multiple trojans


  • This topic is locked
35 replies to this topic

#1 nearlyasian (Authentic Member, 21 posts)

Posted 02 March 2007 - 09:29 AM

Well, it all started when I foolishly ran an unknown, untrusted .exe; now I'm trying to get rid of whatever is there.

Lately my virus checker AVAST has been blocking several attempts by trojans and adware to further infect my system, but I believe they are a result of the first trojan that got on here... whatever it is.

When I started this mess AVAST was blocking things every few minutes, with names like VBSTAT-C (trojan), BHO-BG (trojan), and lots of random .dll's infected that my system tries to access.

I've done a boot scan with AVAST and it finds nothing else.

Ad-Aware returns nothing.
Spybot - Search & Destroy found some things the first time I ran it 4 days ago, such as smitfraud888 (I removed that with SmitfraudFix); it doesn't appear to be on my system.

Then 2 days later I ran Spybot again and removed the following:
DoubleClick
FastClick
MediaPlex
ReliableStats
SystemDoctor2006
Winsoftware.WinAntiVirusPro2006

I stopped two things from starting up that I believed may have been a problem too. I deleted the entries for vsnp2std.exe and tsnp2std.exe from the startup (using msconfig), but that didn't seem to help much.


I ran AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:12:13 PM 1/03/2007

+ Scan result:



:mozilla.12:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Tom Beckingham\Cookies\tom@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.66:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.67:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.6:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.7:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.11:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.88:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.13:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.44:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.45:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.46:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.47:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.55:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.75:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.64:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.65:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

::Report end

Then I ran HijackThis (2 days ago); this is its log:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:10 PM, on 1/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\CRW\shwicon.exe
C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
C:\WINDOWS\System32\ZCfgSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\system32\ctfmon.exe
C:\shell\RocketDock\RocketDock.exe
C:\shell\rainlender2\Rainlendar2.exe
C:\shell\UberIcon\UberIcon Manager.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\shell\Rainmeter\Rainmeter.exe
C:\shell\Styler\Styler.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\hijackthis\HijackThis.exe

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\shell\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\shell\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\shell\rainlender2\Rainlendar2.exe
O4 - HKCU\..\Run: [UberIcon] "C:\shell\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainmeter.lnk = C:\shell\Rainmeter\Rainmeter.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.li.../Photosynth.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



---------------------------------------------------------------------------------------------------



A day after, I ran the BitDefender online scan and got some baddies:

C:\VundoFix Backups\wvust.dll.bad
Infected with: MemScan:Trojan.Vundo.AF

C:\VundoFix Backups\wvust.dll.bad
Disinfection failed

C:\VundoFix Backups\wvust.dll.bad
Deleted

C:\WINDOWS\system32\vtspq.dll
Infected with: MemScan:Trojan.Vundo.AF

C:\WINDOWS\system32\vtspq.dll
Disinfection failed

C:\WINDOWS\system32\vtspq.dll
Deleted

C:\WINDOWS\system32\mljij.dll
Infected with: MemScan:Trojan.Vundo.AF

C:\WINDOWS\system32\mljij.dll
Disinfection failed

C:\WINDOWS\system32\mljij.dll
Deleted

C:\shell\apps\altab\VerCheck.exe
Infected with: Generic.Malware.dld!!.9BB4FCB4

C:\shell\apps\altab\VerCheck.exe
Disinfection failed

C:\shell\apps\altab\VerCheck.exe
Deleted


I noticed a weird folder that wasn't there before: C:\bintheredunthat

Even after getting rid of all the viruses and trojans that were found, my computer is unusually sluggish, especially when connected to the internet. I guess there's something still there.

I used PC Tools Spyware Doctor and removed:

VX2.Look2Me
EliteBar
Virtumonde

Then after restarting the computer Spyware Doctor detected both EliteBar and VX2.Look2Me trying to load back in again... what's going on :(

Thanks for your help

Edited by nearlyasian, 02 March 2007 - 09:37 AM.


#2 nearlyasian (Authentic Member, 21 posts)

Posted 02 March 2007 - 09:32 AM

Here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:57 AM, on 3/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\CRW\shwicon.exe
C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
C:\WINDOWS\System32\ZCfgSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\FixCamera.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\shell\RocketDock\RocketDock.exe
C:\shell\rainlender2\Rainlendar2.exe
C:\shell\UberIcon\UberIcon Manager.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\shell\Rainmeter\Rainmeter.exe
C:\shell\Styler\Styler.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Maxthon2\Maxthon.exe

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\shell\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\shell\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\shell\rainlender2\Rainlendar2.exe
O4 - HKCU\..\Run: [UberIcon] "C:\shell\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainmeter.lnk = C:\shell\Rainmeter\Rainmeter.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.li.../Photosynth.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by nearlyasian, 02 March 2007 - 09:32 AM.
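The rest of this thread comes down to reading HijackThis logs for leftovers, so here is an added Python triage helper (not part of the thread, and not HijackThis's own tooling) that parses entries in the v1.99.1 layout and flags the patterns the helpers look for: BHOs registered without a name, registrations whose file is missing, RunOnce entries, unbalanced quotes in service paths, and repeated Winsock LSP dlls. The sample log is constructed from the kinds of lines posted in this thread, with the user profile path generalised.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v1.99.1 layout seen in this thread; the
# entries are modelled on lines posted here, with the user path generalised.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:12:29 AM, on 4/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {3FA9063E-539E-4042-87EA-F1D29C8213C4} - C:\WINDOWS\system32\fccbxyy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {C2A27A37-D501-4275-B33D-87622EC36505} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\User\Desktop\vundofix.exe"
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str                # HijackThis section code, e.g. "O2"
    line: str                   # the log line (or LSP dll) that triggered it
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that shows a pattern worth a closer look.

    This does not decide what is malicious; it surfaces the entries a helper
    would want the poster to look up (CLSID, dll name) before fixing anything.
    """
    findings: list[Finding] = []
    lsp_dlls: Counter[str] = Counter()

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                    # header lines and running processes
        section, body = m.group(1), m.group(2)
        reasons: list[str] = []

        # BHOs / toolbars with no friendly name: legitimate products almost
        # always register one, the Vundo-style dlls in this thread do not.
        if section in ("O2", "O3") and "(no name)" in body:
            reasons.append("BHO/toolbar registered without a name")

        # A registration whose target no longer exists is left over from a
        # removal (or from one that did not finish) and should be cleaned up.
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registration points at a file that is not on disk")

        # RunOnce entries fire at the next logon; here it is the VundoFix
        # reboot step, but an unexpected one deserves a look.
        if section == "O4" and "RunOnce" in body:
            reasons.append("RunOnce entry scheduled for next logon")

        # A service ImagePath with an odd number of quotes is malformed, which
        # is why HijackThis reports the avast! scanner services as missing.
        if section == "O23" and body.count('"') % 2 == 1:
            reasons.append("unbalanced quote in service path")

        # Winsock LSP dlls: count them, report repeats after the loop.
        if section == "O10":
            lsp_dlls[body.rsplit(": ", 1)[-1].lower()] += 1

        if reasons:
            findings.append(Finding(section, line, reasons))

    for dll, n in lsp_dlls.items():
        if n > 1:
            findings.append(Finding("O10", dll, [
                f"LSP dll chained {n} times; normal for a filter product, "
                "but confirm that product is still installed"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


def flagged_clsids(findings: list[Finding]) -> set[str]:
    """CLSIDs of flagged entries, the key a helper would look up."""
    return {c.upper() for f in findings for c in CLSID_RE.findall(f.line)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
```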


#3 nearlyasian (Authentic Member, 21 posts)

Posted 02 March 2007 - 11:03 AM

OK, just ran Spybot again after uploading the latest definitions and found Nurech... and from what I can see this is a nasty trojan downloader... I wonder if that is the root of my problems... or just a secondary problem... any help on this one? Thanks

Edited by nearlyasian, 02 March 2007 - 11:04 AM.


#4 eharri2 (Authentic Member, 63 posts)

Posted 02 March 2007 - 01:10 PM

Hey nearlyasian, I'm not gonna give you advice on what to do because I'm definitely not nearly qualified to tell you what to do; however, I can tell you that we have the same problem with that consistent slowing down when logged on to the internet and random problems with programs. A few hours ago, someone on TomCoyote looked at my processes and did recognize that I had a Trojan infection. They asked me to move from Computer Help to HijackThis Logs and Spyware/Malware Removal and are currently working on my process list. If your problem isn't fixed by the time mine is, I guess you can just look at the way they fixed my computer and just see if that works for you or not. Regards, eharri2

#5 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 02 March 2007 - 08:22 PM

Top of the page eharri2 ;)

ONLY authorized members are allowed to reply to topics in this forum. This is due to damage that can be caused by improper advice.

Also, adding to the thread makes us think they are being helped when the thread doesn't show a zero reply.

nearlyasian

Run this online scan and post the results here.

#6 nearlyasian (Authentic Member, 21 posts)

Posted 02 March 2007 - 10:08 PM

Thanks a lot for replying.

I tried to run the Panda scan and avast recognized the process as a virus:

Filename: http://acs.pandasoft...#092;pskavs.DLL
Malware name: Win32:CTX
Malware type: Virus/Worm
VPS version: 000721-0, 02/03/2007

and the only option it gave me was to abort the connection.

Do I need to disable avast antivirus to run it?

#7 nearlyasian (Authentic Member, 21 posts)

Posted 02 March 2007 - 11:59 PM

OK, I read up that avast and Panda usually have that problem; I disabled the antivirus just to install the ActiveX component of Panda, then re-enabled it. This is the result of the Panda scan:

Incident | Status | Location
Potentially unwanted tool:Application/VSToolbar | Not disinfected | C:\WINDOWS\system32\fccbxyy.dll
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\SYSTEM32\Process.exe
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\Tom Beckingham\Cookies\tom@toplist[2].txt
Hacktool:Exploit/iFrame | Not disinfected | C:\Documents and Settings\Tom Beckingham\Application Data\Thunderbird\Profiles\vvhxyivu.default\Mail\mail.iinet.net.au\Inbox.sbd\OLD[~0000415.~]
Hacktool:Exploit/iFrame | Not disinfected | C:\Documents and Settings\Tom Beckingham\Application Data\Thunderbird\Profiles\vvhxyivu.default\Mail\mail.iinet.net.au\Inbox Old.sbd\2001-2003[~0000415.~]
Hacktool:Exploit/iFrame | Not disinfected | D:\Backups\Thunderbird Profiles Backup 7-10-06.zip[Thunderbird/Profiles/vvhxyivu.default/Mail/mail.iinet.net.au/Inbox.sbd/old][~0000415.~]
Hacktool:Exploit/iFrame | Not disinfected | D:\Backups\Thunderbird Profiles Backup 7-10-06.zip[Thunderbird/Profiles/vvhxyivu.default/Mail/mail.iinet.net.au/Inbox Old.sbd/2001-2003][~0000415.~]

#8 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 03 March 2007 - 06:04 AM

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Post the contents of C:\vundofix.txt and a new HiJackThis log.


#9 nearlyasian (Authentic Member, 21 posts)

Posted 03 March 2007 - 08:43 AM

When I run it, it gives me no option to run as a task... is this a problem??? I only see two options, Scan for Vundo... or Remove Vundo. Is this program being hijacked?

Edited by nearlyasian, 03 March 2007 - 08:47 AM.


#10 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 03 March 2007 - 10:20 AM

Sorry, there has been an update to the program.
  • Double-click VundoFix.exe to run it.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Post the log file when done.


#11 nearlyasian (Authentic Member, 21 posts)

Posted 03 March 2007 - 11:15 AM

OK, I ran it as you said; it scanned and found about 6 files. It removed 4 files successfully (hknmp.bak, pmnkh.dll, hknmp.ini, poppo.bak2), then said it would have to reboot in order to remove the other two ("fccbxyy.dll" and "oppop.dll"). It rebooted, at least into XP without loading everything else up; it said it removed those two files and then rebooted again. It didn't mention anything about the log file, and it wasn't in the same directory as VundoFix, so I'm not sure where to find it.

I ran a scan with VundoFix after the reboot and it came up clean,

and then here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:29 AM, on 4/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\CRW\shwicon.exe
C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
C:\WINDOWS\System32\ZCfgSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\FixCamera.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\shell\RocketDock\RocketDock.exe
C:\shell\rainlender2\Rainlendar2.exe
C:\shell\UberIcon\UberIcon Manager.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\shell\Rainmeter\Rainmeter.exe
C:\shell\Styler\Styler.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {3FA9063E-539E-4042-87EA-F1D29C8213C4} - C:\WINDOWS\system32\fccbxyy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {C2A27A37-D501-4275-B33D-87622EC36505} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {D43B78C8-D707-4C23-85B0-C29452032056} - C:\WINDOWS\system32\oppop.dll (file missing)
O2 - BHO: (no name) - {DA6E79EF-70B7-40DA-9275-DE6FBA614ECD} - (no file)
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\shell\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Tom Beckingham\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\shell\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\shell\rainlender2\Rainlendar2.exe
O4 - HKCU\..\Run: [UberIcon] "C:\shell\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainmeter.lnk = C:\shell\Rainmeter\Rainmeter.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.li.../Photosynth.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
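As an added example, not code from this thread or from the HijackThis or VundoFix tools, here is a small Python triage script for the kind of log posted above: it parses the O2 BHO lines, flags the unnamed entries whose DLL is gone or sits directly in system32 (the randomly named DLLs that VundoFix later removes), and reads VundoFix output to see which of those DLLs were actually deleted. The sample lines are constructed by copying entries from this thread; all function names are my own.

```python
import re

# Constructed sample input: O2 lines copied from the HijackThis log in this thread
# (backslashes are doubled only because this is a Python string literal).
HJT_SAMPLE = """\
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\\Program Files\\BitComet\\tools\\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {3FA9063E-539E-4042-87EA-F1D29C8213C4} - C:\\WINDOWS\\system32\\fccbxyy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {C2A27A37-D501-4275-B33D-87622EC36505} - (no file)
O2 - BHO: (no name) - {D43B78C8-D707-4C23-85B0-C29452032056} - C:\\WINDOWS\\system32\\oppop.dll (file missing)
"""

# Constructed sample input: lines copied from the VundoFix output later in this thread.
VUNDOFIX_SAMPLE = """\
Attempting to delete C:\\WINDOWS\\system32\\fccbxyy.dll
C:\\WINDOWS\\system32\\fccbxyy.dll Could not be deleted.
Attempting to delete C:\\WINDOWS\\system32\\fccbxyy.dll
C:\\WINDOWS\\system32\\fccbxyy.dll Has been deleted!
Attempting to delete C:\\WINDOWS\\system32\\oppop.dll
C:\\WINDOWS\\system32\\oppop.dll Has been deleted!
"""

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<target>.*)$", re.I)

def parse_bho(line):
    """Return name, CLSID, DLL path and a 'missing' flag for one O2 line, or None."""
    m = BHO_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    missing = target == "(no file)" or target.endswith("(file missing)")
    path = None if target == "(no file)" else target.replace(" (file missing)", "")
    return {"name": m.group("name"), "clsid": m.group("clsid"), "path": path, "missing": missing}

def suspicious_bhos(hjt_log):
    """Flag unnamed BHOs whose DLL is gone or lives directly in system32.
    The name alone is not enough: Spybot's SDHelper.dll also shows '(no name)'."""
    flagged = []
    for line in hjt_log.splitlines():
        bho = parse_bho(line)
        if bho is None or bho["name"] != "(no name)":
            continue
        in_system32 = bool(bho["path"] and re.search(r"\\system32\\[^\\]+$", bho["path"], re.I))
        if bho["missing"] or in_system32:
            flagged.append(bho)
    return flagged

def confirmed_deleted(vundofix_log):
    """Collect the paths VundoFix reports as 'Has been deleted!' (lower-cased for matching)."""
    return {line[:-len(" Has been deleted!")].strip().lower()
            for line in vundofix_log.splitlines() if line.endswith("Has been deleted!")}

def not_deleted_by_vundofix(hjt_log, vundofix_log):
    """CLSIDs of flagged BHOs whose DLL VundoFix did not report deleting; these still need follow-up."""
    deleted = confirmed_deleted(vundofix_log)
    return [b["clsid"] for b in suspicious_bhos(hjt_log)
            if not (b["path"] and b["path"].lower() in deleted)]
```

Entries with "(no file)" have no DLL for VundoFix to delete, so the script keeps reporting them as orphaned registry entries; a fresh HijackThis log is what shows whether the registry repair cleared them.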

#12 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests: spyware

Posted 03 March 2007 - 12:59 PM

Click Start, then My Computer, then Local Disk (C:), then follow the process tree: C:\vundofix.txt

#13 nearlyasian

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 03 March 2007 - 06:00 PM

VundoFix V6.3.12

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 1:34:01 AM 4/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\fccbxyy.dll
C:\WINDOWS\system32\hknmp.bak1
C:\WINDOWS\system32\hknmp.ini
C:\WINDOWS\system32\oppop.dll
C:\WINDOWS\system32\pmnkh.dll
C:\WINDOWS\system32\poppo.bak2
C:\WINDOWS\system32\poppo.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fccbxyy.dll
C:\WINDOWS\system32\fccbxyy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hknmp.bak1
C:\WINDOWS\system32\hknmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hknmp.ini
C:\WINDOWS\system32\hknmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oppop.dll
C:\WINDOWS\system32\oppop.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmnkh.dll
C:\WINDOWS\system32\pmnkh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\poppo.bak2
C:\WINDOWS\system32\poppo.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fccbxyy.dll
C:\WINDOWS\system32\fccbxyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oppop.dll
C:\WINDOWS\system32\oppop.dll Has been deleted!

Performing Repairs to the registry.
Done!

#14 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests: spyware

Posted 03 March 2007 - 07:12 PM

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

Can you remove one of your anti-virus programs? Then post a new HijackThis log.

Edited by little eagle, 03 March 2007 - 07:13 PM.


#15 nearlyasian

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 03 March 2007 - 08:23 PM

Oh, I don't have Norton AntiVirus installed; the only Symantec product I have installed is Ghost. I can uninstall that if you like.

Edited by nearlyasian, 03 March 2007 - 08:23 PM.
