Full Version: Malware
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
seanieoreilly
Hi all,

Below is a copy of my hijackthis and ad-aware log files. Please help!

Logfile of HijackThis v1.99.1
Scan saved at 03:16:27, on 21/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINNT\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINNT\hh.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\Rar$EX00.040\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {5E3C7B90-B0D0-4928-BEB6-F058D387755D} - 321102.dll (file missing)
R3 - URLSearchHook: (no name) - {5425E756-770E-E59F-700F-CA0F3F013F2F} - ParisM.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [new32] NsCplTray.exe
O4 - HKLM\..\Run: [MONITER] SysSupport.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DCC_send] MSTCPDLL.exe
O4 - HKLM\..\Run: [iehelper] runload32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [sysconf16] startman.exe
O4 - HKCU\..\Run: [keybdll] sysconf16.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [___] teqq32.exe
O4 - HKCU\..\Run: [WinInitDll] TForm1.exe
O4 - HKCU\..\Run: [progmen] xxtoolbar.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WASTE.lnk = C:\Program Files\WASTE\WASTE.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/...E_5.3.0.228.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.pixdiscount.ie/clients/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.ie/clients/uploader.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{634EC378-2EF5-4646-9D9D-C8A24E0F7E81}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe





Ad-Aware SE Build 1.06r1
Logfile Created on:21 November 2006 03:25:00
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:Se1R134 20.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


21-11-2006 03:25:00 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator.SEAN.000\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1957994488-839522115-500\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1957994488-839522115-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1957994488-839522115-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1957994488-839522115-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1957994488-839522115-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 204
ThreadCreationTime : 21-11-2006 02:24:50
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 232
ThreadCreationTime : 21-11-2006 02:26:04
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 252
ThreadCreationTime : 21-11-2006 02:26:06
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 280
ThreadCreationTime : 21-11-2006 02:26:09
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 292
ThreadCreationTime : 21-11-2006 02:26:09
BasePriority : Normal
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [sched.exe]
FilePath : C:\Program Files\AntiVir PersonalEdition Classic\
ProcessID : 544
ThreadCreationTime : 21-11-2006 02:26:18
BasePriority : Normal


#:7 [hidserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 600
ThreadCreationTime : 21-11-2006 02:26:20
BasePriority : Normal
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : HIDSERV.EXE

#:8 [nvsvc32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 21-11-2006 02:26:21
BasePriority : Normal
FileVersion : 6.13.10.4258
ProductVersion : 6.13.10.4258
ProductName : NVIDIA Driver Helper Service, Version 42.58
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 42.58
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:9 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 676
ThreadCreationTime : 21-11-2006 02:26:22
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:10 [stisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 744
ThreadCreationTime : 21-11-2006 02:26:27
BasePriority : Normal
FileVersion : 5.00.2195.6656
ProductVersion : 5.00.2195.6656
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1996-1997
OriginalFilename : STIMON.EXE

#:11 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 904
ThreadCreationTime : 21-11-2006 02:26:59
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:12 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 748
ThreadCreationTime : 21-11-2006 02:27:01
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:13 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 496
ThreadCreationTime : 21-11-2006 02:42:15
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:14 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1500
ThreadCreationTime : 21-11-2006 02:43:16
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:15 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1120
ThreadCreationTime : 21-11-2006 02:43:17
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:16 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 1180
ThreadCreationTime : 21-11-2006 02:43:18
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:17 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1244
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal
FileVersion : 7.0.4
ProductVersion : QuickTime 7.0.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe

#:18 [realmon.exe]
FilePath : C:\PROGRA~1\CA\ETRUST~1\
ProcessID : 884
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal
FileVersion : 7.0.139.0
ProductVersion : 7.0.139.0
ProductName : eTrust Antivirus
CompanyName : Computer Associates International, Inc.
InternalName : Realmon.exe
LegalCopyright : Copyright 2003 Computer Associates International, Inc.
LegalTrademarks : InoculateIT ™ is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : Realmon.exe
Comments : eTrust Antivirus English Version

#:19 [avgnt.exe]
FilePath : C:\Program Files\AntiVir PersonalEdition Classic\
ProcessID : 888
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal


#:20 [hpwuschd2.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ProcessID : 876
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal
FileVersion : 2, 0, 39, 0
ProductVersion : 2, 0, 39, 0
ProductName : Hewlett-Packard hpwuSchd
CompanyName : Hewlett-Packard Company
FileDescription : hpwuSchd
InternalName : hpwuSchd
LegalCopyright : Copyright © 2003
OriginalFilename : hpwuSchd2.exe

#:21 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ProcessID : 868
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal
FileVersion : 2.1.1.0
ProductVersion : 2.1.5
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright © Hewlett-Packard. 2002-2004
OriginalFilename : HpCmpMgr.exe

#:22 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 844
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal


#:23 [daemon.exe]
FilePath : C:\Program Files\DAEMON Tools\
ProcessID : 388
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal


#:24 [internat.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1064
ThreadCreationTime : 21-11-2006 02:43:19
BasePriority : Normal
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Keyboard Language Indicator Applet
InternalName : INTERNAT
LegalCopyright : Copyright © Microsoft Corp. 1994-1999
OriginalFilename : INTERNAT.EXE

#:25 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 1200
ThreadCreationTime : 21-11-2006 02:43:20
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:26 [wweb32.exe]
FilePath : C:\Program Files\WordWeb\
ProcessID : 1324
ThreadCreationTime : 21-11-2006 02:43:21
BasePriority : Normal
FileVersion : 4.0.0.0
ProductVersion : 4.0.0.0
ProductName : WordWeb
CompanyName : Antony Lewis
FileDescription : WordWeb thesaurus/dictionary
LegalCopyright : Antony Lewis 2005
Comments : See wordweb.info

#:27 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 524
ThreadCreationTime : 21-11-2006 02:56:24
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:28 [taskmgr.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1100
ThreadCreationTime : 21-11-2006 03:00:14
BasePriority : High
FileVersion : 5.00.2195.6620
ProductVersion : 5.00.2195.6620
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : taskmgr.exe

#:29 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1172
ThreadCreationTime : 21-11-2006 03:12:01
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:30 [hh.exe]
FilePath : C:\WINNT\
ProcessID : 1004
ThreadCreationTime : 21-11-2006 03:12:12
BasePriority : Normal
FileVersion : 5.2.3644.0
ProductVersion : 5.2.3644.0
ProductName : HTML Help
CompanyName : Microsoft Corporation
FileDescription : Microsoft® HTML Help Executable
InternalName : HH 1.4
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : HH.exe

#:31 [winrar.exe]
FilePath : C:\Program Files\WinRAR\
ProcessID : 1340
ThreadCreationTime : 21-11-2006 03:15:59
BasePriority : Normal


#:32 [hijackthis.exe]
FilePath : C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\Rar$EX00.040\
ProcessID : 912
ThreadCreationTime : 21-11-2006 03:16:06
BasePriority : Normal
FileVersion : 1.99.0001
ProductVersion : 1.99.0001
ProductName : HijackThis
CompanyName : Soeperman Enterprises Ltd.
FileDescription : HijackThis
InternalName : HijackThis
LegalCopyright : Freeware
OriginalFilename : HijackThis.exe
Comments : Version history is in Help section

#:33 [notepad.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1220
ThreadCreationTime : 21-11-2006 03:16:27
BasePriority : Normal
FileVersion : 5.00.2140.1
ProductVersion : 5.00.2140.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : NOTEPAD.EXE

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 7




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7

03:36:26 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:25.896
Objects scanned:89721
Objects identified:0
Objects ignored:0
New critical objects:0
USHER0001
QUOTE(seanieoreilly @ Nov 20 2006, 10:28 PM)
Platform: Windows 2000 SP4 (WinNT 5.00.2195)


Download to your Desktop, close all applications, browsers, etc., and run this small DOS application from Sophos Anti-virus:

http://www.sophos.com/support/cleaners/sdbotgui.com




Then, this item : O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"

Place with a large listing of rogue anti-virus and adware/malware removal software:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

From Spywarewarrior:
--------------------------
KillAndClean: false positives work as goad to purchase
inadequate/flawed scan/detection scheme;
same application as Safe & Clean & UnSpyPC

Go to Control Panel -> Add/Remove, find and remove the item KillAndClean, then reboot.
============================================
After it is done Open HijackThis and press 'SCAN' only.

Place a checkmark in all these boxes that remain and press 'FIX...'.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {5E3C7B90-B0D0-4928-BEB6-F058D387755D} - 321102.dll (file missing)
R3 - URLSearchHook: (no name) - {5425E756-770E-E59F-700F-CA0F3F013F2F} - ParisM.dll (file missing)


O4 - HKLM\..\Run: [new32] NsCplTray.exe
O4 - HKLM\..\Run: [MONITER] SysSupport.exe
O4 - HKLM\..\Run: [DCC_send] MSTCPDLL.exe
O4 - HKLM\..\Run: [iehelper] runload32.exe
O4 - HKCU\..\Run: [sysconf16] startman.exe
O4 - HKCU\..\Run: [keybdll] sysconf16.exe

O4 - HKCU\..\Run: [___] teqq32.exe
O4 - HKCU\..\Run: [WinInitDll] TForm1.exe
O4 - HKCU\..\Run: [progmen] xxtoolbar.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 85.255.116.173,85.255.112.72

O17 - HKLM\System\CCS\Services\Tcpip\..\{634EC378-2EF5-4646-9D9D-C8A24E0F7E81}: NameServer = 85.255.116.173,85.255.112.72

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72

O17 - HKLM\System\CS1\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 85.255.116.173,85.255.112.72

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72

O17 - HKLM\System\CS2\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 85.255.116.173,85.255.112.72

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72


TIP: Choose one good anti-virus program; conflicts can arise with more than one anti-virus on a system.
TIP: Uninstall your old Java and update with the newer version.

Please Scan Again With HijackThis And Post Another Logfile Here.
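The triage in the reply above (the O4 Run entries that start a bare file name with no path, the R3 URLSearchHook entries whose DLL is missing, and the O17 NameServer overrides pointing at resolvers the owner never configured) can be scripted so that the same classes of entry are picked out of any HijackThis log automatically. The script below is an added example written for this page; it is not code from the thread, from Lavasoft or from HijackThis. The trusted-resolver ranges and the allow-list of bare file names are assumptions made for the example, and the sample lines are copied from the logs in this thread plus one constructed benign O17 entry.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not code from the forum, from Lavasoft
or from HijackThis.  It flags the three classes of entry the reply above
asked to have fixed:
  * O17 NameServer overrides pointing at resolvers outside the ranges the
    owner trusts (the 85.255.x.x pair in the logs is the textbook case),
  * O4 Run entries that start a bare file name with no directory, and
  * R3 URLSearchHook entries whose DLL is missing.
The trusted-resolver ranges and the bare-file-name allow-list are
assumptions made for the example, not values taken from the thread.
"""

import ipaddress
import re

# Assumption: the only resolvers this machine should ever use are on the LAN
# or loopback.  A real triage would use the organisation's own resolver list.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Assumption: bare names that Windows 2000 itself starts from the Run keys
# (both appear in the logs above and were left alone by the helper).
KNOWN_GOOD_BARE = {"mobsync.exe", "internat.exe"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<dll>\S+) \(file missing\)$")


def split_servers(field):
    """HijackThis prints the NameServer list comma- or space-separated
    (both forms occur in the logs above); accept either."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def executable_of(cmd):
    """Return the executable token of a Run-key command, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split()[0]


def command_is_bare(cmd):
    """True when the command names its executable without any directory,
    i.e. it will be resolved through the search path at logon."""
    exe = executable_of(cmd)
    return "\\" not in exe and "/" not in exe


def triage(lines):
    """Return [(severity, line), ...] for entries worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in split_servers(m.group("servers")):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    addr = None  # not an IP at all: treat as untrusted
                if addr is None or not any(addr in net for net in TRUSTED_RESOLVER_NETS):
                    findings.append(("high", line))
                    break
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if command_is_bare(cmd) and executable_of(cmd).lower() not in KNOWN_GOOD_BARE:
                findings.append(("medium", line))
            continue
        if R3_RE.match(line):
            findings.append(("medium", line))
    return findings


# Constructed sample: lines copied from the logs in this thread plus one
# benign O17 entry (192.168.1.1) to show the trusted-range path.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [___] teqq32.exe
O4 - HKLM\..\Run: [iehelper] runload32.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\ivwcoawv.dll",setvm
R3 - URLSearchHook: (no name) - {5E3C7B90-B0D0-4928-BEB6-F058D387755D} - 321102.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{61D75925-2CF8-4C9D-BCBE-5E1EBD34A32A}: NameServer = 192.168.1.1
""".strip().splitlines()

if __name__ == "__main__":
    for severity, entry in triage(SAMPLE_LOG):
        print(f"[{severity}] {entry}")
```

Run on the sample, the script reports the four bare-name or missing-DLL entries at medium severity and the 85.255.x.x NameServer override at high, while the mobsync.exe entry, the fully qualified iTunesHelper path and the LAN resolver pass. A bare name in a Run key is only a signal, not proof: the allow-list is what keeps legitimate system entries quiet, so it has to be maintained per platform.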
seanieoreilly
Hi Usher,

Thanks for reply. Sorry about delay.
Below is my HJT logfile.
I could not uninstall my CA eTrust anti-virus because uninst.isu could not be found.
And don't know how to uninstall Java and update as you suggested.

Logfile of HijackThis v1.99.1
Scan saved at 20:28:23, on 22/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\msngr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TorrenTopia\TorrenTopia.exe
C:\Program Files\TorrenTopia\btdl\downloader.tt
C:\Program Files\TorrenTopia\btdl\downloader.tt
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\Rar$EX00.220\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\ivwcoawv.dll",setvm
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.ie/clients/uploader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINNT\msngr.exe
HJThis
Hello, seanieoreilly & welcome

First, HijackThis needs to be in its own folder.
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double-click on C:,
then right-click and select New, then Folder, and name it HJT. Then move HijackThis.exe to that folder.

NOTE: I will need you to right click on HijackThis.exe and rename it to, say, Cando.exe
once you move it as said above.

---------------

I am also having you download this tool, VundoFix, and again right click and rename it to, say, Fixvundo.exe,
and come back here with a new Cando logfile and Fixvundo log.


Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Gogo
seanieoreilly
Hi Gogo, thanks for your help.
Both logfiles are below.

Logfile of HijackThis v1.99.1
Scan saved at 23:33:08, on 23/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\msngr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\Cando.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} - C:\WINNT\system32\gebxvtt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E9B8B6-2F74-4914-A54C-64E291658AA2} - C:\WINNT\system32\qoppm.dll
O2 - BHO: (no name) - {71888F60-FF8B-4A1B-84AA-AC7947D05F52} - C:\WINNT\system32\opnno.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINNT\system32\spiifgcc.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\tyojvfic.dll",setvm
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.ie/clients/uploader.cab
O20 - Winlogon Notify: qoppm - C:\WINNT\system32\qoppm.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINNT\msngr.exe




VundoFix V6.3.9

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 23:16:07 23/02/2007

Listing files found while scanning....


VundoFix V6.3.9

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 23:17:20 23/02/2007

Listing files found while scanning....

C:\WINNT\system32\gebxvtt.dll
C:\WINNT\system32\hggedda.dll
C:\WINNT\system32\hgggeba.dll
C:\WINNT\system32\hgghhge.dll
C:\WINNT\system32\ivwcoawv.dll
C:\WINNT\system32\lyfxlikr.exe
C:\WINNT\system32\mljjkij.dll
C:\WINNT\system32\nnnooll.dll
C:\WINNT\system32\onnpo.bak1
C:\WINNT\system32\onnpo.bak2
C:\WINNT\system32\onnpo.ini
C:\WINNT\system32\opnno.dll
C:\WINNT\system32\pmnkjii.dll
C:\WINNT\system32\pmnnkkk.dll
C:\WINNT\system32\psqpffkj.dll
C:\WINNT\system32\qomkhhi.dll
C:\WINNT\system32\rqrsqqn.dll
C:\WINNT\system32\spiifgcc.dll
C:\WINNT\system32\ssqopmj.dll
C:\WINNT\system32\ssqpmjh.dll
C:\WINNT\system32\tuvssss.dll
C:\WINNT\system32\tuvtrrp.dll
C:\WINNT\system32\vflkarny.exe
C:\WINNT\system32\vtusqrr.dll
C:\WINNT\system32\vwaocwvi.ini
C:\WINNT\system32\wvussro.dll
C:\WINNT\system32\yaywvvs.dll
C:\WINNT\system32\yayyxwx.dll
C:\WINNT\system32\yssyrhiw.dll
C:\WINNT\system32\byxvurq.dll
C:\WINNT\system32\byxywwv.dll
C:\WINNT\system32\cbxvwwx.dll
C:\WINNT\system32\cbxxyab.dll
C:\WINNT\system32\fccaxya.dll
C:\WINNT\system32\gebxvtt.dll
C:\WINNT\system32\hggedda.dll
C:\WINNT\system32\hgggeba.dll
C:\WINNT\system32\hgghhge.dll
C:\WINNT\system32\ivwcoawv.dll
C:\WINNT\system32\lyfxlikr.exe
C:\WINNT\system32\mkrqkovr.dll
C:\WINNT\system32\mljjkij.dll
C:\WINNT\system32\nnnooll.dll
C:\WINNT\system32\onnpo.bak1
C:\WINNT\system32\onnpo.bak2
C:\WINNT\system32\onnpo.ini
C:\WINNT\system32\opnno.dll
C:\WINNT\system32\pmnkjii.dll
C:\WINNT\system32\pmnnkkk.dll
C:\WINNT\system32\psqpffkj.dll
C:\WINNT\system32\qomkhhi.dll
C:\WINNT\system32\rqrsqqn.dll
C:\WINNT\system32\spiifgcc.dll
C:\WINNT\system32\ssqopmj.dll
C:\WINNT\system32\ssqpmjh.dll
C:\WINNT\system32\tuvssss.dll
C:\WINNT\system32\tuvtrrp.dll
C:\WINNT\system32\vflkarny.exe
C:\WINNT\system32\vtusqrr.dll
C:\WINNT\system32\vwaocwvi.ini
C:\WINNT\system32\wvussro.dll
C:\WINNT\system32\yaywvvs.dll
C:\WINNT\system32\yayyxwx.dll
C:\WINNT\system32\yssyrhiw.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\byxvurq.dll
C:\WINNT\system32\byxvurq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\byxywwv.dll
C:\WINNT\system32\byxywwv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\cbxvwwx.dll
C:\WINNT\system32\cbxvwwx.dll Has been deleted!

Attempting to delete C:\WINNT\system32\cbxxyab.dll
C:\WINNT\system32\cbxxyab.dll Has been deleted!

Attempting to delete C:\WINNT\system32\fccaxya.dll
C:\WINNT\system32\fccaxya.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gebxvtt.dll
C:\WINNT\system32\gebxvtt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\hggedda.dll
C:\WINNT\system32\hggedda.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hgggeba.dll
C:\WINNT\system32\hgggeba.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hgghhge.dll
C:\WINNT\system32\hgghhge.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ivwcoawv.dll
C:\WINNT\system32\ivwcoawv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\lyfxlikr.exe
C:\WINNT\system32\lyfxlikr.exe Has been deleted!

Attempting to delete C:\WINNT\system32\mkrqkovr.dll
C:\WINNT\system32\mkrqkovr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mljjkij.dll
C:\WINNT\system32\mljjkij.dll Has been deleted!

Attempting to delete C:\WINNT\system32\nnnooll.dll
C:\WINNT\system32\nnnooll.dll Has been deleted!

Attempting to delete C:\WINNT\system32\onnpo.bak1
C:\WINNT\system32\onnpo.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\onnpo.bak2
C:\WINNT\system32\onnpo.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\onnpo.ini
C:\WINNT\system32\onnpo.ini Has been deleted!

Attempting to delete C:\WINNT\system32\opnno.dll
C:\WINNT\system32\opnno.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmnkjii.dll
C:\WINNT\system32\pmnkjii.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmnnkkk.dll
C:\WINNT\system32\pmnnkkk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\psqpffkj.dll
C:\WINNT\system32\psqpffkj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qomkhhi.dll
C:\WINNT\system32\qomkhhi.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rqrsqqn.dll
C:\WINNT\system32\rqrsqqn.dll Has been deleted!

Attempting to delete C:\WINNT\system32\spiifgcc.dll
C:\WINNT\system32\spiifgcc.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ssqopmj.dll
C:\WINNT\system32\ssqopmj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ssqpmjh.dll
C:\WINNT\system32\ssqpmjh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\tuvssss.dll
C:\WINNT\system32\tuvssss.dll Has been deleted!

Attempting to delete C:\WINNT\system32\tuvtrrp.dll
C:\WINNT\system32\tuvtrrp.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vflkarny.exe
C:\WINNT\system32\vflkarny.exe Has been deleted!

Attempting to delete C:\WINNT\system32\vtusqrr.dll
C:\WINNT\system32\vtusqrr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vwaocwvi.ini
C:\WINNT\system32\vwaocwvi.ini Has been deleted!

Attempting to delete C:\WINNT\system32\wvussro.dll
C:\WINNT\system32\wvussro.dll Has been deleted!

Attempting to delete C:\WINNT\system32\yaywvvs.dll
C:\WINNT\system32\yaywvvs.dll Has been deleted!

Attempting to delete C:\WINNT\system32\yayyxwx.dll
C:\WINNT\system32\yayyxwx.dll Has been deleted!

Attempting to delete C:\WINNT\system32\yssyrhiw.dll
C:\WINNT\system32\yssyrhiw.dll Has been deleted!

Performing Repairs to the registry.
Done!


Thanks again!!!
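A small triage script for HijackThis lines of the kind in the log above, added here as an example (it is not HijackThis, VundoFix or the forum helpers' own code): it flags O2/O4/O20/O23 entries whose target is a random-named module in the Windows directory and reports which of those the VundoFix run above did not list, so a responder can see what is still left over. The sample lines are copied from the posted logs; the KNOWN_NOTIFY allowlist is a partial, assumed list of stock Winlogon Notify packages, and the name heuristics are assumptions that a real triage would back with hashes and vendor lookups.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section path reasons")
# Partial, assumed allowlist of Winlogon Notify packages shipped with Windows 2000/XP.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b)", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")  # gebxvtt, qoppm, tyojvfic ...

# Constructed sample: lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} - C:\WINNT\system32\gebxvtt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E9B8B6-2F74-4914-A54C-64E291658AA2} - C:\WINNT\system32\qoppm.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\tyojvfic.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: qoppm - C:\WINNT\system32\qoppm.dll
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINNT\msngr.exe
"""
# Constructed sample: a fragment of the VundoFix file listing posted above.
VUNDOFIX_SAMPLE = r"""
C:\WINNT\system32\gebxvtt.dll
C:\WINNT\system32\opnno.dll
C:\WINNT\system32\spiifgcc.dll
"""

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage_line(line):
    """Return a Finding when the HijackThis line looks like Vundo-style persistence."""
    section = line.split(" - ", 1)[0].strip()
    m = PATH_RE.search(line)
    if not m:
        return None
    path, lline = m.group(1), line.lower()
    stem = basename(path).rsplit(".", 1)[0]
    in_windir = path.lower().startswith(("c:\\winnt\\", "c:\\windows\\"))
    random_name = bool(RANDOM_NAME_RE.match(stem))
    reasons = []
    if section == "O2" and "(no name)" in lline and in_windir and random_name:
        reasons.append("unnamed BHO loaded from a random-named DLL in the Windows dir")
    if section == "O20" and random_name and stem not in KNOWN_NOTIFY:
        reasons.append("Winlogon Notify package that is not a known Windows package")
    if section == "O4" and "rundll32" in lline and in_windir and random_name:
        reasons.append("Run entry uses rundll32 to load a random-named DLL")
    if section == "O23" and "unknown owner" in lline and in_windir:
        reasons.append("service with unknown owner running from the Windows dir")
    return Finding(section, path, reasons) if reasons else None

def triage_log(text):
    return [f for f in map(triage_line, text.splitlines()) if f]

def not_handled(findings, vundofix_text):
    """Flagged modules absent from the VundoFix listing: they still need attention."""
    listed = {basename(l.strip()) for l in vundofix_text.splitlines()
              if l.strip().lower().startswith("c:\\")}
    return sorted({basename(f.path) for f in findings} - listed)
```

On the sample, the script flags gebxvtt.dll, qoppm.dll, tyojvfic.dll and msngr.exe, and reports that only gebxvtt.dll appeared in the VundoFix listing; the other three are the leftovers a second pass would have to deal with.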
Ai_Tak
You are infected with the fake codec trojan (aka zlob, aka trojan.flush, aka wareout, aka kedr).

Here is a tool that can deal with the fake codec trojan most of the time:
http://downloads.subratam.org/Fixwareout.exe
Post the log from it.
seanieoreilly
Log file below.
Each time I reboot since running fixwareout.exe I get the following message:
Buffer overrun detected!
C:\Programs\WINNT\Explorer.exe
Program cannot continue and must be terminated.



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 00:06 on 28 November 2006

Checking services

Checking for W32/Sdbot in memory

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 00:26 on 28 November 2006

Checking services

Checking for W32/Sdbot in memory

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 15:59 on 30 December 2006

Checking services

Checking for W32/Sdbot in memory

Could not open process. Process ID: 1076

Could not open process. Process ID: 1400

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 18:18 on 10 January 2007

Checking services

Checking for W32/Sdbot in memory

Could not open process. Process ID: 1076

Could not open process. Process ID: 1344

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 18:19 on 10 January 2007

Checking services

Checking for W32/Sdbot in memory

Could not open process. Process ID: 1076

Could not open process. Process ID: 1344

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 17:55 on 22 February 2007

Checking services

Checking for W32/Sdbot in memory

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys

Error opening file C:\WINNT\system32\taskmgr.exe


Scanning C:\WINNT\system32\drivers\etc


System scan finished at 18:01 on 22 February 2007

Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0


RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 23:35 on 24 February 2007

Checking services

Checking for W32/Sdbot in memory

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys


Scanning C:\WINNT\system32\drivers\etc


System scan finished at 23:41 on 24 February 2007

Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0


RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Sdbot

Data Version 1.19

System scan started at 23:54 on 24 February 2007

Checking services

Checking for W32/Sdbot in memory

Checking for registry keys affected by W32/Sdbot


Checking for files affected by W32/Sdbot

Scanning C:

Error opening file C:\pagefile.sys

Error opening file C:\WINNT\system32\drivers\sptd.sys


Scanning C:\WINNT\system32\drivers\etc


System scan finished at 23:54 on 24 February 2007

Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0

Thanks.
Ai_Tak
That's odd, can you post the fixwareout log?
seanieoreilly
QUOTE(Ai_Tak @ Mar 2 2007, 04:43 AM)
That's odd, can you post the fixwareout log?


Sorry here you go...


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csxtt.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
C:\WINNT\System32\dmpar.exe Deleted
C:\WINNT\System32\csxtt.exe Deleted
....
»»»»» Misc files.
C:\WINNT\System32\filesafer23.exe Deleted
C:\WINNT\system32\{0A85CDB0-968C-4F8D-8EF6-5C96BEAFA905}.exe Deleted
C:\WINNT\system32\{1EEF9E8B-B511-488B-B950-3C0BFC00FCC1}.exe Deleted
C:\WINNT\system32\{870BB3BB-D466-4423-8A3D-ECA631B32D65}.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"DllRunning"="rundll32.exe \"C:\\WINNT\\system32\\musrlmhe.dll\",setvm"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Invision Power Board © 2001-2010 Invision Power Services, Inc.