
August 18th, 2006 03:00

HJT Log - PLEASE help interpret - Computer runs poorly

Computer has been running poorly, as I have been battling an ongoing trojan/worm/spyware problem for about a week now. I really don't see a whole lot of pop-ups anymore, but my computer runs really badly. Simple tasks (folder exploring, MS Word, etc.) or using the internet often crash explorer or cause my desktop icons and taskbar to temporarily disappear (I'm guessing explorer is restarting on its own??). Please help if you can, my HJT log is below. I have already tried using Smitfraud and VundoFix, as well as up-to-date Norton scans, Ewido, Spybot S&D, Prevx1, and even Microsoft Defender. Please HELP me get rid of this thing once and for all!!

Thanks,

Mike

 

Logfile of HijackThis v1.99.1
Scan saved at 12:27:23 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R3 - URLSearchHook: (no name) - {5589EBD6-236C-7497-15FF-2C2753FAE295} - C:\WINDOWS\system32\ngq.dll (file missing)
R3 - URLSearchHook: (no name) - {917EAA7B-34C1-6F68-BEC5-3FB6AA95249F} - C:\WINDOWS\system32\ozgo.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\alg.exe" -vt yazb
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .aam: C:\Program Files\Internet Explorer\PLUGINS\np32asw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.games.yahoo.com/games/clients/y/ft3_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://docs.us.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/plugin/axversion/1000/printQuick.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/idenupdate/iUpdateAutoLaunch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://cs3.hhlaw.com/vdesk/terminal/urTermProxy.cab#version=5400,0,50131,1
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://cs3.hhlaw.com/vdesk/terminal/urxhost.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/36/install/gtdownde.cab
O20 - AppInit_DLLs:  C:\WINDOWS\system32\taskmgr.dll C:\WINDOWS\system32\mshta.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 


August 20th, 2006 10:00

Hi Mike,

I'm Bod and here to help you with your Hijack This log.

Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

I've had a look through your log and I now have some instructions for you to follow.

Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.

You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.

Please follow and carry out all the steps in the instructions in the order I've listed them.

Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.

Step 1
Click Start > Control Panel > Add/Remove Programs.
Allow the list to populate, then click on "Remove" for all of the following programs that appear in the list (not all may be there).
PuritySCAN By OIN
OIN
OuterInfo
or anything similar

Do not reboot until you have attempted to remove all of these entries that you find.

Step 2
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R3 - URLSearchHook: (no name) - {5589EBD6-236C-7497-15FF-2C2753FAE295} - C:\WINDOWS\system32\ngq.dll (file missing)
R3 - URLSearchHook: (no name) - {917EAA7B-34C1-6F68-BEC5-3FB6AA95249F} - C:\WINDOWS\system32\ozgo.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\alg.exe" -vt yazb
O20 - AppInit_DLLs: C:\WINDOWS\system32\taskmgr.dll C:\WINDOWS\system32\mshta.dll

Click on "Fix checked".

Step 3
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the "Display the contents of system folders" and "Show hidden files and folders" check boxes. Uncheck the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Click "OK".
Navigate to the following folder and files and delete each of them. Some may not be present.
Folder (delete with all contents)
C:\Program Files\PurityScan

Files
C:\WINDOWS\system32\ngq.dll
C:\WINDOWS\system32\ozgo.dll
C:\WINDOWS\system32\taskmgr.dll
C:\WINDOWS\system32\mshta.dll


You also need to search for a file.
Click Start > Search > All Files and Folders > More advanced options
Make sure that there is a tick in the check box for "Search System Folders", "Search hidden files and folders", and "Search subfolders".
One at a time, enter each of the following file names in "All or part of file name" and click on "Search".
alg.exe

Be very careful here, there is a legitimate Windows file in the C:\windows\system32 folder. Do not delete this copy, the copy you need to delete will be in a folder starting with C:\WINDOWS\STEM32
If the file is found, delete it.
Reboot as normal.

Step 4
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.

Thanks,

Bod
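The entries Bod singles out share a few machine-checkable traits: URLSearchHooks whose DLLs no longer exist, a Run value launching a copy of alg.exe (a genuine Windows binary name) from a folder that is not System32, an AppInit_DLLs value (anything listed there is loaded into every process that links user32.dll) whose DLLs borrow the names of Windows executables, and a service line HijackThis could not resolve. Note also that STEM32~1 is an MS-DOS 8.3 short name: system32 already fits 8.3 and never gets a tilde, so the real folder name is something else that merely abbreviates to STEM32~1, which is why the file will not be found by looking in System32 itself. The script below is an added example, not part of the thread and not HijackThis code: it encodes those checks as rules, runs them over excerpts copied from the first log above, and diffs that log against the second one posted later. The rule wording, the list of system executable names, the set of "executable names seen as DLLs" and the function names are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) v1.99 log for the patterns discussed in the thread.

Added example. The two log excerpts are copied from the posts above; the rules,
thresholds, name lists and function names are this example's assumptions, not
HijackThis logic.
"""
import re
from typing import Dict, List

# Excerpt of the first HJT log (18 Aug). Two benign O4 lines are kept so the
# rules have something to leave alone.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R3 - URLSearchHook: (no name) - {5589EBD6-236C-7497-15FF-2C2753FAE295} - C:\WINDOWS\system32\ngq.dll (file missing)
R3 - URLSearchHook: (no name) - {917EAA7B-34C1-6F68-BEC5-3FB6AA95249F} - C:\WINDOWS\system32\ozgo.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\alg.exe" -vt yazb
O20 - AppInit_DLLs:  C:\WINDOWS\system32\taskmgr.dll C:\WINDOWS\system32\mshta.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# Excerpt of the second log (6 Sep), posted after the "Fix checked" step.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# Assumption: Windows binary names malware likes to borrow. A Run entry that
# launches one of these from anywhere but \WINDOWS\system32 is suspect.
SYSTEM_EXES = {"alg.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("SYSTEM32", "WINDOWS")    # used by the 8.3 short-name check
EXE_NAMES_AS_DLL = {"taskmgr", "mshta"}  # real .exe names that appear here with a .dll suffix

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Quoted path (may contain spaces) or a bare path up to the next whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|(?<!")([A-Za-z]:\\\S+)')


def entries(log: str) -> List[str]:
    """Non-blank HJT entry lines of a log, whitespace-trimmed."""
    return [l.strip() for l in log.splitlines() if ENTRY_RE.match(l.strip())]


def paths_in(body: str) -> List[str]:
    return [quoted or bare for quoted, bare in PATH_RE.findall(body)]


def mimics_system_dir(path: str) -> bool:
    """True if a directory component is an 8.3 short name whose stem is a truncated
    SYSTEM32/WINDOWS. The genuine system32 folder fits 8.3 and never carries a tilde."""
    for comp in path.split("\\")[1:-1]:
        m = re.fullmatch(r"([A-Z0-9]{1,6})~\d+", comp.upper())
        if m and any(m.group(1) in d and m.group(1) != d for d in SYSTEM_DIRS):
            return True
    return False


def triage_line(line: str) -> List[str]:
    """Reasons this HJT line deserves a look; an empty list means nothing noted."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    section, body = m.groups()
    reasons: List[str] = []
    missing = "(file missing)" in body
    if section == "R1" and body.endswith("= about:blank"):
        reasons.append("search URL blanked (typical leftover of a browser hijacker)")
    if section == "R3" and missing:
        reasons.append("URLSearchHook registered for a DLL that no longer exists")
    if section == "O4":
        for p in paths_in(body):
            base = p.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_EXES and not p.lower().startswith(r"c:\windows\system32"):
                reasons.append(f"{base} launched from outside System32 ({p})")
            if mimics_system_dir(p):
                reasons.append(f"8.3 short name mimicking a system folder in {p}")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set: these DLLs load into every process that links user32.dll")
        for p in paths_in(body):
            name = p.rsplit("\\", 1)[-1].lower()
            if name.endswith(".dll") and name[:-4] in EXE_NAMES_AS_DLL:
                reasons.append(f"{name} borrows the name of a Windows executable")
    if section == "O23" and (missing or body.count('"') % 2 == 1):
        reasons.append("service ImagePath is malformed or unresolvable; verify the binary by hand")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    flagged: Dict[str, List[str]] = {}
    for line in entries(log):
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


def removed_between(before: str, after: str) -> List[str]:
    """Entries present in the first log and gone from the second."""
    still_there = set(entries(after))
    return [l for l in entries(before) if l not in still_there]


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    print("\nRemoved by the fix:", *removed_between(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

Run as-is it lists six flagged entries with their reasons and the five entries that disappeared between the two logs. The Prevx service line is present in both and is reported only as something to verify by hand: PXAgent.exe appears in the running-process list of both logs, so the "(file missing)" is most likely HijackThis tripping over the stray quote in the ImagePath rather than a missing binary.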


August 29th, 2006 18:00

Hi,

It's now been at least 7 days since your last post. I am presuming now that your problem has been solved and this topic is now inactive.

I will keep tabs on this post for another 7 days from this date, after which if you need help you should start a new topic.

If you should wish to reply before the 7 days have passed then please simply post a fresh HJT log before proceeding further.

Thanks,

Bod


September 6th, 2006 04:00

Bod - Thanks for all of your help thus far and sorry for taking so long to get back to you when you lend a helping hand.  I have been traveling the past weeks and I was unable to follow your instructions sooner.

I followed steps 1 and 2 of your instructions, but am unable to successfully get into safe mode. My computer does one of two things when I try to get into safe mode - it either allows me to get in for about a minute or two and then goes to a black screen where all I can do is move the mouse (no icons, start button or taskbar), or it goes directly to this black screen. Not sure what that means, but it still sounds like there's a problem with explorer loading or running. I am able to get into Safe Mode with command prompt, where I tried to manually delete the files you specified but none of them were found in the Windows/System32 folder.

Also, even after removing the strings you told me to take out of HiJackThis in step 2, I still have all the same problems and I am getting a lot of pop-ups (even though the pop-up sites are on my restricted sites list in internet explorer).  If you have any further advice please help, and here is an updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:19:37 AM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .aam: C:\Program Files\Internet Explorer\PLUGINS\np32asw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.games.yahoo.com/games/clients/y/ft3_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://docs.us.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/plugin/axversion/1000/printQuick.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/idenupdate/iUpdateAutoLaunch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://cs3.hhlaw.com/vdesk/terminal/urTermProxy.cab#version=5400,0,50131,1
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://cs3.hhlaw.com/vdesk/terminal/urxhost.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/36/install/gtdownde.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again for all of your help...


September 6th, 2006 20:00

Hi Mike,

It's OK about the delay, hope you had a good trip!

Thanks for the new Hijack This log. The log is clean and doesn't show any signs of infection, so we'll try an on-line AV scan next.

Step 1
Do an online scan with Kaspersky WebScanner at http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
The program will launch and then begin downloading the latest definition files.

Once the files have been downloaded click on "NEXT"
Now click on "Scan Settings"
In the scan settings, make sure that the following are selected:
"Scan using the following Anti-Virus database:"
Extended (if available otherwise Standard)

"Scan Options:"
Scan Archives
Scan Mail Bases

Click "OK"

Now under "select a target to scan:" select "My Computer"

The program will start and scan your system. The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected. Click on "Save as Text" and save the file to your desktop.

Post the KAV scan log in your next reply.

Step 2
I've noted that you've carried out an Ewido scan before you posted here, but I'd like to see a log from an Ewido scan just to see if there's anything still detected. I presume it's Ewido 4.0 that you have, if not, update to this version.

Run Ewido and allow it to automatically update, a toolbar message balloon will confirm that update is complete. If this doesn't happen, click Update > Start Update.

Click Scanner > Complete System Scan.

At the end of the scan, a list of found objects will be generated. Check through the list for false positives, and change the "Action" entry if necessary.

Click "Apply all actions"

When the actions have been completed, click Save Report > Save report as, and save report as a text file on your desktop. I will need a copy of the report contents as part of your next post.

Reboot as normal.

Step 3
Run Hijack This, click Config.. > Misc Tools > Open Uninstall Manager > Save list.. and save the file to your desktop.

Post me the contents of the uninstall list together with both the KAV and Ewido logs

Thanks,

Bod


September 8th, 2006 03:00

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
 + Created at: 11:23:31 PM 9/7/2006
 + Scan result: 
 
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@2o7[3].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@polo.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@admarketplace[2].txt -> TrackingCookie.Admarketplace : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@e-2dj6wflyejd5mko.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@e-2dj6wgk4endjeko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@as-us.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@as1.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@linksynergy[1].txt -> TrackingCookie.Linksynergy : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@data3.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@b.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@anad.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@trafficmp[3].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Mike Korwek\Cookies\mike korwek@zedo[1].txt -> TrackingCookie.Zedo : No action taken.

::Report end
 
 
 
-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Thursday, September 07, 2006 12:03:48 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update:  7/09/2006
 Kaspersky Anti-Virus database records: 221426
-------------------------------------------------------------------------------
Scan Settings:
 Scan using the following antivirus database: extended
 Scan Archives: true
 Scan Mail Bases: true
Scan Target - My Computer:
 A:\
 C:\
 D:\
Scan Statistics:
 Total number of scanned objects: 62067
 Number of viruses found: 6
 Number of infected objects: 39 / 0
 Number of suspicious objects: 0
 Duration of the scan process: 01:47:33
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-08162006-034611.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-09-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.BMP Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumb.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\Application Data\Aim\ttkuhqff\mkorwekmd\cert8.db Object is locked skipped
C:\Documents and Settings\Mike Korwek\Application Data\Aim\ttkuhqff\mkorwekmd\key3.db Object is locked skipped
C:\Documents and Settings\Mike Korwek\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{ED26DD99-927E-4E87-92CE-FB6A4518948C} Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\History\History.IE5\MSHist012006090620060907\index.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Temp\Acr21.tmp Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\01F25A98.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\02360922.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\077F1292.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CCD2487.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\158819FE.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\19103DAA.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\1AD92600.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\1ECC7953.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\25033D8F.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\29910800.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\29AE01E0.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\2C3946BF.exe Infected: Trojan.Win32.Dialer.pz skipped
C:\Program Files\Norton AntiVirus\Quarantine\32C31CBA.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\3ACE0923.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\401317E4.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\45356768.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\453C5D67.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\45705B27.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\482E1E23.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\49287E64.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\4CD85BDE.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\5084454B.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\51E50170.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe Crypt.Quarantine: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\60556E6A.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\62B56FCE.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\62B56FCE.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\62B56FCE.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\62B56FCE.exe Crypt.Quarantine: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\62F009C1.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\718F0ADF.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\73B422B3.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F47505C.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F7A6FFE.exe Infected: Trojan.Win32.Dialer.pz skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F964006.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Prevx1\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx1\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx1\paws.cache Object is locked skipped
C:\Program Files\Prevx1\prevx.cache Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\hgdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
I did as you said for the HJT Uninstall Manager, but I had a strange problem.  After the list was generated I clicked on the "Save list" button, and the entire HijackThis program closed/disappeared.  Strange huh?!?!?

561 Posts

September 8th, 2006 18:00

Hi Mike,

Thanks for the logs.

The Ewido log only had tracking cookies detected, as you will have seen. Personally I'd have removed them, but it's up to you, as there's nothing to worry about there.

Most of the infections detected in the KAV scan were in the Norton AV quarantine; these can't do any harm there unless you try to restore them! I suggest that you empty this quarantine store.

There was one other infection detected by KAV, so we'll deal with that next.

Step 1
Download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.

When VundoFix opens, click "Scan for Vundo".

When the scan is complete, click "Remove Vundo".

You will receive a prompt, "Do you want to remove the files?", click "YES".

Your desktop will then go blank as the program starts removing Vundo.

When completed, you will get a prompt that your computer will be shut down, click "OK".

Re-start your computer.

A log file is generated at C:\vundofix.txt; I will need a copy of this log as part of your next post.

Step 2
Do another online scan with Kaspersky WebScanner at http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click "Yes".
The program will launch and then begin downloading the latest definition files.

Once the files have been downloaded click on "NEXT".
Now click on "Scan Settings".
In the scan settings, make sure that the following are selected:
"Scan using the following Anti-Virus database:"
Extended (if available, otherwise Standard)

"Scan Options:"
Scan Archives
Scan Mail Bases


Click "OK".

Now under "select a target to scan:" select "My Computer".

The program will start and scan your system. The scan will take a while, so be patient and let it run.

Once the scan is complete it will display whether your system has been infected. Click on "Save as Text" and save the file to your desktop.

Post the KAV scan log in your next reply.

Step 3
Run HijackThis, click "Scan", and post the log, together with the VundoFix and KAV logs, as a reply to this thread.

Some infections do sometimes have strange effects on security programs, and that may be what happened when you were generating the uninstall list. We'll try the uninstall list again when we're sure that the Vundo infection has gone.

Thanks,

Bod

7 Posts

September 10th, 2006 19:00

Alright Bod, here's what I've got.  My computer seems to be running well again; I have yet to see any pop-ups and my computer's performance and loading time seem like they are back to normal.  In addition, Explorer has yet to crash/restart on me.  The first time I followed your instructions, VundoFix wasn't able to get all the files off, but a second try (as you'll see in the log) seemed to work.  However, my second Kaspersky scan still shows some bad files on my computer.  Let me know what you think.


VundoFix V6.1.4

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.4

Java version is 1.5.0.6

Java version is 1.5.0.7

Scan started at 3:38:27 PM 9/8/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\hgdef.dll
C:\WINDOWS\SYSTEM32\fedgh.ini
C:\WINDOWS\SYSTEM32\fedgh.bak1
C:\WINDOWS\SYSTEM32\fedgh.bak2
C:\WINDOWS\SYSTEM32\fedgh.ini2
C:\WINDOWS\SYSTEM32\fedgh.tmp

Beginning removal...

 Attempting to delete C:\WINDOWS\SYSTEM32\hgdef.dll
C:\WINDOWS\SYSTEM32\hgdef.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.ini
C:\WINDOWS\SYSTEM32\fedgh.ini Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.bak1
C:\WINDOWS\SYSTEM32\fedgh.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.bak2
C:\WINDOWS\SYSTEM32\fedgh.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.ini2
C:\WINDOWS\SYSTEM32\fedgh.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.tmp
C:\WINDOWS\SYSTEM32\fedgh.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Friday, September 08, 2006 6:43:10 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update:  8/09/2006
 Kaspersky Anti-Virus database records: 221913
-------------------------------------------------------------------------------

Scan Settings:
 Scan using the following antivirus database: extended
 Scan Archives: true
 Scan Mail Bases: true

Scan Target - My Computer:
 A:\
 C:\
 D:\

Scan Statistics:
 Total number of scanned objects: 62817
 Number of viruses found: 5
 Number of infected objects: 12 / 0
 Number of suspicious objects: 0
 Duration of the scan process: 01:36:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-08162006-034611.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-09-08_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.BMP Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C1A76318-9361-48AF-836F-D380478C5A95} Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\History\History.IE5\MSHist012006090820060909\index.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\45356768.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\45705B27.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe Crypt.Quarantine: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\60556E6A.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F47505C.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F7A6FFE.exe Infected: Trojan.Win32.Dialer.pz skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F964006.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\VundoFix Backups\hgdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\hgdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


2ND RUN:


VundoFix V6.1.4

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.4

Java version is 1.5.0.6

Java version is 1.5.0.7

Scan started at 1:13:12 AM 9/10/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\hgdef.dll
C:\WINDOWS\SYSTEM32\fedgh.ini
C:\WINDOWS\SYSTEM32\fedgh.bak1
C:\WINDOWS\SYSTEM32\fedgh.bak2

Beginning removal...

 Attempting to delete C:\WINDOWS\SYSTEM32\hgdef.dll
C:\WINDOWS\SYSTEM32\hgdef.dll Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.ini
C:\WINDOWS\SYSTEM32\fedgh.ini Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.bak1
C:\WINDOWS\SYSTEM32\fedgh.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\fedgh.bak2
C:\WINDOWS\SYSTEM32\fedgh.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, September 10, 2006 4:08:24 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 10/09/2006
 Kaspersky Anti-Virus database records: 222272
-------------------------------------------------------------------------------

Scan Settings:
 Scan using the following antivirus database: extended
 Scan Archives: true
 Scan Mail Bases: true

Scan Target - My Computer:
 A:\
 C:\
 D:\

Scan Statistics:
 Total number of scanned objects: 62936
 Number of viruses found: 5
 Number of infected objects: 11 / 0
 Number of suspicious objects: 0
 Duration of the scan process: 01:29:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-08162006-034611.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-09-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.BMP Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{24C6B97C-3783-4D61-BBC2-2C4A8A26716E} Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\History\History.IE5\MSHist012006091020060911\index.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Korwek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike Korwek\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Korwek\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\45356768.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\45705B27.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe Crypt.Quarantine: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\60556E6A.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F47505C.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F7A6FFE.exe Infected: Trojan.Win32.Dialer.pz skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F964006.tmp Infected: Trojan-Downloader.Win32.Zlob.dv skipped
C:\VundoFix Backups\hgdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
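Bod's reading of the first KAV report (hits inside the Norton quarantine are stored copies, not running code; one hit, hgdef.dll, was live) and the before/after scans Mike posted are exactly the kind of triage worth scripting rather than doing by eye over 100 lines. The following is an added example, not code from the thread, from Kaspersky or from any of the tools discussed. It parses the "Infected Object Name / Virus Name / Last Action" table of a KAV Online Scanner report, drops the "Object is locked" noise, treats hits under the Norton quarantine and the VundoFix Backups folder as contained (that grouping is this script's own assumption, not a scanner classification), collapses archive members back to the file on disk, and diffs two reports to confirm that the live hit went away. The two sample reports are abbreviated from the scans in this thread (same line shapes, far fewer lines).

```python
import re

# Folders where a hit is a stored copy, not code that can run.  Treating these
# as "contained" is this script's assumption, not a Kaspersky classification.
CONTAINED_PREFIXES = (
    "c:\\program files\\norton antivirus\\quarantine\\",
    "c:\\vundofix backups\\",
)

# The three line shapes that appear in the report table.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<packer>[\w.]+): infected - (?P<count>\d+) (?P<action>\S+)$"
)


def parse_report(text):
    """Return (kind, path, detail) tuples; kind is locked, infected or container.

    Headers, statistics and blank lines match none of the shapes and are skipped.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_RE.match(line)
        if m:
            findings.append(("locked", m["path"], ""))
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(("infected", m["path"], m["name"]))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            findings.append(("container", m["path"], m["packer"]))
    return findings


def is_contained(path):
    p = path.lower()
    return any(p.startswith(prefix) for prefix in CONTAINED_PREFIXES)


def triage(text):
    """Split one report into live hits, contained hits and locked-file noise."""
    live, contained, locked = set(), set(), []
    for kind, path, detail in parse_report(text):
        if kind == "locked":
            # Registry hives, event logs and index.dat files are always open
            # while Windows runs; "locked" says nothing about infection.
            locked.append(path)
        elif kind == "infected":
            # Archive members are reported as 'file.exe/data0002'; the file on
            # disk is the part before the first slash, so members de-duplicate.
            on_disk = path.split("/")[0]
            (contained if is_contained(on_disk) else live).add((on_disk, detail))
        # 'container' lines (e.g. "NSIS: infected - 2") only summarise members
        # that were already listed, so they add nothing.
    return {"live": sorted(live), "contained": sorted(contained), "locked_count": len(locked)}


def compare(before_text, after_text):
    """Which live hits disappeared between two scans, and which remain or are new."""
    before = {p for p, _ in triage(before_text)["live"]}
    after = {p for p, _ in triage(after_text)["live"]}
    return {"removed": sorted(before - after), "still_live": sorted(after), "new": sorted(after - before)}


# Sample reports, abbreviated from the two scans in the thread.
BEFORE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\58870F01.exe Crypt.Quarantine: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\45356768.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\WINDOWS\SYSTEM32\hgdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
Scan process completed.
"""

AFTER_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\45356768.tmp Infected: Trojan-Downloader.Win32.Zlob.dx skipped
C:\VundoFix Backups\hgdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
Scan process completed.
"""

if __name__ == "__main__":
    for label, report in (("before", BEFORE_REPORT), ("after", AFTER_REPORT)):
        t = triage(report)
        print(f"{label}: {len(t['live'])} live, {len(t['contained'])} contained, "
              f"{t['locked_count']} locked-file lines ignored")
    print(compare(BEFORE_REPORT, AFTER_REPORT))
```

Run against the two sample reports it reports one live hit before (hgdef.dll in SYSTEM32) and none after, with the remaining detections all under the quarantine and backup folders, which is the same conclusion Bod reached by hand. Anything left in "still_live" after a remediation pass is what needs the next round of work; the contained entries can be cleared by emptying the quarantine and deleting the backup folder once the machine has stayed clean.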


7 Posts

September 10th, 2006 19:00

Uninstall List now works as well:

3Com NIC Diagnostics
AC97 SoftV92 Data Fax Modem
AccessDirect
Actiontec MD56ORD V92 MDC Modem
Adobe Acrobat 5.0
Adobe Photoshop 7.0
ALPS Touch Pad Driver
AOL Instant Messenger
Citrix ICA Web Client
CopyPod (remove only)
dBpowerAMP Music Converter
dBpowerAMP Ogg Vorbis Codec
Dell | Support
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Easy CD Creator 5 Basic
ewido anti-spyware 4.0
Google Earth
HijackThis 1.99.1
HP Deskjet 6500
HP Software Update
HyperLoad
ImageMixer for Sony
InterVideo WinDVD
iPod for Windows 2006-03-23
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment Standard Edition v1.3.1_04
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
LimeWire
LimeWire 4.9.29
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Data Access Components KB870669
Microsoft Office XP Media Content
Microsoft Office XP Professional
Modem Helper
MSN Music Assistant
Norton AntiVirus 2002
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
P2P Networking
PokerStars
ProntoEdit 4
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
Sony USB Driver
Spybot - Search & Destroy 1.4
TrueMobile 1150 Client Manager
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
USB Card Reader
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Webshots Desktop
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip

561 Posts

September 10th, 2006 21:00

Hi Mike,

OK, well done with running Vundofix twice!

The remaining infections listed in the second KAV scan are all in either the Norton AntiVirus Quarantine folder or the Vundofix backup. They aren't going to cause any problems there, but I recommend that you run Norton anyway and empty the quarantine folder. The Vundofix folder can also be deleted.

So, you've now had a Hijack This scan, an Ewido scan and a KAV scan, all of which show no items of concern, and you report that the pc is running as normal.

I think we can say that your pc is now clean, these are my suggestions to help keep it that way.

Step 1 - Java Update - This is essential; earlier versions of Java can be exploited.
Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install Java Runtime Environment (JRE) 5.0 Update 8.
Click the link "Download JRE 5.0 Update 8". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_08-windows-i586-p.exe" to start the install.

Once you have it installed, Click Start > Control Panel > Add/Remove Programs.
Allow the list to populate, then click on "Remove" for "J2SE Runtime Environment 5.0 Update 3, 4, 6, 7" and also "Java 2 Runtime Environment Standard Edition v1.3.1_04".

Step 2
Still in Add/Remove Programs.
Click on "Remove" for all of the following programs that appear in the list if they are programs you didn't knowingly install.
HyperLoad
PokerStars

In the case of HyperLoad, I recommend that this is removed even if you did knowingly install it!
Do not reboot until you have attempted to remove all of these entries that you find.

Step 3 - Microsoft Windows Update
Click Start > All Programs > Windows Update. This will take you to the Windows Update site. Follow the instructions to download and install all of the latest critical updates. Repeat this as many times as necessary, until there are no more updates available. Reboot whenever instructed.
Click Start > Control Panel > Security Centre and make sure that Automatic Updates are On.

Step 4 - Hide System Files
Click Start > My Computer > Tools > Folder Options > View Tab. Un-check "Show hidden files and folders" in the Hidden files and folders section, and select the "Hide protected operating system files (recommended)" option. Click Yes > OK.

Step 5 Create a clean system restore point
Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" check box, then click "Apply".

Reboot, then click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.

Step 6 - Make your Internet Explorer more secure
Open Internet Explorer, click Tools > Options > Security tab > Internet icon to highlight > Custom Level, then select the following options:
Change "Download signed ActiveX controls" to "Prompt"
Change "Download unsigned ActiveX controls" to "Disable"
Change "Initialise and script ActiveX controls not marked as safe" to "Disable"
Change "Installation of desktop items" to "Prompt"
Change "Launching programs and files in an IFRAME" to "Prompt"
Change "Navigate sub-frames across different domains" to "Prompt"
Click " OK", then Apply
Click on the "Privacy" tab and move the slider up to "Medium High", then Apply > OK to exit the Internet Properties page.

Step 7 - Anti Virus Software
It is very important that your computer has anti-virus software running and that it is kept up to date.

You have Norton, so make sure it is updated at least weekly, preferably daily. If your anti-virus is a trial copy or your subscription has expired, you can use one of these, both of which have a free version for home, non-networked, single user use.
Grisoft AVG http://free.grisoft.com/doc/1
Avast http://www.avast.com/

For more information on anti-virus programs see http://forum.malwareremoval.com/viewtopic.php?p=53#53

Step 8 - Firewall
You have Norton, so make sure it is kept up to date. If your firewall is a trial copy or your subscription has expired, you can use one of these, both of which have a free version for home, non-networked, single user use.
ZoneAlarm http://www.zonelabs.com/store/content/home.jsp
Kerio http://www.sunbelt-software.com/Kerio.cfm

For more information on firewalls see http://forum.malwareremoval.com/viewtopic.php?p=56#56

Step 9 - Windows Defender
Keep Defender up to date and make sure it scans the pc regularly.

Step 10 - Spybot Search & Destroy
Install Spybot Search & Destroy from http://www.safer-networking.org/en/download/index.html
Enable the TeaTimer and SD Helper options during the installation process. Update this and scan your PC on a weekly basis.

Step 11 - SpywareBlaster
Download and install Javacool's SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html. When installed, run SpywareBlaster, click "Enable All Protection", then "Download Latest Protection Updates" and follow the instructions to download and enable the latest update.
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Hopefully these will help keep your computer clean. Glad I could be of assistance,

Bod
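As an added example (not code from the original thread or from either poster), the script below turns two of the steps above into repeatable checks: Step 1, finding every Java runtime in the Add/Remove Programs list that is older than JRE 5.0 Update 8, and Step 6, comparing the Internet Explorer "Internet" zone settings with the values Bod asks for. The sample program names are the Java entries from the list Mike posted. The registry value names used for the zone check ("1001", "1004", "1201", "1607", "1800", "1804", with 0 = Enable, 1 = Prompt, 3 = Disable) are IE's standard zone action IDs; the "Java(TM) N Update M" name format is an assumption for later releases that do not appear on the page, and the sample zone values in the usage section are constructed, not read from Mike's machine.

```python
"""Checks for Step 1 (stale Java runtimes) and Step 6 (IE Internet zone).

Added example, not from the original thread. The "Java(TM) N Update M"
name format is assumed for later releases; the other two formats appear
in the posted Add/Remove Programs list.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]   # 1.5.0_08 -> (1, 5, 0, 8)
JRE_5U8: Version = (1, 5, 0, 8)       # the release Step 1 installs

_J2SE = re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?$")
_JAVA2 = re.compile(r"^Java 2 Runtime Environment.*v(\d+)\.(\d+)\.(\d+)_(\d+)$")
_JAVA6 = re.compile(r"^Java\(TM\) (\d+)(?: Update (\d+))?$")   # assumed format


def parse_java_version(name: str) -> Optional[Version]:
    """Map an Add/Remove Programs entry to a comparable version, or None."""
    m = _J2SE.match(name)      # "J2SE Runtime Environment 5.0 Update 7"
    if m:
        return (1, int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _JAVA2.match(name)     # "Java 2 Runtime Environment ... v1.3.1_04"
    if m:
        a, b, c, d = (int(g) for g in m.groups())
        return (a, b, c, d)
    m = _JAVA6.match(name)     # "Java(TM) 6 Update 20" (assumed)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2) or 0))
    return None


def audit_java(programs: List[str], required: Version = JRE_5U8) -> Dict[str, object]:
    """Split installed runtimes into keep (>= required) and remove (older).
    current_ok is False when nothing meets required: install first, then remove."""
    found = []
    for name in programs:
        version = parse_java_version(name)
        if version is not None:
            found.append((version, name))
    keep = [n for v, n in found if v >= required]
    remove = [n for v, n in found if v < required]
    return {"keep": keep, "remove": remove, "current_ok": bool(keep)}


# Step 6: registry value name under Zones\3 -> (label, required action value).
ACTION_STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
STEP6_BASELINE = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}


def audit_internet_zone(values: Dict[str, int]) -> List[str]:
    """Report each Step 6 setting looser than the baseline. 0 < 1 < 3 is also
    least-to-most restrictive, so current < wanted is a finding; an absent
    value is flagged for a manual check rather than assumed."""
    findings = []
    for action, (label, wanted) in STEP6_BASELINE.items():
        current = values.get(action)
        if current is None:
            findings.append(f"{action} {label}: not set, check manually")
        elif current < wanted:
            findings.append(f"{action} {label}: is {ACTION_STATE.get(current, current)}, "
                            f"should be {ACTION_STATE[wanted]}")
    return findings


def read_internet_zone() -> Dict[str, int]:
    """Read the current user's Internet zone (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for action in STEP6_BASELINE:
            try:
                value, kind = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                out[action] = value
    return out


# Constructed sample: the Java entries as they appear in the posted list.
POSTED_JAVA_ENTRIES = [
    "J2SE Runtime Environment 5.0 Update 3",
    "J2SE Runtime Environment 5.0 Update 4",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 7",
    "Java 2 Runtime Environment Standard Edition v1.3.1_04",
]

if __name__ == "__main__":
    print(audit_java(POSTED_JAVA_ENTRIES + ["iTunes", "LimeWire 4.9.29"]))
    # Constructed zone values for an offline run; on Windows the live values are used.
    sample_zone = {"1001": 0, "1004": 3, "1201": 3, "1800": 1, "1804": 1, "1607": 0}
    for line in audit_internet_zone(read_internet_zone() or sample_zone):
        print(line)
```

Run against the posted list, audit_java lists all five runtimes for removal and reports current_ok as False, which is the state Step 1 starts from; once "J2SE Runtime Environment 5.0 Update 8" is present it moves to the keep list and the four Update 3/4/6/7 entries plus v1.3.1_04 stay on the remove list. The zone check only compares against the six values Step 6 changes; it does not claim to know IE's defaults, so an action that has never been set is reported for a manual look rather than scored.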

7 Posts

September 11th, 2006 02:00

Bod - I can't thank you enough for all of your help. You have no idea how much time and aggravation you saved me by not having to format my hard drive and start all over. I'm glad we were able to reach a successful end to this problem and I am happy to say my PC is running like it was before this Vundo mess. I have already followed half or more of your future suggestions to help keep my computer the way it is now, and hopefully I will never have to deal with a problem like this ever again. Again, thanks a million for your assistance!

Mike

561 Posts

September 11th, 2006 18:00

Hi Mike,

Thanks for your comments, I'm glad I was able to help you.

Bod
