Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Spyware Desktop Problems


  • This topic is locked This topic is locked
6 replies to this topic

#1 MoeABM

MoeABM

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 15 March 2007 - 01:19 AM

My friends computer is gettin many popups

WSC has detected spyware/adware and is preventing any changes to the desktop.
The computer is running slow and ram is filling up quickly

Please help

heres his log

===============

Logfile of HijackThis v1.99.1
Scan saved at 12:06:29 AM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
C:\Program Files\SpamBlockerUtility\SBTV\SBTV.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\N.NICK\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [bulhmrjd] C:\WINDOWS\system32\rsifgqry.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\tkwkbrrq.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156641162765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156641153218
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    Advertisements

Register to Remove


#2 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 15 March 2007 - 07:13 AM

Hi MoeABM

VundoFix

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please post, as a reply to this thread:
  • The VundoFix report (C:\vundofix.txt)
  • A new HijackThis log

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#3 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 20 March 2007 - 07:41 AM

It's been a few days since I posted. Are you having problems with the 'fix'? Please let me know whether you still want our help to clean your computer.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#4 MoeABM

MoeABM

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 21 March 2007 - 09:26 PM

sorry its been a while since I've been over here. here is the updated log and vundofix


==============================================================

==============================================================

Logfile of HijackThis v1.99.1
Scan saved at 8:22:35 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\N.NICK\Desktop\VundoFix.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\N.NICK\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C9B2ADF-8FB5-49F5-BF64-C18F75C9DD8D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {4A67FAA2-7FF1-40A9-B22B-058E2FCE5BD5} - C:\WINDOWS\system32\ywwcfxse.dll
O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107D98AE75760EA83FA5EF80752B94E2DD7B5C7A422D38C3 - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\spamblockerutility\sbtv\sbtvhelper.dll
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O2 - BHO: Class - {9CF9F097-E6B3-0F90-4E57-90FC20A89181} - C:\WINDOWS\uyqkp1.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\wwxlfjay.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156641162765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156641153218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

==============================================================

==============================================================


VundoFix V6.3.16

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 6:33:08 PM 3/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\dlnvgqjd.dll
C:\WINDOWS\system32\dopygloy.exe
C:\WINDOWS\system32\elsscref.exe
C:\WINDOWS\system32\ghkmp.bak1
C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\gycmcthv.exe
C:\WINDOWS\system32\hsabdfby.exe
C:\WINDOWS\system32\ngugepir.ini
C:\WINDOWS\system32\oqiorvwk.dll
C:\WINDOWS\system32\pigrdlij.dll
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pvylvxeu.exe
C:\WINDOWS\system32\ripegugn.dll
C:\WINDOWS\system32\uoiwwusd.dll
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\vwquskpt.dll
C:\WINDOWS\system32\xdheicqe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dlnvgqjd.dll
C:\WINDOWS\system32\dlnvgqjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dopygloy.exe
C:\WINDOWS\system32\dopygloy.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\elsscref.exe
C:\WINDOWS\system32\elsscref.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghkmp.bak1
C:\WINDOWS\system32\ghkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\ghkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gycmcthv.exe
C:\WINDOWS\system32\gycmcthv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hsabdfby.exe
C:\WINDOWS\system32\hsabdfby.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ngugepir.ini
C:\WINDOWS\system32\ngugepir.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqiorvwk.dll
C:\WINDOWS\system32\oqiorvwk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pigrdlij.dll
C:\WINDOWS\system32\pigrdlij.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkhg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pvylvxeu.exe
C:\WINDOWS\system32\pvylvxeu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ripegugn.dll
C:\WINDOWS\system32\ripegugn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uoiwwusd.dll
C:\WINDOWS\system32\uoiwwusd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\urqqonl.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xdheicqe.dll
C:\WINDOWS\system32\xdheicqe.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\urqqonl.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.3.16

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

#5 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 22 March 2007 - 06:07 AM

Please download the Gromozon Removal Tool from here and save it on your desktop.

DO NOT RUN IT YET.

---------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
------------------------------------------------

Run the Gromozon Removal Tool
  • Double-click the icon on your desktop to run the fix.
  • Follow the prompts and let the tool reboot your machine.
  • Once back in Windows, the removal tool will complete its scanning cycle which could take several minutes.
  • A log file will be generated which you can find at C:\gromozon_removal.log
-----------------------------------------------

Please post:
  • The Gromozon Removal log
  • A new HijackThis log

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#6 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 26 March 2007 - 04:44 AM

Good morning. It's been a few days since I posted. Are you having problems with the 'fix'? Please let me know whether you still want our help to clean your computer.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#7 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 29 March 2007 - 03:19 AM

Due to a lack of a responce this topic is now closed.

If you wish it reopened, please send us an email ( Click for address ) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

To help keep your PC clean follow the recommendations here by shelf life.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users