\PROGRA~1\COMMON~1\rruk\rrukm.exe
C:\Program Files\FCHelp\FCHelp.exe
C:\WINNT\system32\pgws.exe
C:\PROGRA~1\COMMON~1\rruk\rruka.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINNT\newfrn.exe
C:\Program Files\Internet Optimizer\actalert.exe
c:\Program Files\Aoykucb\Gadqgi.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{61456A89-4E36-8DD2-9286-F7BD0F127EF4} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\pmkhh.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {03EF7078-79ED-3F41-397E-40A4FB2F5CB9} - C:\WINNT\Ljbmrwvn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24ED0EBD-E708-E488-2751-B6CE6AECB89B} - C:\WINNT\System32\hitze.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\System32\nshF5.dll (file missing)
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINNT\DH.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem303.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINNT\System32\irasprag.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINNT\System32\vturo.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINNT\DH.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Search - {9BA78762-1919-F92F-67E0-543EE4717D41} - C:\WINNT\Ljbmrwvn.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [stpreez] C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickZip] C:\WINNT\System32\ls.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "E:\Program Files\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\VhkQi.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APD123] C:\WINNT\System32\APD123.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kypcar.exe reg_run
O4 - HKLM\..\Run: [e6ba63288537] C:\WINNT\system32\Bocof449.exe
O4 - HKLM\..\Run: [{C4-49-96-69-ZN}] C:\winnt\system32\rrdsregm.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinssaw.exe CORN001
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [cckzrmcA] C:\WINNT\cckzrmcA.exe
O4 - HKLM\..\Run: [lspins] "C:\WINNT\system32\igps.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [3E3B3E3C423F48] F2EFF2F0F6F3.exe
O4 - HKLM\..\Run: [Uztnr] c:\Program Files\Aoykucb\Gadqgi.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINNT\newfrn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CasStub] C:\Program Files\CasStub\casstub.exe -run
O4 - HKCU\..\Run: [irassync] C:\WINNT\System32\irasyncd.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazr
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [nwf] C:\WINNT\nwf.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [rruk] C:\PROGRA~1\COMMON~1\rruk\rrukm.exe
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinssaw.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: ipoj.exe
O8 - Extra context menu item: &Search - http://km.bar.need2f...earch.html?p=KM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\randomdocuments\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING48.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105497821953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC9FC25-E3B6-466E-B9E8-EDDFF07760AF}: NameServer = 151.164.1.8,206.13.28.12
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - AppInit_DLLs: dhcclpgd.dll
O20 - Winlogon Notify: pmkhh - C:\WINNT\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: vturo - C:\WINNT\System32\vturo.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmFjcXVlbGluZSBNb3NrdXM\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\cckzrmc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
#4
Posted 03 January 2006 - 06:20 PM
You might want to copy and paste this text into a Notepad file and place it on your desktop, to review as you work.
Please read all this text carefully, before proceeding.
Please continue with this fix in the order given. If you have any questions, please ask before proceeding.
It has been a very long time since I've seen as much Malware as is on your PC. So, in order to save us both a lot of problems, let's run some programs designed to remove some of them, before we begin removing them by hand.
Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html
First, be sure to update CWShredder.
Then close every window, disconnect from Internet and double-click the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.
Then, please reboot.
Next:
Please install, update, then configure Ad-Aware SE to the following directions. Run it and let it remove anything it asks about.
Install and how to use Ad-aware SE
http://www.bleepingc...showtutorial=48
Then, please reboot again.
Next:
Microsoft Anti-Spyware (Beta)
Please go here to download and follow all instructions.
http://www.microsoft...&displaylang=en
Next:
Please download, install, update and scan your system with the free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Next:
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to extract the files.
- This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
- Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
- You will first be presented with a warning. It should look like this:
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
- At this point press enter one time.
- Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:
- At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINNT\System32\vturo.dll
- Press Enter to continue with the fix.
- Next you will see:
Please type in the second filepath as instructed by the forum
staff then press enter:
- At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINNT\System32\orutv.*
- Press Enter to continue with the fix.
- The fix will run then HijackThis will open, if it does not open automatically please open it manually.
- In HiJackThis, please place a check next to the following items and click FIX CHECKED
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINNT\System32\vturo.dll
O20 - Winlogon Notify: vturo - C:\WINNT\System32\vturo.dll
Click on Fix Checked when finished.
- After you have fixed these items, close Hijackthis.
- Press enter to exit the program then manually reboot your computer.
- Once your machine reboots please continue with the instructions below.
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Please use the Post Reply feature to reply, so I will be notified.
Note: Please do not change anything in the new log, as we need to see the entire log, without revisions.
#5
Posted 04 January 2006 - 10:45 PM
#6
Posted 05 January 2006 - 11:36 AM
#7
Posted 06 January 2006 - 01:46 PM
#8
Posted 06 January 2006 - 02:20 PM
Please run Hijack This again. Then, copy and paste a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Please use the Post Reply feature to reply, so I will be notified.
#9
Posted 06 January 2006 - 04:17 PM
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINNT\System32\vturo.dll
The second filepath entered was C:\WINNT\System32\orutv.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 176 'smss.exe'
Error, Cannot find a process with an image name of explorer.exe
Killing PID 252 'winlogon.exe'
--------------------------------------------------------------------------------------
C:\WINNT\System32\vturo.dll Deleted sucessfully.
C:\WINNT\System32\orutv.* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------
And Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 11:38:54 AM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\CDProxyServ.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\SM1BG.EXE
E:\Program Files\Pop-Up Stopper\dpps2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\lwinssaw.exe
C:\Program Files\snss\snss.exe
C:\Program Files\Network\network.exe
E:\Program Files\Antispyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sf\sf.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\FCHelp\FCHelp.exe
E:\Program Files\Antispyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{61456A89-4E36-8DD2-9286-F7BD0F127EF4} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\pmkhh.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {03EF7078-79ED-3F41-397E-40A4FB2F5CB9} - C:\WINNT\Ljbmrwvn.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24ED0EBD-E708-E488-2751-B6CE6AECB89B} - C:\WINNT\System32\hitze.dll (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - (no file)
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINNT\System32\vturo.dll (file missing)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Search - {9BA78762-1919-F92F-67E0-543EE4717D41} - C:\WINNT\Ljbmrwvn.dll (file missing)
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [stpreez] C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickZip] C:\WINNT\System32\ls.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "E:\Program Files\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\VhkQi.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinssaw.exe CORN001
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [Uztnr] C:\Program Files\Aoykucb\Gadqgi.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Antispyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [irassync] C:\WINNT\System32\irasyncd.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazr
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [nwf] C:\WINNT\nwf.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinssaw.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\randomdocuments\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105497821953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC9FC25-E3B6-466E-B9E8-EDDFF07760AF}: NameServer = 151.164.1.8,206.13.28.12
O20 - AppInit_DLLs: dhcclpgd.dll
O20 - Winlogon Notify: pmkhh - C:\WINNT\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: vturo - C:\WINNT\System32\vturo.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmFjcXVlbGluZSBNb3NrdXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\cckzrmc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
#10
Posted 06 January 2006 - 06:02 PM
Looks like we are going to have to step it up a bit. The Malware in your PC is outrunning us. Please read this text thoroughly before beginning, and follow all directions in the order given. You also may want to download all the programs that will be used at this time, to avoid having to stop to do so while working.
You will want to print this, or copy and paste this text into a Notepad file and place it on your desktop, to review as you work.
Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html
First, be sure to update CWShredder.
Then close every window, disconnect from the Internet and double-click the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.
Then, please reboot.
Next:
You have the Peper trojan.
Download the Peperfix Tool and save it to your Desktop.
Make sure you are connected to the Internet and run it; reboot afterwards. Repeat the procedure as it has to be run twice to ensure its effectiveness.
Next:
Microsoft Anti-Spyware (Beta): If you already have this available, update and then run it. There is no need to download it again.
Please go here to download and follow all instructions.
http://www.microsoft...&displaylang=en
Next:
Please install, update, then configure Ad-Aware SE according to the following directions. If you already have Ad-Aware SE, be sure to first update it, then run it and let it remove anything it asks about.
Install and how to use Ad-aware SE
http://www.bleepingc...showtutorial=48
Next:
Please download, install, update and scan your system with the free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Next:
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Next:
Please set your system to show all files; please see here if you're unsure how to do this.
Next:
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to extract the files
- This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
- Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
- You will first be presented with a warning. It should look like this:
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
- At this point press enter one time.
- Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:
- At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINNT\system32\pmkhh.dll
- Next you will see:
Please type in the second filepath as instructed by the forum
staff then press enter:
- At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINNT\system32\hhkmp.*
- Press Enter to continue with the fix.
- The fix will run then HijackThis will open, if it does not open automatically please open it manually.
- In HiJackThis, please place a check next to the following items and click FIX CHECKED
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{61456A89-4E36-8DD2-9286-F7BD0F127EF4} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\pmkhh.dll
O2 - BHO: (no name) - {03EF7078-79ED-3F41-397E-40A4FB2F5CB9} - C:\WINNT\Ljbmrwvn.dll (file missing)
O2 - BHO: (no name) - {24ED0EBD-E708-E488-2751-B6CE6AECB89B} - C:\WINNT\System32\hitze.dll (file missing)
O2 - BHO: (no name) - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - (no file)
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINNT\System32\vturo.dll (file missing)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: Search - {9BA78762-1919-F92F-67E0-543EE4717D41} - C:\WINNT\Ljbmrwvn.dll (file missing)
O4 - HKLM\..\Run: [stpreez] C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
O4 - HKLM\..\Run: [QuickZip] C:\WINNT\System32\ls.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [Uztnr] C:\Program Files\Aoykucb\Gadqgi.exe
O4 - HKCU\..\Run: [irassync] C:\WINNT\System32\irasyncd.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazr
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [nwf] C:\WINNT\nwf.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinssaw.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O20 - AppInit_DLLs: dhcclpgd.dll
O20 - Winlogon Notify: pmkhh - C:\WINNT\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: vturo - C:\WINNT\System32\vturo.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmFjcXVlbGluZSBNb3NrdXM\command.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\cckzrmc.exe (file missing)
The following are recommended fixes:
Unless you know and trust the following entries, they too can be fixed with Hijack This.
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinssaw.exe CORN001
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
Click on Fix Checked when finished.
- After you have fixed these items, close Hijackthis.
- Press enter to exit the program then manually reboot your computer.
- Once your machine reboots please continue with the instructions below.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders shown DARK and delete them, if still there.
C:\WINNT\nwf.exe
C:\WINNT\Ljbmrwvn.dll
C:\WINNT\SmFjcXVlbGluZSBNb3NrdXM\command.exe
C:\WINNT\System32\ls.exe
C:\WINNT\System32\hitze.dll
C:\WINNT\System32\vturo.dll
C:\WINNT\System32\irasyncd.exe
C:\WINNT\system32\lwinssaw.exe
C:\WINNT\system32\dwdsregt.exe
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
Please Note: The following are all Programs, so must also be Uninstalled/Removed in Add/Remove Programs.
C:\Program Files\snss\snss.exe
C:\Program Files\Network\network.exe
C:\Program Files\Aoykucb\Gadqgi.exe
C:\Program Files\sder\dees.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\Program Files\sf\sf.exe
C:\Program Files\CMMan\CMMan.exe
C:\Program Files\FCHelp\FCHelp.exe
Next:
Please reboot into normal mode and enable hidden files.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Please use the Post Reply feature to reply, so I will be notified.
#11
Posted 07 January 2006 - 01:19 PM
ActiveScan
Incident Status Location
Adware:adware/dyfuca Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\cfout.txt
Adware:adware/iedriver Not disinfected C:\WINNT\SYSTEM32\Searchx.htm
Adware:adware/lop Not disinfected C:\Documents and Settings\Owner\Favorites\ Antivirus.url
Adware:adware/ieplugin Not disinfected C:\WINNT\kwv2.dat
Dialer:dialer.su Not disinfected C:\WINNT\run.cxq
Spyware:spyware/betterinet Not disinfected C:\WINNT\INF\biini.inf
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/searchresults Not disinfected C:\PROGRAM FILES\QL
Adware:adware/quicksearch Not disinfected C:\PROGRAM FILES\QuickSearch
Adware:adware/searchforit Not disinfected C:\PROGRAM FILES\sf
Potentially unwanted tool:application/myway Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MY WAY SPEEDBAR UNINSTALL
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/Admotion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@admotion.com[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ath.belnk[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[2].txt
Spyware:Cookie/Allthatsearch Not disinfected C:\Documents and Settings\Owner\Cookies\owner@BigBlue[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cdfreaks[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ct.360i[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Owner\Cookies\owner@desktop.kazaa[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[1].txt
Logfile of HijackThis v1.99.1
Scan saved at 11:14:15 AM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\CDProxyServ.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\SM1BG.EXE
E:\Program Files\Pop-Up Stopper\dpps2.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Antispyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Antispyware\gcasServ.exe
C:\PROGRA~1\HEWLET~1\HPINST~1\common\MOTIVE~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mad.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{61456A89-4E36-8DD2-9286-F7BD0F127EF4} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\pmkhh.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {03EF7078-79ED-3F41-397E-40A4FB2F5CB9} - C:\WINNT\Ljbmrwvn.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24ED0EBD-E708-E488-2751-B6CE6AECB89B} - C:\WINNT\System32\hitze.dll (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Search - {9BA78762-1919-F92F-67E0-543EE4717D41} - C:\WINNT\Ljbmrwvn.dll (file missing)
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [stpreez] C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickZip] C:\WINNT\System32\ls.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "E:\Program Files\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\VhkQi.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [Uztnr] C:\Program Files\Aoykucb\Gadqgi.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Antispyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazr
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [nwf] C:\WINNT\nwf.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: Zeno.lnk = C:\RECYCLER\S-1-5-21-2221179514-3813086739-568186159-1003\Dc3.qfx
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\randomdocuments\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105497821953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC9FC25-E3B6-466E-B9E8-EDDFF07760AF}: NameServer = 151.164.1.8,206.13.28.12
O20 - AppInit_DLLs: dhcclpgd.dll
O20 - Winlogon Notify: pmkhh - pmkhh.dll (file missing)
O20 - Winlogon Notify: vturo - C:\WINNT\System32\vturo.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\cckzrmc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINNT\system32\pmkhh.dll
The second filepath entered was C:\WINNT\system32\hhkmp.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 176 'smss.exe'
Killing PID 784 'explorer.exe'
Killing PID 784 'explorer.exe'
Killing PID 784 'explorer.exe'
Killing PID 252 'winlogon.exe'
Killing PID 252 'winlogon.exe'
Killing PID 252 'winlogon.exe'
--------------------------------------------------------------------------------------
C:\WINNT\system32\pmkhh.dll Deleted sucessfully.
C:\WINNT\system32\hhkmp.* Deleted sucessfully.
Fixing Registry
------------------------------------------------------------
#12
Posted 07 January 2006 - 04:32 PM
Please copy and paste this text into a Notepad file and place it on your desktop, to review as you work. You may prefer to print it instead. If there is anything you do not understand, please ask before continuing. Please read this entire text before beginning.
Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
Then, please reboot into Normal Mode.
Next:
You are infected with the peper trojan. This fix only works if the uninstaller is run twice. First, go offline, close all Programs and Windows. Run this uninstaller, reboot when finished, then run it again and reboot again. This tool must be run twice, with a reboot in between and another reboot after.
Peper fix:
Download and run this for the peper trojan:
http://www.memorywat....com/uninst.exe
Next:
Please set your system to show all files; please see here if you're unsure how to do this.
Next:
Reboot into Safe Mode; see here if you are not sure how to do this.
Go to Control Panel-->Add/Remove Programs and Uninstall/Remove......
Real\Toolbar
snss
Network\network.exe
Aoykucb\Gadqgi.exe
sder\dees.exe
Spyware Cleaner\SpywareCleaner.Exe
sf\sf.exe
CMMan\CMMan.exe
FCHelp\FCHelp.exe
Then, please reboot into Normal Mode.
Next:
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Close all Windows and browsers, leaving only HijackThis running.
Place a check against each of the following:
R3 - URLSearchHook: (no name) - _{61456A89-4E36-8DD2-9286-F7BD0F127EF4} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {03EF7078-79ED-3F41-397E-40A4FB2F5CB9} - C:\WINNT\Ljbmrwvn.dll (file missing)
O2 - BHO: (no name) - {24ED0EBD-E708-E488-2751-B6CE6AECB89B} - C:\WINNT\System32\hitze.dll (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Search - {9BA78762-1919-F92F-67E0-543EE4717D41} - C:\WINNT\Ljbmrwvn.dll (file missing)
O4 - HKLM\..\Run: [stpreez] C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
O4 - HKLM\..\Run: [QuickZip] C:\WINNT\System32\ls.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [Uztnr] C:\Program Files\Aoykucb\Gadqgi.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazr
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [nwf] C:\WINNT\nwf.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: Zeno.lnk = C:\RECYCLER\S-1-5-21-2221179514-3813086739-568186159-1003\Dc3.qfx
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O20 - AppInit_DLLs: dhcclpgd.dll
O20 - Winlogon Notify: pmkhh - pmkhh.dll (file missing)
O20 - Winlogon Notify: vturo - C:\WINNT\System32\vturo.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\cckzrmc.exe (file missing)
Click on Fix Checked when finished.
Reboot into Safe Mode; see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders shown DARK and delete them, if still there.
C:\WINNT\nwf.exe
C:\WINNT\system32\dwdsregt.exe
C:\WINNT\System32\ls.exe
C:\DOCUME~1\Owner\APPLIC~1\grpefrws.exe -QuieT
C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
C:\Program Files\snss\snss.exe
C:\Program Files\Network\network.exe
C:\Program Files\Aoykucb\Gadqgi.exe
C:\Program Files\sder\dees.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\Program Files\sf\sf.exe
C:\Program Files\CMMan\CMMan.exe
C:\Program Files\FCHelp\FCHelp.exe
If you were unable to delete any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
Example:
The entire line(s) must be entered into Killbox, as shown here.
C:\Program Files\FCHelp\FCHelp.exe
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
Let the system reboot.
Reboot, enable hidden files and post a fresh Hijack This log in this topic.
Please use the Post Reply feature to reply, so I will be notified.
Edited by Piatan, 07 January 2006 - 04:36 PM.
#13
Posted 08 January 2006 - 11:35 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:27:21 AM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\CDProxyServ.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\SM1BG.EXE
E:\Program Files\Pop-Up Stopper\dpps2.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Antispyware\gcasDtServ.exe
E:\Program Files\Antispyware\gcasServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "E:\Program Files\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\VhkQi.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Antispyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\randomdocuments\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105497821953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC9FC25-E3B6-466E-B9E8-EDDFF07760AF}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
Thanks, J Moskus
#14
Posted 08 January 2006 - 01:30 PM
Looks like Peper is still with us.
Please download PeperFix from here:
http://downloads.sub...rg/PeperFix.exe
Save it to the desktop and run it. Click "Find and Fix" to scan your system for the Peper trojan, and allow PeperFix to remove all infected files. Restart your computer if prompted.
After your computer restarts, please run PeperFix again. Repeat the above process, and continue until PeperFix reports "No files found".
Next:
Please use the following link and follow the instructions given.
http://www.bleepingc....exe-13347.html
When finished, please run Hijack This again. Scan, copy and paste the logfile here, in this topic.
Please use the Post Reply feature to post, so I will be notified.
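The follow-up log in post #13 can be checked mechanically against the entries listed for "Fix Checked" in the post before it. The sketch below is an added example, not part of the thread and not HijackThis code: it parses log lines, reports fixed entries that reappear, and queues O23 services for review. The function names and the short SYSTEM_NAMES list are assumptions; the sample lines are copied from the two logs on this page.

```python
import re
from ntpath import basename, dirname
# Constructed input: a few lines copied from the fix list and the follow-up log above.
FIX_LIST = r"""
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\cckzrmc.exe (file missing)
"""
RESCAN = r"""
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)(?P<missing> \(file missing\))?$")
# Assumption: a short list of Windows binaries that belong in the system32 directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

def parse(log):
    """Map (section code, lower-cased body without the 'file missing' tag) to its match."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[(m["code"], m["body"].lower())] = m
    return entries

def survivors(fix_list, rescan):
    """Entries that were marked for fixing but still appear in the rescan."""
    after = parse(rescan)
    return [after[k]["body"] for k in parse(fix_list) if k in after]

def image_path(body):
    """Return the first Windows executable/DLL/driver path in an entry body, if any."""
    m = re.search(r"[A-Za-z]:\\[^\"]+?\.(?:exe|dll|sys)\b", body, re.I)
    return m.group(0) if m else None

def review_queue(rescan):
    """Queue services with no owner string and system binary names outside system32."""
    flagged = []
    for m in parse(rescan).values():
        path, reasons = image_path(m["body"]), []
        if m["code"] == "O23" and " - Unknown owner - " in m["body"]:
            reasons.append("unknown owner")
        name = basename(path).lower() if path else ""
        if name in SYSTEM_NAMES and not dirname(path).lower().endswith("system32"):
            reasons.append("system binary name outside system32")
        if reasons:
            flagged.append((path, reasons))
    return flagged
```

A flag here only means the entry deserves a closer look; the owner string in an O23 line is whatever HijackThis printed, so a known vendor name is not proof that the file is genuine.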
#15
Posted 08 January 2006 - 02:32 PM