Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

winfix Hijack


  • This topic is locked This topic is locked
9 replies to this topic

#1 Rick427

Rick427

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 06 December 2005 - 08:32 PM

1st time user....I am having that winfix popup come up when I am moving about the web. I am having trouble with Google too it sends me to some porn site. Help
here is my log.
Logfile of HijackThis v1.99.1
Scan saved at 8:26:49 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
d:\PowerPanel\upssrv.exe
d:\PowerPanel\upsio.exe
C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\wvuts.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\myvsjcdy.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.0 - https://edesk01.acxi...ava/ttaD-du.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5304D599-1F4F-476D-9519-9C6104EA4CF7}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - d:\PowerPanel\upssrv.exe
O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Advertisements

Register to Remove


#2 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 08 December 2005 - 05:37 PM

Hello Rick, You have a double header. The Vundo trojan and a browser hijacker: http://castlecops.com/clsid-22907.html We have a fix that will work if you will follow the directions exactly.

Thanks to Atribune and any others who helped with this fix

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\wvuts.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\stuvw.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\wvuts.dll
    O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\myvsjcdy.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
    O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 Rick427

Rick427

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 10 December 2005 - 05:04 PM

Thank you Pskelley
I could not find on of the things you wanted me to click in Vundofix. 02-BHO: MSCEvents Object-{52b1dfc7-aafc-b103-868B0683c697}-C:\windows\system32\wvuts.dll
here are the log you asked for
Incident Status Location

Dialer:dialer.b Not disinfected C:\WINDOWS\tmlpcert2005
Adware:adware/xupiter Not disinfected C:\Documents and Settings\Rick\Favorites\Cool Stuff
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:Adware/StartPage.AIW Not disinfected C:\WINDOWS\system32\iifgd.dll
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-74220e11-4feb6bcb.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7bbcac8b-1b7014d7.zip[counter.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7bbcac8b-1b7014d7.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7bbcac8b-1b7014d7.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\p.jar-1bc4f036-111cbe72.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\p.jar-1bc4f036-111cbe72.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-503d0b18-6cb8140b.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-62e1fe3e-29b1453e.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-60713e2f-67c9de0a.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-554e4fa2.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-554e4fa2.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-554e4fa2.zip[Dummy.class]
Virus:Trojan Horse Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-554e4fa2.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-2175ff33.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-2175ff33.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-2175ff33.zip[Dummy.class]
Virus:Trojan Horse Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a5f0150-2175ff33.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-314758c3-7b39b93c.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-314758c3-7b39b93c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-314758c3-7b39b93c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-314758c3-7b39b93c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-749f41d2.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-749f41d2.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-749f41d2.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-749f41d2.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-5e73cdfc.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-5e73cdfc.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-5e73cdfc.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-5e73cdfc.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-5c08e385-526c04d0.zip[Dummy.class]
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

ReadMe.txt
killvundo.bat
process.exe
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\wvuts.dll

The second filepath entered was c:\windows\system32\stuvw.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 476 'smss.exe'

Killing PID 1432 'explorer.exe'


Killing PID 556 'winlogon.exe'
--------------------------------------------------------------------------------------

c:\windows\system32\wvuts.dll Deleted sucessfully.
c:\windows\system32\stuvw.* Deleted sucessfully.

Fixing Registry
-------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:04:00 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PowerPanel\upssrv.exe
C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
d:\PowerPanel\upsio.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\wvuts.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\myvsjcdy.dll (file missing)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.0 - https://edesk01.acxi...ava/ttaD-du.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5304D599-1F4F-476D-9519-9C6104EA4CF7}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll (file missing)
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - d:\PowerPanel\upssrv.exe
O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 10 December 2005 - 05:21 PM

You doing ok Rick, stick with me a little longer. Here is what I want you to do now:

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

2) Ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\wvuts.dll (file missing)
O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\myvsjcdy.dll (file missing)
(if you do not want the following two restrictions, check and remove them)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file
(if you don't know the next one, check itand remove it)
O16 - DPF: Secure Global Desktop Client, 4.0 - https://edesk01.acxi...ava/ttaD-du.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

Run your cleaner now, then post the ewido scan result and a new HJT log for a final look.

Thanks...Phil
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 Rick427

Rick427

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 11 December 2005 - 02:27 PM

Phil
I Love this resorce! This havs been fun.
I still could not find on of the thing you wanted me to check in the HJT log

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html

Here is my new Logs you asked for.
thanks
Rick


Logfile of HijackThis v1.99.1
Scan saved at 2:19:44 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PowerPanel\upssrv.exe
C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
d:\PowerPanel\upsio.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\FIREFOX\FIREFOX.EXE
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.0 - https://edesk01.acxi...ava/ttaD-du.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5304D599-1F4F-476D-9519-9C6104EA4CF7}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll (file missing)
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - d:\PowerPanel\upssrv.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:00:19 PM, 12/11/2005
+ Report-Checksum: 4BED5B48

+ Scan result:

:mozilla.10:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.11:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.14:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.17:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.24:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.25:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.26:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Com : Ignored
:mozilla.27:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Com : Ignored
:mozilla.31:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Adtech : Ignored
:mozilla.32:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\default.uy0\cookies.txt -> Spyware.Cookie.Adtech : Ignored
HKLM\SOFTWARE\Classes\Interface\{2E30AC01-99D7-4E9C-B13E-94E1701B0AC9} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8F0A06F6-DF4D-4D54-B8CA-E8EEDBAE6DDB} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-73586283-1606980848-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA0B9B71-C2AF-11D3-B376-0800460222F0} -> Spyware.iWon : Cleaned with backup
HKU\S-1-5-21-73586283-1606980848-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA0B9B71-C2AF-11D3-B376-0800460222F0} -> Spyware.iWon : Cleaned with backup
C:\WINDOWS\system32\iifgd.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\Documents and Settings\Rick\My Documents\Downloads\iWonPMSetup_12_1,0,2,5.exe -> Spyware.IWon : Cleaned with backup
C:\System Volume Information\_restore{641A409E-6591-4C57-B28A-0AF9451661C7}\RP874\A0030345.dll -> Trojan.Crypt.o : Cleaned with backup
C:\System Volume Information\_restore{641A409E-6591-4C57-B28A-0AF9451661C7}\RP874\A0030347.dll -> Spyware.V : Cleaned with backup
C:\System Volume Information\_restore{641A409E-6591-4C57-B28A-0AF9451661C7}\RP860\A0030192.dll -> Dialer.Generic : Cleaned with backup
D:\hijackthis\backups\backup-20051210-155659-179.dll -> Spyware.V : Cleaned with backup


::Report End

#6 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 11 December 2005 - 03:32 PM

Hey Rick, how is the computer running? This item is still in the HJT log:
O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll (file missing)
I sure would like to get it out of it. I personally think it is nothing because the file is missing, but something is keeping it from being removed.

ewido security suite - Scan report Created on: 2:00:19 PM, 12/11/2005
For some reason you chose to ignore junk you should have removed. Most were just cookies, but I would like you to use ewido again in safe mode. If it locates anything, and you are not sure it is safe, choose to delete the item. While in safe mode we will try to remove the 020 line with HJT and see what happens. When you post this time please tell me how the computer is running. Thanks.

1) Use these instructions to start you computer in safe mode:

http://www.bleepingc...tutorial61.html

2) Once in safe mode, open ewido and choose to scan the complete system, remove everything it locates unless you are sure it is not junk.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - Winlogon Notify: wvuts - C:\WINDOWS\system32\wvuts.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Empty the recycle bin and restart the computer. Post the ewido scan results and a new HJT log.

5) To make sure nothing is hiding in System Restore, follow the directions in this link.
http://service1.syma...src=sec_doc_nam

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#7 Rick427

Rick427

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 11 December 2005 - 10:20 PM

Hey Phil
My problems seem to have gone away. The reson that i did not delete the cookies on that last ewido scan is because I had just started useung FireFox and I wanted to wright down some passwords to a new spot that I had gone to before I got rid of them.
Now.....The cookies are gone I did the safe mode thing and the sys restor thing, so here are my logs.
[color=#FF0000][b]Note
That 020 winlogon notify is gone :D
Thanks
Rick
Logfile of HijackThis v1.99.1
Scan saved at 9:14:27 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
d:\PowerPanel\upssrv.exe
d:\PowerPanel\upsio.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http//www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.0 - https://edesk01.acxi...ava/ttaD-du.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5304D599-1F4F-476D-9519-9C6104EA4CF7}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - d:\PowerPanel\upssrv.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Eicon\Shiva VPN Client\icsrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:45:38 PM, 12/11/2005
+ Report-Checksum: 6014FBC9

+ Scan result:

C:\System Volume Information\_restore{641A409E-6591-4C57-B28A-0AF9451661C7}\RP875\A0032552.dll -> Trojan.Crypt.o : Cleaned with backup
D:\System Volume Information\_restore{641A409E-6591-4C57-B28A-0AF9451661C7}\RP875\A0032553.dll -> Spyware.V : Cleaned with backup


::Report End

#8 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 12 December 2005 - 05:59 AM

Morning Rick (EST) Glad to hears things are running better. I controlFirefox cookies like IE, I override the handling proceedure for the ones I know I need for secure sites requiring them. Here are some links that hsould help you with Firefox.
http://www.mozilla.o..._priv_help.html
http://privacy.getne...fdisablecookies

Logfile of HijackThis v1.99.1 Scan saved at 9:14:27 PM, on 12/11/2005
Clean of bad stuff, I want you to look at the R0/R1 lines only. They are clutter, if you don't need them, use HJT to delete them. You will still be able to set the homepage you wish.
O2 - BHO: AcroIEHlprObj Class: if you use Adobe, free 7.0 has been released for a while.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k <<< see this http://castlecops.co...plist-9038.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

ewido security suite - Scan report Created on: 8:45:38 PM, 12/11/2005
Those items should be gone now since you purged the old SR files. Let me say the scanner and free updates are yours for as long as you like, but ewido does use some resources. Once the trial is over, unless you purchase it, make sure you turn it off so it is not running.

Ill wish safe surfing and HappY Holidays...Phil

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#9 Rick427

Rick427

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 12 December 2005 - 10:34 PM

Hi Phil
not shure about a couple of things.
Are you saying I can check all of the R0 and R1 lines to clean things up?
I shoud downdoad adobe 7.0 and put a check by these lines:
O2 - BHO: AcroIEHlprObj Class: if you use Adobe, free 7.0 has been released for a while.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k <<< see this http://castlecops.co...plist-9038.html

Thanks
Rick

Rick, I am editing your post to add this information for you:
I will try to explain more Rick. The R1 and R0 lines in this log:
Logfile of HijackThis v1.99.1 Scan saved at 9:14:27 PM, on 12/11/2005
are considered clutter. You may look at each on and click the link to see where it takes you, and you may remove all of any of them if you wish.

Adobe is a program that open PDF files (Portable Document Format) see this link: http://www.adobe.com.../readstep2.html If you use the program this new version has new features and it is free. This is optional and your choice. If you download it, Adobe give you other programs and if you have no use for them, uncheck the box so they will not install also.

If you will open this link: http://castlecops.co...plist-9038.html and read it you will know then what this line if about:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

You may follow the instuctions or not, this is also optional. These three items are NOT malware and you may choose to do as you wish.

Happy Holidays...Phil

Edited by pskelley, 13 December 2005 - 06:17 AM.


#10 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 13 December 2005 - 06:19 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users