Popups, Possible Winfixer, And Other Issues


This topic is locked. 8 replies to this topic.

#1 FFAeon (Authentic Member, 32 posts)

Posted 23 April 2007 - 10:34 PM

Hi, I was using Firefox and noticed some suspicious processes and files that started to run. At first I had popups, but I was able to clean some things using Ad-Aware. However, I noticed in the HijackThis log that a few suspicious entries now exist, especially when I renamed the hijackthis.exe file to test.exe to see if it would show any difference. Any help in this matter would be greatly appreciated.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:49 AM, on 4/24/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\oodag.exe
D:\WINDOWS\System32\svchost.exe
C:\RealVNC\WinVNC\WinVNC.exe
D:\WINDOWS\System32\MsPMSPSv.exe
G:\FireFox\firefox.exe
D:\WINDOWS\explorer.exe
C:\HiJackThis\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailymanga.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\System32\nbscghuf.dll (file missing)
O2 - BHO: (no name) - {34E2AF10-3282-1F58-A341-6BE33A90FD9C} - D:\WINDOWS\System32\ouutxxms.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - D:\WINDOWS\System32\khfefge.dll
O2 - BHO: (no name) - {909E7522-6177-4FD5-A733-5EF6F64AC0E4} - D:\WINDOWS\System32\mljjk.dll
O2 - BHO: (no name) - {918A2CAC-DF15-4860-9951-13E5CFF23CD0} - D:\WINDOWS\System32\mokdnpbe.dll (file missing)
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "G:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "G:\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: khfefge - D:\WINDOWS\SYSTEM32\khfefge.dll
O20 - Winlogon Notify: mljjk - D:\WINDOWS\System32\mljjk.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\PerfectDisk\PDSched.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\RealVNC\WinVNC\WinVNC.exe" -service (file missing)



#2 ken545 (Forum God, MVP, Retired Classroom Teacher, 23,225 posts; Interests: Fighting Malware and cooking some great Italian and TexMex food)

Posted 24 April 2007 - 04:25 PM

FFAeon :D

Welcome back to the forum. Your operating system is out of date and is letting this bad stuff in; we have cleaned you up numerous times and you keep coming back for help on account of it. After we get you clean, you need to update your system.


You're infected with Vundo, let's do this.

Print this out as we will be offline for part of the fix.


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Open HijackThis > Do a System Scan Only. Close your browser and all open windows (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\System32\nbscghuf.dll (file missing)
O2 - BHO: (no name) - {34E2AF10-3282-1F58-A341-6BE33A90FD9C} - D:\WINDOWS\System32\ouutxxms.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - D:\WINDOWS\System32\khfefge.dll
O2 - BHO: (no name) - {909E7522-6177-4FD5-A733-5EF6F64AC0E4} - D:\WINDOWS\System32\mljjk.dll
O2 - BHO: (no name) - {918A2CAC-DF15-4860-9951-13E5CFF23CD0} - D:\WINDOWS\System32\mokdnpbe.dll (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe

O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)

O20 - Winlogon Notify: khfefge - D:\WINDOWS\SYSTEM32\khfefge.dll
O20 - Winlogon Notify: mljjk - D:\WINDOWS\System32\mljjk.dll




Run this system cleaner.


Download and Install CCleaner
If you don't want the Yahoo Toolbar, be sure to uncheck it during installation.
  • Click on Run Cleaner
  • Run the Issues Scan <-- After it scans your system, when you click on the Fix button and it asks you to back up the Registry, say Yes
Tutorial for CCleaner




Download: DelDomains and save it to the desktop.
  • Close all open windows and your browser
  • Right Click DelDomains.inf and select > Install
  • Reboot your computer

I need to see the Vundo log and a New HJT log please

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.
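The HijackThis entries ken545 asks to have fixed above follow a recognisable pattern: unnamed BHOs whose DLLs sit in System32 under random-looking names, the same DLLs registered a second time as Winlogon Notify handlers, and a batch of Trusted Zone additions for rogue-security-product domains. The script below is an added example, not part of the thread and not HijackThis or VundoFix code, that parses log lines in HijackThis v1.99 format and flags those three patterns so a helper can triage a pasted log before reading it line by line. The sample lines are copied from the thread's own log plus two constructed benign entries for contrast (a `*.corp-intranet.example` Trusted Zone entry and a `crypt32chain` Winlogon Notify entry). The `RANDOM_DLL_RE` heuristic, the severity labels and the allowlist are assumptions of this example, not anything HijackThis itself computes.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample in HijackThis v1.99.1 format. The O2/O15/O20 lines are the
# ones ken545 asked to have fixed; the corp-intranet O15 and crypt32chain O20
# lines are constructed benign entries so the heuristics have something to pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailymanga.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\System32\nbscghuf.dll (file missing)
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - D:\WINDOWS\System32\khfefge.dll
O2 - BHO: (no name) - {909E7522-6177-4FD5-A733-5EF6F64AC0E4} - D:\WINDOWS\System32\mljjk.dll
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.corp-intranet.example (HKLM)
O20 - Winlogon Notify: khfefge - D:\WINDOWS\SYSTEM32\khfefge.dll
O20 - Winlogon Notify: mljjk - D:\WINDOWS\System32\mljjk.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed allowlist of Trusted Zone domains the helper knows to be legitimate.
TRUSTED_ALLOWLIST = frozenset({"*.corp-intranet.example"})

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+) \((?P<hive>HKLM|HKCU)\)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# Heuristic (assumption of this example): Vundo-era droppers used short,
# all-lowercase, digit-free DLL names dropped straight into System32.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,10}\.dll$")


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def analyze(log_text: str, trusted_allowlist: frozenset = frozenset()) -> list:
    """Return a list of Finding for the suspicious patterns in a HijackThis log."""
    findings = []
    bho_dlls = set()       # DLL basenames seen as O2 BHOs, for the O20 cross-check
    notify_entries = []    # O20 entries, checked after all O2 lines are known

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        if kind == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            name = basename(b.group("path"))
            bho_dlls.add(name)
            if b.group("missing"):
                findings.append(Finding("low", "BHO CLSID registered but DLL missing (orphaned entry, still worth fixing)", line))
            if b.group("name") == "(no name)" and in_system32(b.group("path")) and RANDOM_DLL_RE.match(name):
                findings.append(Finding("high", "unnamed BHO with random-looking DLL name in System32", line))

        elif kind == "O15":
            t = TRUSTED_RE.match(body)
            if t and t.group("domain") not in trusted_allowlist:
                findings.append(Finding("medium", "Trusted Zone entry not on allowlist (lowers IE security for that domain)", line))

        elif kind == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                notify_entries.append((n, line))

    # Second pass: a DLL that is both a BHO and a Winlogon Notify handler is the
    # classic Vundo persistence pair seen in the thread (khfefge.dll, mljjk.dll).
    for n, line in notify_entries:
        name = basename(n.group("path"))
        if name in bho_dlls:
            findings.append(Finding("high", "same DLL registered as BHO and Winlogon Notify handler (Vundo-style persistence)", line))
        elif in_system32(n.group("path")) and RANDOM_DLL_RE.match(name):
            findings.append(Finding("medium", "Winlogon Notify handler with random-looking DLL name in System32", line))

    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 5, 'medium': 2, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, TRUSTED_ALLOWLIST)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

The two-pass structure matters: the O20 check needs the full set of BHO DLL names before it can cross-reference, and that cross-reference is the strongest signal in the log, since a legitimate BHO has no reason to also hook Winlogon. The `(file missing)` entries are reported at low severity because the DLL is gone but the registry reference remains, which is exactly why ken545 still lists them for Fix Checked.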

#3 FFAeon (Authentic Member, 32 posts)

Posted 24 April 2007 - 06:19 PM

Hey, thanks for the reply. The main reason why I haven't updated yet was that I was afraid of incompatibilities and problems that might occur with some of the updates (as I've heard about SP2), and I wasn't sure what would be most recommended in this case. I would appreciate any advice in this matter.

Soon after I posted the HijackThis log, my system was being overloaded with what seemed like a virus with hundreds of popups, so I tried to restart in safe mode, but was forced to do a system restore to a few days ago, before this problem occurred. I ran some scans and deleted what I could afterwards as well, but I'm sure there are still traces of what's left. I started your instructions right after this.

As per your instructions, here's the VundoFix log (should that Java version be updated?):

VundoFix V6.3.20

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:27:15 PM 4/24/2007

Listing files found while scanning....

D:\WINDOWS\system32\vtuuuuv.dll

Beginning removal...

Attempting to delete D:\WINDOWS\system32\vtuuuuv.dll
D:\WINDOWS\system32\vtuuuuv.dll Has been deleted!

Performing Repairs to the registry.
Done!

-------------------------------------------------------------

Here's the new HijackThis log (look.exe log):

Logfile of HijackThis v1.99.1
Scan saved at 8:20:36 PM, on 4/24/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\oodag.exe
D:\WINDOWS\System32\svchost.exe
C:\RealVNC\WinVNC\WinVNC.exe
D:\WINDOWS\System32\MsPMSPSv.exe
G:\FIREFOX\FIREFOX.EXE
D:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\look.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailymanga.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "G:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "G:\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\PerfectDisk\PDSched.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

---------------------------------------

Thanks for the help.

#4 ken545 (Forum God, MVP, Retired Classroom Teacher, 23,225 posts)

Posted 24 April 2007 - 07:17 PM

FFAeon,

You did well, your log looks fine. :thumbup: One of the main reasons that some people don't upgrade to SP2 is because they heard that it has caused problems. That's true if you don't do it properly. Between work, friends and working on computers on the weekends, I have upgraded to SP2 on over 100 machines with no problems. We can get into this when we are sure you're all clean.

I would like you to run these files through Killbox.

Download Pocket Killbox to your desktop.

Highlight all the files with the complete path inside the quote and press Ctrl C on your keyboard.
    D:\WINDOWS\System32\khfefge.dll
    D:\WINDOWS\System32\mljjk.dll
    D:\WINDOWS\System32\mokdnpbe.dll
    D:\WINDOWS\System32\nbscghuf.dll
    D:\WINDOWS\System32\ouutxxms.dll

  • Open Pocket Killbox
  • Go to File > Paste from clipboard
  • Set it to Delete on Reboot
  • Tick the box that says End Explorer shell while killing file
  • If it's not greyed out, click the radio button that says Unregister .dll before deleting.
  • Make sure ALL Files is selected
  • Click on the Red circle with the white X
  • It will ask you to confirm the deletion, say yes
  • It will ask you to reboot, say yes
If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.



Since you had such a nasty infection on your system, let's run the trial of AVG Anti-Spyware. Be sure to follow the instructions to remove or quarantine what it finds, and I need to see the report; it will tell me what was and was not removed, along with possible tell-tale signs that could show if something is still lurking on your system. So be sure to save the report so you can post it in your next reply.

Download and install the 30 day trial of AVG Anti-Spyware 7.5 to your desktop.
  • Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG and update the definition files.
  • On the main screen select the icon Update then select the Update now link.
  • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
  • Under Reports
  • Select Automatically generate report after every scan
  • Un-Select Only if threats were found
  • Close AVG Anti-Spyware 7.5 <-- Do not run the scan yet.
Boot your computer into Safemode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to SAFEMODE
  • Then press the Enter on your Keyboard
Tutorial if you need it How to boot into Safemode


IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
  • Make sure to remember where you saved that file; this is important
  • Close AVG Anti-Spyware 7.5

Let me see the AVG report and a New HJT log please.



#5 FFAeon (Authentic Member, 32 posts)

Posted 25 April 2007 - 11:32 AM

Here's the scanner report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:24:57 PM 4/25/2007

+ Scan result:



D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050840.exe -> Adware.Agent : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050774.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050775.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050776.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050779.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050796.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050797.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050809.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050815.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050816.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050817.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Documents and Settings\KC\Application Data\Αdobe\wυcrtupd.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050704.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050705.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050773.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050800.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050801.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050802.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP456\A0046689.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050777.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050781.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050803.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050804.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050805.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050811.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050768.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050771.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050782.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050782.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050782.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050835.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050837.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050834.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050858.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
D:\VundoFix Backups\vtuuuuv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP456\A0047677.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050812.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050838.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050810.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050824.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050808.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050822.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050813.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050692.EXE -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
D:\WINDOWS\system32\torm.dll -> Logger.Banker.cnx : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050799.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050807.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050814.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050821.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP456\A0046688.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050823.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
D:\RECYCLER\bin32\PSKILL.EXE -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP456\A0047685.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050689.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050828.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP456\A0047686.dll -> Proxy.Agent.jk : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050688.dll -> Proxy.Agent.jk : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050798.dll -> Proxy.Agent.jk : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050787.exe -> Proxy.Agent.lp : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
D:\WINDOWS\system32\config\systemprofile\Cookies\system@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.44:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.45:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\KC\Cookies\kc@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\KC\Cookies\kc@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
D:\WINDOWS\system32\config\systemprofile\Cookies\system@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.25:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.28:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.29:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.30:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\KC\Cookies\kc@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.26:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.27:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050778.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050767.exe -> Trojan.Rond : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP456\A0047676.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050793.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
D:\WINDOWS\ase.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
D:\WINDOWS\sys02398568454.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050788.exe -> Worm.Zhelatin.cz : Cleaned with backup (quarantined).


::Report end

-----------------------------------------

Here's the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:36:52 PM, on 4/25/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\AVG Anti-Spyware 7.5\avgas.exe
G:\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\oodag.exe
D:\WINDOWS\System32\svchost.exe
C:\RealVNC\WinVNC\WinVNC.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\System32\wuauclt.exe
G:\FIREFOX\FIREFOX.EXE
C:\HiJackThis\look.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailymanga.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "G:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "G:\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\PerfectDisk\PDSched.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

--------------------------------------------

Thanks again.
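The AVG Anti-Spyware report and HijackThis log above are plain text with a fixed shape, so the triage a helper does by eye (which hits sat in live locations, which were only copies inside System Restore points, which were tracking cookies, and which O23 services have no publisher or a binary HijackThis could not find) can be scripted. The PowerShell below is an added example, not code from this thread or from the AVG or HijackThis tools; the sample lines are a constructed subset copied from the log format posted above, and the function and parameter names are my own.

```powershell
# Added example (not from the thread, not from AVG or HijackThis): classify
# AVG Anti-Spyware 7.5 report lines and flag HijackThis O23 service entries.
# Sample input is a constructed subset of the log format posted above.

$avgReport = @'
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050688.dll -> Proxy.Agent.jk : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
D:\WINDOWS\system32\config\systemprofile\Cookies\system@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.44:D:\Documents and Settings\KC\Application Data\Mozilla\Firefox\Profiles\default.z4q\cookies.txt -> TrackingCookie.Advertising : Cleaned.
D:\WINDOWS\ase.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{4B3EF653-F7AB-4CE2-9014-F4AD7FD93E8E}\RP457\A0050788.exe -> Worm.Zhelatin.cz : Cleaned with backup (quarantined).
'@ -split "`r?`n"

$hjtLog = @'
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
'@ -split "`r?`n"

function ConvertFrom-AvgReportLine {
    # One object per report line of the form: <path> -> <detection> : <action>
    # Firefox cookie hits carry a ":mozilla.N:" prefix because they are records
    # inside a single cookies.txt, not separate files on disk.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Line)
    process {
        $re = '^(?<prefix>:mozilla\.\d+:)?(?<path>[A-Za-z]:\\.+?) -> (?<name>\S+) : (?<action>.+)$'
        if (-not ($Line -match $re)) { return }   # skip headers, blank lines, "::Report end"
        $path = $Matches['path']
        $class = if ($Matches['prefix'] -or $Matches['name'] -like 'TrackingCookie.*') {
                     'Cookie'         # tracking cookie: a nuisance, not executable code
                 } elseif ($path -match '\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\') {
                     'RestorePoint'   # copy inside a restore point: comes back if that point is restored
                 } else {
                     'Live'           # file in a live location on the running system
                 }
        New-Object PSObject -Property @{
            Class       = $class
            Detection   = $Matches['name']
            Path        = $path
            Quarantined = ($Matches['action'] -like '*quarantined*')
        }
    }
}

function Get-SuspectO23Service {
    # HijackThis O23 line: "O23 - Service: <display> (<short>) - <company> - <image>"
    # Flags services that report no publisher and services whose binary HJT could not find.
    param([string[]]$HjtLines)
    foreach ($l in $HjtLines) {
        if (-not ($l -match '^O23 - Service: (?<display>.+?) - (?<owner>.+?) - (?<image>.+)$')) { continue }
        $why = @()
        if ($Matches['owner'] -eq 'Unknown owner')      { $why += 'no publisher' }
        if ($Matches['image'] -like '*(file missing)*') { $why += 'binary not found' }
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                Service = $Matches['display']
                Image   = $Matches['image']
                Why     = ($why -join ', ')
            }
        }
    }
}

$hits = $avgReport | ConvertFrom-AvgReportLine
$hits | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
# Anything classed RestorePoint is reintroduced the moment an old restore point is used:
$hits | Where-Object { $_.Class -eq 'RestorePoint' } | Select-Object Detection, Path
Get-SuspectO23Service $hjtLog | Format-Table -AutoSize
```

Paste the full report and log into the two here-strings to run it over a real case. A service flagged "no publisher" is not proof of anything bad (plenty of legitimate installers leave the company field empty), and a "binary not found" entry is often just a mangled image path like the quoted WinVNC one, but both are the entries worth checking by hand before calling a log clean.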

#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 25 April 2007 - 11:44 AM

Your HJT log looks clean :thumbup: AVG found a few bad files and removed them, the rest were harmless cookies, but you have some serious stuff in your System Restore Program that we need to remove so as not to reinfect yourself.

First Open AVG and go to the Quarantine folder and remove it all, nothing in there you want to keep.

Follow this to flush out your System Restore Program and I can't stress enough how important it is to Create a New Restore Point.



System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.
  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Turn ON System Restore.
  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
  • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point <--You will have to be in Category View to see this
    You can name the restore point anything you like, something that you can remember
System Restore Tutorial <-- If you need it


How are things running now??

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.
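The flush described in the reply above (turn System Restore off on every drive, turn it back on, then create a fresh restore point) can be done from the command line on later Windows versions. The script below is an added example, not part of the original thread; it assumes PowerShell 2.0 or newer with the Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint cmdlets available (Windows client editions; these cmdlets did not exist on the XP machine in this thread) and an elevated prompt. The drive letters and the function name are my own.

```powershell
# Added example (not from the thread): the System Restore flush as a script.
# Assumes PowerShell 2.0+ on a Windows client edition, run elevated.
# Drive letters are an assumption; pass every drive that has System Restore on.

function Reset-SystemRestorePoints {
    param(
        [string[]]$Drive = @('C:\'),
        [string]$Description = 'Clean point after malware removal'
    )

    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Verbose ("Restore points before flush: {0}" -f $before.Count)

    # Turning System Restore off deletes every restore point on those drives,
    # which is where the _restore{GUID}\RPnnn copies of the malware live.
    Disable-ComputerRestore -Drive $Drive -ErrorAction Stop
    Enable-ComputerRestore  -Drive $Drive -ErrorAction Stop

    # A new, known-clean point so a future rollback does not bring the infection back.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS -ErrorAction Stop

    # Verify rather than trust: the new point must be the one listed.
    $after = @(Get-ComputerRestorePoint)
    $fresh = @($after | Where-Object { $_.Description -eq $Description })
    if ($fresh.Count -eq 0) {
        throw "Checkpoint-Computer returned but no restore point named '$Description' exists."
    }

    New-Object PSObject -Property @{
        PointsBefore = $before.Count
        PointsAfter  = $after.Count
        NewPoint     = $fresh[0]
    }
}

# Usage (elevated prompt); list every protected drive, not just the system drive:
# Reset-SystemRestorePoints -Drive 'C:\','D:\' -Verbose
```

Two caveats a practitioner should know: disabling protection deletes all restore points on the named drives, so anything you still wanted from them is gone, and on Windows 8 and later Checkpoint-Computer silently skips a new point if one was created within the last 24 hours; that limit does not bite here because the flush has just removed them all.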

#7 FFAeon

FFAeon

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 25 April 2007 - 02:26 PM

Things seem to be running perfectly, thanks a lot for the help once again. The AVG Anti-Spyware tool seems like a good program to use to prevent some attacks from occurring; I didn't realize I had so much junk in my restore points and other areas.

#8 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 25 April 2007 - 04:54 PM

AVG Anti-Spyware is yours to keep after the trial: you can still check for updates, run scans and remove what it finds. You will just lose the Background Guard feature after the trial, so it's your call if you want to keep it or not.


Malware Complaints
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent? You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.


Here are some free programs to install; don't leave home without them:
  • Spybot Search and Destroy 1.4
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.
  • Ad-Aware SE Personal 1.06
    Check for Updates and run a Full System Scan on a regular basis.
  • Spyware Blaster It will prevent most spyware from ever being installed.
  • Spyware Guard It offers realtime protection from spyware installation attempts.
  • Win Patrol This program will warn you when any changes are being made to your system and give you the option to deny the change.
  • IE-Spyad
    IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
  • Zone Alarm Here is a free firewall from Zone Labs; I wouldn't access the internet without it.
Thanks for stopping by Tom Coyote, I'm glad I was able to help you. :D

 
 

#9 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 May 2007 - 10:42 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

 
 
