April 13th, 2007 06:00

Amaena.com trojan problem...

Hey all... If anyone could help with a problem I have I would really appreciate it. A little thought bubble keeps popping up on windows in the running programs icons on the bottom right saying "Windows has detected a spyware infection click here..." blah blah... and sends me to amaena.com... also a bubble in the middle of the screen pops up, less often than the first saying... "System has detected a potential hazard (TrojanSPM/LX)..." this is my HijackThis report...

Logfile of HijackThis v1.99.1
Scan saved at 3:03:56 AM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\WinMsg\SCLICK.EXE
C:\Program Files\WinMsg\SYSMONMS.EXE
C:\Program Files\WinMsg\UINST.EXE
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Sector20\My Documents\My Music\Windows-KB890830-V1.28(2).exe
c:\a5b90663d2a017e16a761abcca14\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Documents and Settings\Sector20\My Documents\My Music\FixBmalE.exe
C:\DOCUME~1\Sector20\LOCALS~1\Temp\Rar$EX01.234\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/MTE3MTA=/2/3948/free1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - C:\PROGRA~1\WinMsg\notepad.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

I have W32.Blackmal.E Remover and also Windows Malicious Software Remover running, but if anyone has any advice I would greatly appreciate it... thanks for your time.

April 13th, 2007 13:00

ratm1488, your log is unreadable, and HijackThis is running from a temporary folder. Please follow the instructions in the two announcements at the top of the forum for posting a HijackThis log. Repost your log, and someone will help you as soon as possible. Thanks! :)

April 13th, 2007 16:00

My apologies for the last one... so let's try this again.

A little thought bubble keeps popping up on windows in the running programs icons on the bottom right saying "Windows has detected a spyware infection click here..." blah blah... and sends me to amaena.com... also a bubble in the middle of the screen pops up, less often than the first saying... "System has detected a potential hazard (TrojanSPM/LX)..." this is my HijackThis report...

Logfile of HijackThis v1.99.1
Scan saved at 1:51:34 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\WinMsg\SYSMONMS.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sector20\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/MTE3MTA=/2/3948/free1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - C:\PROGRA~1\WinMsg\notepad.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



I hope this is better, and thanks again!

April 13th, 2007 23:00

Yes, that is much better. Please print these instructions so you can follow them easily. You will be working in Safe Mode for part of this and you will not have the internet available.

Please download the latest version of VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\vundofix.txt.) Do not run it yet. We will do that later.

Download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program.

  1. Once you have downloaded AVG AS, locate the icon on the desktop and double-click it to launch the set up program.
  2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right click on AVG AS in the system tray and uncheck "Start with Windows".
  3. Go to Start > Run and type: services.msc
  4. Press "OK".
  5. In Services, click the "Extended" tab and scroll down the list to find AVG Anti-Spyware guard.
  6. When you find the guard service, double-click on it.
  7. In the Properties Window > General Tab that opens, click the "Stop" button.
  8. From the drop-down menu next to "Startup Type", click on "Manual".
  9. Now click "Apply", then "OK" and close the Services window.
  10. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  11. On the main screen select the icon "Update". Then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports":
      • Select "Automatically generate report after every scan"
      • Un-select "Only if threats were found"
    • Close AVG Anti-Spyware. Do not run a scan just yet.

Now do the following:

  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  2. IMPORTANT: Do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process.
  3. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  4. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  5. AVG AS will now begin the scanning process; be patient, this may take a little time.
  6. Once the scan is complete do the following:
  7. If you have any infections you will be prompted, then select "Apply all actions".
  8. Next select the "Reports" icon at the top.
  9. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  10. Close AVG AS.
  11. Still in Safe Mode, go to Add/Remove Programs and uninstall WinMsg if listed. Whether it is listed or not, please continue with the rest of these instructions.

     Delete the specified folder: C:\Program Files\WinMsg --FOLDER

     Still in Safe Mode, launch HijackThis and place a check mark next to these items if they still exist:
     (I apologize for the odd spacing. The Dell forum software is not working correctly.)

     O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - C:\PROGRA~1\WinMsg\notepad.dll
     O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE

     If you or Spybot did not set these restrictions, you can fix these as well:
     O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
     O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
     O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

     Close all windows except HijackThis and click "Fix Checked".

     REBOOT your system into Normal mode.
     • Double-click VundoFix.exe to run it.
     • Click the Scan for Vundo button.
     • Once it's done scanning, click the Remove Vundo button.
     • You will receive a prompt asking if you want to remove the files; click YES.
     • Once you click yes, your desktop will go blank as it starts removing Vundo.
     • When completed, it will prompt that it will shut down your computer; click OK.
     • Turn your computer back on.

     Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. ** If you get a warning in your VundoFix log about updating Java, do not do so until I can give you further instructions.

     Please go to your HijackThis here:
     C:\Documents and Settings\Sector20\My Documents\hijackthis\HijackThis.exe and rename it analyzer.exe
  12. Please post your report from AVG Anti-Spyware, the contents of C:\vundofix.txt, and a new analyzer (HijackThis) log.

  13. Thanks :)
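The triage the helper does by eye in the post above (the WinMsg folder shows up as a BHO, a Run key and a set of running processes; a DLL named notepad.dll sits outside the Windows directory; the start page, the proxy setting, the IE policy restrictions and a service whose file is missing all deserve a second look) can be scripted against a saved HijackThis log. The following is an added example written for this page, not code from the thread or from HijackThis. The trusted start-page hosts and the known-good vendor folders are assumed allowlists that would be tuned per machine, and the sample log is a constructed subset of the lines posted above. Findings are triage candidates for a human, not verdicts: a proxy entry, for instance, is flagged so the user can confirm it is one they set.

```python
"""Heuristic triage of a HijackThis v1.99 log (added example, not HijackThis code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the lines posted in the thread, in the format
# HijackThis v1.99.1 writes them. Not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:51:34 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinMsg\SYSMONMS.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/MTE3MTA=/2/3948/free1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - C:\PROGRA~1\WinMsg\notepad.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

# Assumed allowlists (not part of HijackThis); tune these for the machine at hand.
TRUSTED_START_HOSTS = {"about:blank", "www.microsoft.com", "www.dell.com", "www.google.com"}
KNOWN_GOOD_ROOTS = {r"c:\windows", r"c:\windows\system32",
                    r"c:\program files\adobe", r"c:\program files\network associates"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Core Windows binary names that malware borrows for files living elsewhere.
SYSTEM_BINARY_STEMS = {"notepad", "svchost", "explorer", "lsass", "csrss",
                       "winlogon", "services", "smss", "userinit"}
SHORT_NAMES = {"progra~1": "program files", "docume~1": "documents and settings"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str            # "O2", "O4", ... or "PROC" for a running process
    body: str
    path: Optional[str]  # first drive-letter path found in the line, if any


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def normalize(path: str) -> str:
    """Lower-case and expand the 8.3 short names HijackThis shows for some paths."""
    return "\\".join(SHORT_NAMES.get(p, p) for p in path.lower().split("\\"))


def folder_of(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[0]


def vendor_root(path: str) -> str:
    """Group Program Files entries by vendor folder, everything else by directory."""
    parts = normalize(path).split("\\")
    if len(parts) > 3 and parts[1] == "program files":
        return "\\".join(parts[:3])
    return "\\".join(parts[:-1])


def parse_log(text: str) -> list[Entry]:
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:                      # the process list ends at the first blank line
            if not line:
                in_procs = False
                continue
            entries.append(Entry("PROC", line, line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            p = PATH_RE.search(m["body"])
            entries.append(Entry(m["code"], m["body"], p.group(0) if p else None))
    return entries


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    mechanisms: dict[str, set[str]] = defaultdict(set)  # vendor root -> codes that reference it
    for e in parse_log(text):
        if "(file missing)" in e.body:
            findings.append(Finding("missing-target", e.code, e.body))
        if e.code == "O6":
            findings.append(Finding("ie-policy-restriction", e.code, e.body))
        if e.code == "R1" and "ProxyServer" in e.body:
            findings.append(Finding("proxy-configured", e.code, e.body))
        if e.code == "R0" and "Start Page" in e.body:
            url = e.body.split("=", 1)[1].strip()
            host = urlparse(url).hostname or url
            if host not in TRUSTED_START_HOSTS:
                findings.append(Finding("start-page-hijack", e.code, url))
        if e.path:
            stem = normalize(e.path).rsplit("\\", 1)[1].rsplit(".", 1)[0]
            if stem in SYSTEM_BINARY_STEMS and folder_of(e.path) not in SYSTEM_DIRS:
                findings.append(Finding("system-name-mimic", e.code, e.path))
            mechanisms[vendor_root(e.path)].add(e.code)
    # One folder reached through several hooks at once (BHO + Run key + live
    # process) is the pattern the WinMsg entries in the thread show.
    for root, codes in sorted(mechanisms.items()):
        if len(codes) >= 2 and root not in KNOWN_GOOD_ROOTS:
            findings.append(Finding("multi-hook-folder", root, ",".join(sorted(codes))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

To run it over a real log, read the saved file and pass its text to `triage()`. The multi-hook rule is the most useful one here because it needs no signature: it only asks which folders appear in more than one persistence mechanism, which is how an unknown name like WinMsg stands out next to vendors the user recognizes.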

      April 14th, 2007 20:00

      Thanks for all the help... no signs of the symptoms so far... here are my log files



      Logfile of HijackThis v1.99.1
      Scan saved at 5:28:43 PM, on 4/14/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
      C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
      C:\Program Files\Network Associates\VirusScan\mcshield.exe
      C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
      C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\WINDOWS\system32\wdfmgr.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
      C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
      C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
      C:\Documents and Settings\Sector20\My Documents\hijackthis\analyzer.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/MTE3MTA=/2/3948/free1/
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
      O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
      O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
      O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
      O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
      O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
      O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe





      VundoFix V6.3.19

      Checking Java version...

      Java version is 1.5.0.8
      Old versions of java are exploitable and should be removed.

      Scan started at 8:48:43 PM 4/13/2007

      Listing files found while scanning....

      No infected files were found.


      VundoFix V6.3.19

      Checking Java version...

      Java version is 1.5.0.8
      Old versions of java are exploitable and should be removed.

      Scan started at 4:25:09 PM 4/14/2007

      Listing files found while scanning....

      No infected files were found.


      Beginning removal...






      ---------------------------------------------------------
      AVG Anti-Spyware - Scan Report
      ---------------------------------------------------------

      + Created at: 3:54:53 PM 4/14/2007

      + Scan result:



      C:\System Volume Information\_restore{61DB4CFA-3614-457F-876F-0898077A1BEE}\RP420\A0084353.dll -> Adware.ErrorSafe : Cleaned.
      C:\Documents and Settings\Sector20\My Documents\My Music\vcodec2007.exe -> Dropper.Delf.ndv : Cleaned.
      :mozilla.34:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.35:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.36:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.37:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.38:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.16:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
      :mozilla.98:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Com : Cleaned.
      :mozilla.18:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
      :mozilla.113:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
      :mozilla.70:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
      :mozilla.71:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
      :mozilla.72:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
      :mozilla.13:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
      :mozilla.14:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
      :mozilla.92:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.93:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.94:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.95:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.96:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.62:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
      :mozilla.63:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
      :mozilla.64:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
      :mozilla.41:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
      :mozilla.102:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
      :mozilla.103:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
      :mozilla.104:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
      :mozilla.105:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
      :mozilla.77:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
      :mozilla.67:C:\Documents and Settings\Sector20\Application Data\Mozilla\Firefox\Profiles\fok7bm7e.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.


      ::Report end





      Thanks Again!

      Message Edited by ratm1488 on 04-14-2007 04:24 PM

      April 14th, 2007 22:00

      That's good news. You did a good job! We're almost finished. There is just a bit more to do.

      Run Disk Cleanup in each user's profile:
      Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
      Please make sure the following are checked:
      -- Downloaded Program Files
      -- Temporary Internet Files
      -- Recycle Bin
      -- Temporary Files
      Click "OK" and Disk Cleanup will delete those files for you.

      Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

      Updating Java:
      • Download the latest version of Java Runtime Environment (JRE) 6.
      • Scroll down to where it says "Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications".
      • Click the "Download" button to the right.
      • Check the box that says: "Accept License Agreement".
      • The page will refresh.
      • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
      • Close any programs you may have running - especially your web browser.
      • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
      • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      • Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.

      • Reboot your computer once all Java components are removed.
      • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

      Official JAVA Installation Instructions if needed.


      Following that, please post a fresh analyzer (HijackThis) log for final review.

      4 Posts

      April 15th, 2007 15:00

      done and done...


      Logfile of HijackThis v1.99.1
      Scan saved at 12:05:30 PM, on 4/15/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
      C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
      C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
      C:\Program Files\Network Associates\VirusScan\mcshield.exe
      C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
      C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\WINDOWS\system32\wdfmgr.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
      C:\Documents and Settings\Sector20\My Documents\hijackthis\analyzer.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/MTE3MTA=/2/3948/free1/
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
      O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
      O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
      O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
      O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
      O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
      O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
      O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      I thought everything was good... until I tried to log onto World of Warcraft, and it told me that I have "Trojan-Downloader.Win32 variant" although I have no symptoms like before... grr
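The two things the helper keeps checking in this thread are the HijackThis entries (start page, proxy, BHOs, services) and whether the Java components in the log are at the build that was just installed. The script below is an added example, not part of the original thread and not HijackThis code: it parses the `Rn`/`On` entry lines of a HijackThis v1.99.1 log and applies a handful of conventional triage heuristics. The heuristics, the benign start-page list, and the expected Java build (1.6.0_01, matching the jre-6u1 install above) are this example's own assumptions; a flag means "review this line", not "this is malware". The embedded sample log is constructed from a few lines of the log posted above, plus one made-up `O4` line pointing at an older JRE so the version check has something to catch.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not HijackThis itself).

Parses the 'Rn'/'On' entry lines and flags, as review candidates only:
  - an IE start page outside a small allowlist (assumption, edit to taste)
  - a proxy server set in Internet Settings (may be legitimate on a campus network)
  - IE policy restrictions (O6)
  - a service whose binary HijackThis reports as '(file missing)'
  - any Java component older than the expected JRE build
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the posted log; the O4 line with jre1.5.0_06
# is made up so the stale-Java check has something to flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:05:30 PM, on 4/15/2007
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/MTE3MTA=/2/3948/free1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
JAVA_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
# Assumed allowlist of start pages that need no second look.
BENIGN_START_HOSTS = {"about:blank", "www.msn.com", "www.microsoft.com", "www.google.com"}


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "R0", "O23"
    reason: str  # why the line deserves a look
    line: str    # the entry as it appeared in the log


def parse_entries(log_text):
    """Return (code, body) pairs for every HijackThis entry line; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def java_version(text):
    """Extract a JRE version tuple such as (1, 6, 0, 1) from a path, or None."""
    m = JAVA_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def start_page_host(body):
    """Pull the host out of 'HKCU\\...\\Main,Start Page = http://host/path'."""
    _, _, url = body.partition(" = ")
    url = url.strip()
    if url.startswith("about:"):
        return url
    m = re.match(r"https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url


def triage(log_text, expected_java=(1, 6, 0, 1)):
    """Apply the review heuristics to a log and return the Findings in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        line = f"{code} - {body}"
        if code == "R0" and "Start Page" in body:
            host = start_page_host(body)
            if host not in BENIGN_START_HOSTS:
                findings.append(Finding(code, f"non-default start page: {host}", line))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(Finding(code, "proxy server configured; confirm it is expected on this network", line))
        elif code == "O6":
            findings.append(Finding(code, "IE policy restrictions present", line))
        elif code == "O23" and "(file missing)" in body:
            findings.append(Finding(code, "service points at a missing binary", line))
        ver = java_version(body)
        if ver is not None and ver < expected_java:
            findings.append(Finding(code, f"Java component older than expected {expected_java}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the sample it reports five lines: the gomyron.com start page, the 10.0.0.1:5555 proxy, the constructed jre1.5.0_06 entry, the O6 restrictions key and the McAfeeFramework service with its missing binary; the jre1.6.0_01 BHO is left alone because it matches the expected build. The proxy heuristic deliberately does not decide for you: on a network running Clean Access, as this one appears to be, a proxy may be exactly what the administrator configured, so the script only asks you to confirm it.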

      4 Apprentice

      20.5K Posts

      April 15th, 2007 16:00

"it told me that I have 'Trojan-Downloader.Win32 variant'" WHAT told you that you have the Trojan-Downloader.Win32 variant? WoW has had some real malware issues lately. At least you have a more secure version of Java now.
      Let's run AVG Anti-Spyware in safemode, and please post the AVG AS log along with another HJT log.