Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91982 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Remove Malware/Spyware/Unwanted Popups


  • This topic is locked This topic is locked
10 replies to this topic

#1 pasei

pasei

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 19 February 2007 - 04:40 AM

Hi,

Im a newbie to this, and have obviously clicked something I shouldnt have... I am now getting loads of unwanted popups and offical looking "Spyware Removal Wizard" windows.

Ive tried installing different adware software and virus scanners which have found infections but obviously not removed the underlying problem. I did a search and saw that other people have been able to solve the problem using your expertise. I have completed a scan using Highjackthis and it is pasted below

I hope you can help. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 10:30:31, on 19/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Sysmgt\eTrav6\InoRpc.exe
C:\Sysmgt\eTrav6\InoRT.exe
C:\Sysmgt\eTrav6\InoTask.exe
C:\WINNT\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\Sysmgt\eTrav6\realmon.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINNT\system32\taskswitch.exe
C:\WINNT\RTHDCPL.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Downloads\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cafevik.fs.fujitsu.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\Sysmgt\eTrav6\realmon.exe -s
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\system32\fast.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [akjdjim.dll] C:\WINNT\system32\rundll32.exe "D:\PROFILES\ansahp\Local Settings\Application Data\akjdjim.dll",fczpaoe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Proxy Monitor] "C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe" -atstartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123773581890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137594725350
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: Fujitsu Services VPN Manager (FS_VPNmanager) - Fujitsu Services - C:\WINNT\FSVPNManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoTask.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    Advertisements

Register to Remove


#2 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 20 February 2007 - 01:42 PM

Rename HijackThis.exe to scanner.exe

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post back with the vundofix log and a new HijackThis log

#3 pasei

pasei

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 20 February 2007 - 03:09 PM

Thank You.

I have completed running vundofix.exe several times now until it no longer finds any vundo.
Both logs are below. I have just now (just before writing this post) had the "Spyware Removal Wizard" window apear again, any idea what else I can do as a next step please?

Thanks again in advance


Vundo Log
========



VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 19:48:28 20/02/2007

Listing files found while scanning....

C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\hhkmp.bak1
C:\WINNT\system32\hhkmp.bak2
C:\WINNT\system32\hhkmp.ini
C:\WINNT\system32\pmkhh.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\hhkmp.bak1
C:\WINNT\system32\hhkmp.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\hhkmp.bak2
C:\WINNT\system32\hhkmp.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\hhkmp.ini
C:\WINNT\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINNT\system32\pmkhh.dll
C:\WINNT\system32\pmkhh.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 19:59:47 20/02/2007

Listing files found while scanning....

C:\WINNT\system32\efcaaax.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:14:01 20/02/2007

Listing files found while scanning....

C:\WINNT\system32\efcaaax.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:22:45 20/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:30:54 20/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:47:40 20/02/2007

Listing files found while scanning....

No infected files were found.




New Highjackthis Log
===========


Logfile of HijackThis v1.99.1
Scan saved at 20:53:11, on 20/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Sysmgt\eTrav6\InoRpc.exe
C:\Sysmgt\eTrav6\InoRT.exe
C:\Sysmgt\eTrav6\InoTask.exe
C:\WINNT\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\Sysmgt\eTrav6\realmon.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINNT\system32\taskswitch.exe
C:\WINNT\RTHDCPL.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Downloads\HighjackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cafevik.fs.fujitsu.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64497D22-52C9-AE3B-9036-014519F3CD2B} - C:\WINNT\system32\mhdrhjm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8C32931D-9CBC-4126-83BA-55EAAA25B255} - C:\WINNT\system32\efcaaax.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINNT\system32\tggjxbge.dll (file missing)
O2 - BHO: (no name) - {E9652443-705C-4103-B35C-0796AC17A2CE} - C:\WINNT\system32\pmkhh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\Sysmgt\eTrav6\realmon.exe -s
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\system32\fast.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [akjdjim.dll] C:\WINNT\system32\rundll32.exe "D:\PROFILES\ansahp\Local Settings\Application Data\akjdjim.dll",fczpaoe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Proxy Monitor] "C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe" -atstartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123773581890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137594725350
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A43503A-2BA6-431F-AD7B-57F0CC2F0247}: NameServer = 194.106.56.6 194.106.33.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A43503A-2BA6-431F-AD7B-57F0CC2F0247}: NameServer = 194.106.56.6 194.106.33.42
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PSUTY - C:\WINNT\SYSTEM32\PSUWNP.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winvfw32 - C:\WINNT\SYSTEM32\winvfw32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: Fujitsu Services VPN Manager (FS_VPNmanager) - Fujitsu Services - C:\WINNT\FSVPNManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoTask.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 20 February 2007 - 04:34 PM

Reveal Hidden Files
  • Click Start.
  • Open My Computer.
  • SelectTools menu
  • Click Folder Options.
  • Select the View Tab.
  • Select Show hidden files and foldersin the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes (one line per box):
    • C:\WINNT\system32\mhdrhjm.dll
      C:\WINNT\SYSTEM32\winvfw32.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {64497D22-52C9-AE3B-9036-014519F3CD2B} - C:\WINNT\system32\mhdrhjm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8C32931D-9CBC-4126-83BA-55EAAA25B255} - C:\WINNT\system32\efcaaax.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINNT\system32\tggjxbge.dll (file missing)
O2 - BHO: (no name) - {E9652443-705C-4103-B35C-0796AC17A2CE} - C:\WINNT\system32\pmkhh.dll (file missing)
O4 - HKLM\..\Run: [akjdjim.dll] C:\WINNT\system32\rundll32.exe "D:\PROFILES\ansahp\Local Settings\Application Data\akjdjim.dll",fczpaoe
O20 - Winlogon Notify: winvfw32 - C:\WINNT\SYSTEM32\winvfw32.dll

Then close all windows except HijackThis and click Fix Checked

Use windows explorer to find and delete this file:

D:\PROFILES\ansahp\Local Settings\Application Data\akjdjim.dll

Post back with the vundofix log and a new HijackThis log

#5 pasei

pasei

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 20 February 2007 - 06:13 PM

Thank you again...
All steps completed to the letter...

Here are the resulting logs:



Current VundoFix Log
==============



VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 19:48:28 20/02/2007

Listing files found while scanning....

C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\hhkmp.bak1
C:\WINNT\system32\hhkmp.bak2
C:\WINNT\system32\hhkmp.ini
C:\WINNT\system32\pmkhh.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\hhkmp.bak1
C:\WINNT\system32\hhkmp.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\hhkmp.bak2
C:\WINNT\system32\hhkmp.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\hhkmp.ini
C:\WINNT\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINNT\system32\pmkhh.dll
C:\WINNT\system32\pmkhh.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 19:59:47 20/02/2007

Listing files found while scanning....

C:\WINNT\system32\efcaaax.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:14:01 20/02/2007

Listing files found while scanning....

C:\WINNT\system32\efcaaax.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efcaaax.dll
C:\WINNT\system32\efcaaax.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:22:45 20/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:30:54 20/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 20:47:40 20/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 23:29:27 20/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 23:36:28 20/02/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINNT\system32\mhdrhjm.dll
C:\WINNT\system32\mhdrhjm.dll Has been deleted!

Attempting to delete C:\WINNT\SYSTEM32\winvfw32.dll
C:\WINNT\SYSTEM32\winvfw32.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.8

Checking Java version...

Sun Java not detected
Scan started at 23:57:24 20/02/2007

Listing files found while scanning....

No infected files were found.




Latest Highjackthis Log
===============


Logfile of HijackThis v1.99.1
Scan saved at 00:02:13, on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Sysmgt\eTrav6\InoRpc.exe
C:\Sysmgt\eTrav6\InoRT.exe
C:\Sysmgt\eTrav6\InoTask.exe
C:\WINNT\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\Sysmgt\eTrav6\realmon.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINNT\system32\taskswitch.exe
C:\WINNT\RTHDCPL.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Downloads\HighjackThis\scanner.exe
C:\Sysmgt\AVengine\InoDist.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cafevik.fs.fujitsu.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\Sysmgt\eTrav6\realmon.exe -s
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\system32\fast.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Proxy Monitor] "C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe" -atstartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123773581890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137594725350
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PSUTY - C:\WINNT\SYSTEM32\PSUWNP.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: Fujitsu Services VPN Manager (FS_VPNmanager) - Fujitsu Services - C:\WINNT\FSVPNManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoTask.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#6 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 21 February 2007 - 08:53 AM

Go here to run an online scannner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post back with the Kaspersky log and a new HijackThis log, and let me know how its running now

#7 pasei

pasei

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 21 February 2007 - 11:14 AM

Hi random/random

My computer seems to be running much better now and have not had a popup since completing the last set of steps. THANK YOU!!!

KAV did find some things
Here are the KAV and Highjackthis logs

KAV.txt
=====


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 21, 2007 4:40:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/02/2007
Kaspersky Anti-Virus database records: 271599
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 72840
Number of viruses found: 5
Number of infected objects: 19 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:58:34

Infected Object Name / Virus Name / Last Action
C:\Program Files\Zone Labs\Integrity Client\zlxeap.log Object is locked skipped
C:\Sysmgt\eTrav6\DB\rtmaster.dbf Object is locked skipped
C:\Sysmgt\eTrav6\DB\rtmaster.ntx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP46\A0008703.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP46\A0008705.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP46\A0008708.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP55\A0010212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP55\A0010266.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP55\A0010267.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP56\change.log Object is locked skipped
C:\VundoFix Backups\efcaaax.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\VundoFix Backups\mhdrhjm.dll.bad Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\VundoFix Backups\winvfw32.dll.bad Infected: Trojan.Win32.Agent.qt skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\Fujitsu Services_1166466888640.RDB Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\Internet Logs\UK941145LT.ldb Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\gtlkohgw.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\ZLT059d6.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\PROFILES\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\PROFILES\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\PROFILES\ansahp\Application Data\$_hpcst$.hpc Object is locked skipped
D:\PROFILES\ansahp\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
D:\PROFILES\ansahp\Application Data\Microsoft\Outlook\FJS-ansahp.NK2 Object is locked skipped
D:\PROFILES\ansahp\Application Data\Microsoft\Outlook\FJS-ansahp.srs Object is locked skipped
D:\PROFILES\ansahp\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
D:\PROFILES\ansahp\Cookies\index.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Messenger\pasei@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Messenger\pasei@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Messenger\pasei@hotmail.com\SharingMetadata\Working\database_A248_9418_4893_E8F5\dfsr.db Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Messenger\pasei@hotmail.com\SharingMetadata\Working\database_A248_9418_4893_E8F5\fsr.log Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Messenger\pasei@hotmail.com\SharingMetadata\Working\database_A248_9418_4893_E8F5\fsrtmp.log Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Messenger\pasei@hotmail.com\SharingMetadata\Working\database_A248_9418_4893_E8F5\tmp.edb Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Outlook\outlook1.ost Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Windows Live Contacts\pasei@hotmail.com\real\members.stg Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Application Data\Microsoft\Windows Live Contacts\pasei@hotmail.com\shadow\members.stg Object is locked skipped
D:\PROFILES\ansahp\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\History\History.IE5\MSHist012007022120070222\index.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\ExchangePerflog_8484fa3160bf269fcedf040b.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\mst427.tmp Infected: Trojan.Win32.Agent.qt skipped
D:\PROFILES\ansahp\Local Settings\Temp\mst435.tmp Infected: Trojan.Win32.Agent.qt skipped
D:\PROFILES\ansahp\Local Settings\Temp\mst440.tmp Infected: Trojan.Win32.Agent.qt skipped
D:\PROFILES\ansahp\Local Settings\Temp\WCESLog.log Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\win42F.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bgn skipped
D:\PROFILES\ansahp\Local Settings\Temp\win433.tmp.exe Infected: Trojan.Win32.Agent.qt skipped
D:\PROFILES\ansahp\Local Settings\Temp\~DF2B40.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\~DF2B4D.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\~DF82D7.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\~DFDF72.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\~DFDF8D.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\~WRF0003.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temp\~WRS0002.tmp Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temporary Internet Files\Content.IE5\7OLC95FI\xc29[1].exe Infected: Trojan.Win32.Agent.qt skipped
D:\PROFILES\ansahp\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\PROFILES\ansahp\Local Settings\Temporary Internet Files\Content.IE5\MZC1W30B\antzom[1].exe Infected: Trojan-Downloader.Win32.Agent.bgn skipped
D:\PROFILES\ansahp\ntuser.dat Object is locked skipped
D:\PROFILES\ansahp\NTUSER.DAT.LOG Object is locked skipped
D:\PROFILES\LocalService\Cookies\index.dat Object is locked skipped
D:\PROFILES\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\PROFILES\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\PROFILES\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\PROFILES\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\PROFILES\LocalService\ntuser.dat Object is locked skipped
D:\PROFILES\LocalService\NTUSER.DAT.LOG Object is locked skipped
D:\PROFILES\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\PROFILES\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\PROFILES\NetworkService\ntuser.dat Object is locked skipped
D:\PROFILES\NetworkService\NTUSER.DAT.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP46\A0008749.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
D:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP55\A0010284.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
D:\System Volume Information\_restore{9114D9C5-F128-4054-B123-59C636A9CAB5}\RP56\change.log Object is locked skipped

Scan process completed.





Highjackthis Log
===========


Logfile of HijackThis v1.99.1
Scan saved at 17:07:12, on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Sysmgt\eTrav6\InoRpc.exe
C:\Sysmgt\eTrav6\InoRT.exe
C:\Sysmgt\eTrav6\InoTask.exe
C:\WINNT\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINNT\system32\taskswitch.exe
C:\WINNT\RTHDCPL.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\NOTEPAD.EXE
D:\Downloads\HighjackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cafevik.fs.fujitsu.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\Sysmgt\eTrav6\realmon.exe -s
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\system32\fast.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Proxy Monitor] "C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe" -atstartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123773581890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137594725350
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fs.fujitsu.com,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fs.fujitsu.com,
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PSUTY - C:\WINNT\SYSTEM32\PSUWNP.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: Fujitsu Services VPN Manager (FS_VPNmanager) - Fujitsu Services - C:\WINNT\FSVPNManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoTask.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 21 February 2007 - 11:29 AM

Reveal Hidden Files
  • Click Start.
  • Open My Computer.
  • SelectTools menu
  • Click Folder Options.
  • Select the View Tab.
  • Select Show hidden files and foldersin the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.
Use windows explorer to find and delete this file:

C:\WINNT\system32\gtlkohgw.dll

Post back with a new HijackThis log

#9 pasei

pasei

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 21 February 2007 - 11:39 AM

I have deleted the file
Here is my latest Highjackthis log

THANK YOU AGAIN! You are a life saver! I have also not had any popups!

Highjackthis Log
===========


Logfile of HijackThis v1.99.1
Scan saved at 17:36:43, on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Sysmgt\eTrav6\InoRpc.exe
C:\Sysmgt\eTrav6\InoRT.exe
C:\Sysmgt\eTrav6\InoTask.exe
C:\WINNT\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINNT\system32\taskswitch.exe
C:\WINNT\RTHDCPL.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Downloads\HighjackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cafevik.fs.fujitsu.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\Sysmgt\eTrav6\realmon.exe -s
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\system32\fast.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Proxy Monitor] "C:\Program Files\Internet Explorer Proxy Monitor\ieprxmon.exe" -atstartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123773581890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137594725350
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fs.fujitsu.com,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fs.fujitsu.com,
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PSUTY - C:\WINNT\SYSTEM32\PSUWNP.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: Fujitsu Services VPN Manager (FS_VPNmanager) - Fujitsu Services - C:\WINNT\FSVPNManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Sysmgt\eTrav6\InoTask.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#10 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 21 February 2007 - 11:43 AM

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit wiht too many spam posting to allow guest posting to continue just find your country room and register your complaint.
The infection you had was Vundo

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot.

    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis
  • Keep your antivirus and firewall updated
  • Keep windows up to date with the latest patches


    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
  • Install spywareblaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    Make sure to update it on a regular basis
  • Install IE-SPYAD
    Dowload and instructions located here
    Make sure to update it on a regular basis
  • Use a HOSTS file
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Install and use Ad-aware & Spybot search & destroy
    Instructions are located here
    Make sure to update them on a regular basis
  • Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
    Two good alternative browsers are
    Firefox
    Opera
    It is essential to update to the latest version of your browser, as the updates fix known security holes
  • Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    Change the allow paste operations via script to Disable
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
  • Clean out you temp file on a regular basis
    I use and recommend ATF Cleaner by Attribune
    To use it, follow these instructions
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Main at the top and choose Select All from the list.
    • Click the Empty Selected button.
    If you use Firefox browser:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date


#11 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 24 March 2007 - 05:37 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users