
11 Posts

December 19th, 2006 00:00

Java Bug-Amaena Security Worm

Hi,
I've got a Java bug on my computer.  Can you help me get rid of it?
Thanks so much.  Here's the HijackThis log.
 
Logfile of HijackThis v1.99.1
Scan saved at 12:59:35 AM, on 12/18/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\winamp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\Mom and Dad\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/avie5/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jump.altavista.com/avie5/homebutton
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AltaVista
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://jump.altavista.com/avie5/homebutton
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166420644563
O17 - HKLM\System\CCS\Services\Tcpip\..\{3600FB7A-CA1F-4324-888C-C28182629671}: NameServer = 206.74.254.2 204.116.57.2
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
 

3.3K Posts

December 19th, 2006 01:00

You have a vundo infection that is hiding from your HijackThis application. To remedy this, rename HijackThis.exe to "Analyze.exe"...re-run a scan and save the log. Post that log back here in this thread. Thanks!

11 Posts

December 19th, 2006 01:00

Hi,
I renamed the executable and reran.  Here are the results.
Thank you!
 
Logfile of HijackThis v1.99.1
Scan saved at 10:45:04 PM, on 12/18/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\winamp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\internet explorer\iexplore.exe
C:\DOCUME~1\MOMAND~1\LOCALS~1\Temp\1166505195oyGWa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mom and Dad\Desktop\Analyze.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/avie5/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jump.altavista.com/avie5/homebutton
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AltaVista
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {087FC023-DC5B-41E6-9286-953D382070C1} - C:\WINDOWS\System32\fcccyaw.dll
O2 - BHO: (no name) - {2CF6CEE0-EE6E-46AC-8DBB-A0E5A02BD120} - C:\WINDOWS\System32\oppon.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\System32\lvfvutkv.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://jump.altavista.com/avie5/homebutton
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166420644563
O17 - HKLM\System\CCS\Services\Tcpip\..\{3600FB7A-CA1F-4324-888C-C28182629671}: NameServer = 206.74.254.2 204.116.57.2
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: fcccyaw - C:\WINDOWS\SYSTEM32\fcccyaw.dll
O20 - Winlogon Notify: oppon - C:\WINDOWS\System32\oppon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
 

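As an added defender-side example (not code from this thread, from HijackThis, or from any tool the helper names), the script below parses HijackThis-style log lines, applies the checks the helper is doing by eye (a process started from a Temp folder, an unnamed BHO whose DLL sits in System32, and the same DLL registered both as a BHO and as a Winlogon Notify handler, as with fcccyaw.dll and oppon.dll above), and diffs the first log against the one taken after the rename to list the entries that only became visible once the scanner stopped running under its well-known file name. The two embedded logs are constructed excerpts of the logs posted above; the function names and heuristics are my own assumptions about what a log reviewer checks, not features of HijackThis.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: excerpts of the two logs posted above, trimmed to a few
# benign lines plus the entries that only appeared once the scanner was renamed.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mom and Dad\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\MOMAND~1\LOCALS~1\Temp\1166505195oyGWa.exe
C:\Documents and Settings\Mom and Dad\Desktop\Analyze.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {087FC023-DC5B-41E6-9286-953D382070C1} - C:\WINDOWS\System32\fcccyaw.dll
O2 - BHO: (no name) - {2CF6CEE0-EE6E-46AC-8DBB-A0E5A02BD120} - C:\WINDOWS\System32\oppon.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\System32\lvfvutkv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: fcccyaw - C:\WINDOWS\SYSTEM32\fcccyaw.dll
O20 - Winlogon Notify: oppon - C:\WINDOWS\System32\oppon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# HijackThis item lines look like "O2 - BHO: <name> - {CLSID} - <path>".
ITEM_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into the running-process list and (section, body) items."""
    processes: List[str] = []
    items: List[Tuple[str, str]] = []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_procs = False  # first "Oxx - " line ends the process list
            items.append((m.group("sec"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, items


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(text: str) -> List[str]:
    """Apply the reviewer heuristics (assumed, not HijackThis features); returns findings."""
    processes, items = parse_hjt(text)
    findings: List[str] = []
    # (1) A process started from a Temp directory (long or 8.3 path form).
    for p in processes:
        if "\\temp\\" in p.lower():
            findings.append(f"process running from Temp: {p}")
    # (2) Unnamed BHO whose DLL lives in System32 rather than in a vendor folder.
    bho_dlls: Dict[str, str] = {}
    for sec, body in items:
        m = BHO_RE.match(body) if sec == "O2" else None
        if m:
            bho_dlls[_basename(m.group("path"))] = m.group("path")
            if m.group("name") == "(no name)" and _in_system32(m.group("path")):
                findings.append(f"unnamed BHO in System32: {m.group('path')}")
    # (3) The same DLL hooked as a BHO and as a Winlogon Notify handler.
    for sec, body in items:
        m = NOTIFY_RE.match(body) if sec == "O20" else None
        if m and _basename(m.group("path")) in bho_dlls:
            findings.append(f"DLL is both BHO and Winlogon Notify: {_basename(m.group('path'))}")
    return findings


def newly_visible(before: str, after: str) -> List[str]:
    """Items present only in the second log, e.g. entries hidden from the first scan."""
    _, before_items = parse_hjt(before)
    _, after_items = parse_hjt(after)
    seen = set(before_items)
    return [f"{sec} - {body}" for sec, body in after_items if (sec, body) not in seen]


if __name__ == "__main__":
    for finding in triage(LOG_AFTER):
        print("FLAG:", finding)
    for line in newly_visible(LOG_BEFORE, LOG_AFTER):
        print("NEW :", line)
```

Running the block prints six flags for the renamed scan and none for the original one; the six "NEW" lines are exactly the O2 and O20 entries that the first scan did not show. The (no name)/System32 rule is a prompt for inspection, not a verdict: some legitimate components also register without a display name, so each hit still needs a look at the file's publisher and origin.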
3.3K Posts

December 19th, 2006 03:00

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click "Look2Me-Destroyer.exe" to run it.
  • Put a check next to "Run this program as a task."
  • You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click "OK".
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the "Remove L2M" button.
  • You will receive a "Done Scanning" message, click "OK".
  • When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click "OK".
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please remember to post the contents of C:\Look2Me-Destroyer.txt in your next reply. The log can be found wherever the fix is located - if Look2Me-Destroyer is on the desktop that's where the log will be.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the Internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Then you click the Remove L2M button and wait for it to give you a message. When you click OK it should shut itself down.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please remember to post the contents of C:\vundofix.txt in your next reply.


Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download AVG Anti-Spyware v7.5
( This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
  • Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
  • Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
Click on the " Scanner" button and choose the " Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
Close AVG Anti-Spyware. Do not scan yet.


Please boot into Safe mode:
Restart the computer and immediately begin tapping the F8 key (or F5 on some Dell machines).
Use the arrow keys to highlight Safe Mode and press the Enter key.
Once in safe mode, continue with the instructions below:

  • Launch AVG anti-spyware by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top, then the Scan tab then click on Complete System Scan.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take some time.
  • Once the scan is complete do the following:
  • When prompted of an infection, please select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to your Desktop.
Now close AVG Anti-spyware. Reboot back to your normal user mode.

Please post the C:\Look2Me-Destroyer.txt, the C:\vundofix.txt, the scan log from AVG Anti-Spyware, and a fresh HijackThis log.
How is the computer running now?

11 Posts

January 5th, 2007 15:00

Hi,
Sorry that it took so long to run the processes.  A bad holiday flu got in the way.  Anyway, I ran all the programs that you requested.  The computer is still running very slow, possibly even slower now, and the pop-ups are still infesting my screen.  Even though the settings were for a report with the AVG Anti-Spyware, a report was not generated.  Could have been user error.  Here are the other reports as requested.
 
Thank you,
 

Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 1/4/2007 7:14:07 PM

Attempting to delete infected files...
Making registry repairs.

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"
HKCR\Clsid\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BD472F60-27FA-11cf-B8B4-444553540000}"
HKCR\Clsid\{BD472F60-27FA-11cf-B8B4-444553540000}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"
HKCR\Clsid\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}"
HKCR\Clsid\{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53C74826-AB99-4d33-ACA4-3117F51D3788}"
HKCR\Clsid\{53C74826-AB99-4d33-ACA4-3117F51D3788}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded
 
 
VundoFix V6.2.13
Checking Java version...
Sun Java not detected
Scan started at 9:24:41 PM 1/4/2007
Listing files found while scanning....
C:\WINDOWS\System32\oppon.dll
C:\WINDOWS\System32\noppo.ini
C:\WINDOWS\System32\noppo.bak1
C:\WINDOWS\System32\noppo.bak2
Beginning removal...
 Attempting to delete C:\WINDOWS\System32\oppon.dll
C:\WINDOWS\System32\oppon.dll Has been deleted!
 Attempting to delete C:\WINDOWS\System32\noppo.ini
C:\WINDOWS\System32\noppo.ini Has been deleted!
 Attempting to delete C:\WINDOWS\System32\noppo.bak1
C:\WINDOWS\System32\noppo.bak1 Has been deleted!
 Attempting to delete C:\WINDOWS\System32\noppo.bak2
C:\WINDOWS\System32\noppo.bak2 Has been deleted!
Performing Repairs to the registry.
Done!
 
Logfile of HijackThis v1.99.1
Scan saved at 12:24:56 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Mom and Dad\Desktop\Analyze.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/avie5/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jump.altavista.com/avie5/homebutton
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AltaVista
O2 - BHO: (no name) - {087FC023-DC5B-41E6-9286-953D382070C1} - C:\WINDOWS\system32\fcccyaw.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {6B86F301-DBA3-464F-B23F-68A97698B14D} - C:\WINDOWS\System32\oppon.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\tsqbjkie.dll
O2 - BHO: (no name) - {7E0EAA4B-5E5E-45DE-AD34-1C03B2428AEA} - C:\WINDOWS\System32\vtuvt.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\jinwahnj.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://jump.altavista.com/avie5/homebutton
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166420644563
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168010862030
O17 - HKLM\System\CCS\Services\Tcpip\..\{3600FB7A-CA1F-4324-888C-C28182629671}: NameServer = 206.74.254.2 204.116.57.2
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: fcccyaw - C:\WINDOWS\SYSTEM32\fcccyaw.dll
O20 - Winlogon Notify: vtuvt - C:\WINDOWS\System32\vtuvt.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
 

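Two of the artifacts in the logs just posted are worth recognising by pattern rather than by name, so here is an added example (my own code, not from the thread or from VundoFix or HijackThis). The VundoFix listing shows oppon.dll beside noppo.ini, noppo.bak1 and noppo.bak2, that is, companion files whose base name is the DLL's name spelled backwards; and the fresh HijackThis log has a Run entry that starts rundll32.exe on a System32 DLL by export name. The first function pairs each DLL with any reversed-name companions in a directory listing; the second pulls rundll32-launched System32 DLLs out of O4 lines. The file list and the O4 lines are constructed from the logs above, and both checks are assumed triage heuristics that produce leads to inspect, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample: the four files VundoFix listed, one DLL from the later
# HijackThis log, and two known-good System32 files for contrast.
SYSTEM32_LISTING = [
    r"C:\WINDOWS\System32\oppon.dll",
    r"C:\WINDOWS\System32\noppo.ini",
    r"C:\WINDOWS\System32\noppo.bak1",
    r"C:\WINDOWS\System32\noppo.bak2",
    r"C:\WINDOWS\System32\vtuvt.dll",      # no tvutv.* companion in this sample
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\msdxm.ocx",
]

# Constructed sample: O4 lines copied from the fresh HijackThis log above.
RUN_ENTRIES = [
    r'O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\jinwahnj.dll",setvm',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
]


def _stem(path: str) -> str:
    """Lower-case file name without its last extension: noppo.bak1 -> noppo."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def reversed_name_companions(paths: List[str]) -> Dict[str, List[str]]:
    """Map each DLL to files whose base name is the DLL's base name reversed."""
    by_stem: Dict[str, List[str]] = {}
    for p in paths:
        by_stem.setdefault(_stem(p), []).append(p)
    result: Dict[str, List[str]] = {}
    for p in paths:
        if not p.lower().endswith(".dll"):
            continue
        stem = _stem(p)
        mirror = stem[::-1]
        # Skip palindromes, which would trivially "pair" with themselves.
        if mirror != stem and mirror in by_stem:
            result[p] = sorted(by_stem[mirror])
    return result


# rundll32[.exe] "<path>.dll",<export>  (quotes optional, spaces around the comma allowed)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE
)


def rundll32_run_entries(o4_lines: List[str]) -> List[Dict[str, str]]:
    """Run-key entries that load a System32 DLL through rundll32 by export name.

    Legitimate vendors use rundll32 this way too, so each hit is a lead to check
    (who signed the DLL, when it appeared), not a detection on its own.
    """
    hits: List[Dict[str, str]] = []
    for line in o4_lines:
        m = RUNDLL_RE.search(line)
        if m and "\\system32\\" in m.group("dll").lower():
            hits.append({"dll": m.group("dll"), "export": m.group("export"), "line": line})
    return hits


if __name__ == "__main__":
    for dll, companions in reversed_name_companions(SYSTEM32_LISTING).items():
        print(dll, "<->", ", ".join(companions))
    for hit in rundll32_run_entries(RUN_ENTRIES):
        print("rundll32 Run entry:", hit["dll"], "export", hit["export"])
```

On the sample, only oppon.dll gets companions (the three noppo.* files) and only the DllRunning entry is reported; the Symantec and QuickTime Run entries pass through untouched.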
3.3K Posts

January 5th, 2007 17:00

Please download VirtumundoBeGone.exe:
1. Save the file to your Desktop.
2. Close ALL running programs including your Internet Browser.
3. Double-click VirtumundoBeGone.exe to launch.
4. Read the introductory information, and then click "Continue".
5. Click "Start".
6. When asked if you want to continue, click "Yes" to run the fix. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
7. When finished it will create a log named VBG.TXT on your desktop.
8. Reboot your PC.

Note: This tool does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.



You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.


I am going to give you two sets of instructions...both relating to the Smitfraud infection that you have. The first set of instructions will cause the application to find the bad files. The second set will allow the application to delete the bad files it found.

With each set there is a log generated. It is important that you remember to post both logs in your next reply. You must perform these steps exactly as presented and cannot skip a step. The application will delete nothing unless you first allow it to find the bad files...which is why you must follow these instructions exactly as presented:

Set #1

Please download:
SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

Note:
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Set#2
Next, reboot the computer into Safemode.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into your Normal Windows user mode.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Please remember to post BOTH logs generated from these scans on your next reply along with a fresh HijackThis log and the VBG.TXT log. Thanks!

11 Posts

January 5th, 2007 21:00

SmitFix Cleaning Log
SmitFraudFix v2.132
Scan done at 18:21:55.80, Fri 01/05/2007
Run from C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\migicons.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
 
 
New HiJack Log
Logfile of HijackThis v1.99.1
Scan saved at 6:35:26 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Mom and Dad\Desktop\Analyze.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AltaVista
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {6B86F301-DBA3-464F-B23F-68A97698B14D} - C:\WINDOWS\System32\oppon.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\tsqbjkie.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\jinwahnj.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://jump.altavista.com/avie5/homebutton
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166420644563
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168010862030
O17 - HKLM\System\CCS\Services\Tcpip\..\{3600FB7A-CA1F-4324-888C-C28182629671}: NameServer = 206.74.254.2 204.116.57.2
O20 - AppInit_DLLs: 
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
 

11 Posts

January 5th, 2007 21:00

Hi,
The computer seems to be moving faster, and without any pop-ups, so far anyway.  Here are the logs from the processes.
 
VBG  (had to stop the computer and restart; it found something)

[01/05/2007, 17:56:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mom and Dad\Desktop\VirtumundoBeGone.exe" )
[01/05/2007, 17:57:01] - Detected System Information:
[01/05/2007, 17:57:01] -  Windows Version: 5.1.2600, Service Pack 2
[01/05/2007, 17:57:01] -  Current Username: Mom and Dad (Admin)
[01/05/2007, 17:57:01] -  Windows is in NORMAL mode.
[01/05/2007, 17:57:02] - Searching for Browser Helper Objects:
[01/05/2007, 17:57:02] -  BHO 1: {087FC023-DC5B-41E6-9286-953D382070C1} ()
[01/05/2007, 17:57:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:02] -  Checking for HKLM\...\Winlogon\Notify\fcccyaw
[01/05/2007, 17:57:02] -  Found: HKLM\...\Winlogon\Notify\fcccyaw - This is probably Virtumundo.
[01/05/2007, 17:57:02] -  Assigning {087FC023-DC5B-41E6-9286-953D382070C1} MSEvents Object
[01/05/2007, 17:57:02] - BHO list has been changed! Starting over...
[01/05/2007, 17:57:02] -  BHO 1: {087FC023-DC5B-41E6-9286-953D382070C1} (MSEvents Object)
[01/05/2007, 17:57:02] - ALERT: Found MSEvents Object!
[01/05/2007, 17:57:02] -  BHO 2: {3627D845-AED4-4953-9801-64E2E4CB522F} ()
[01/05/2007, 17:57:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:02] -  Checking for HKLM\...\Winlogon\Notify\vtuvt
[01/05/2007, 17:57:02] -  Found: HKLM\...\Winlogon\Notify\vtuvt - This is probably Virtumundo.
[01/05/2007, 17:57:02] -  Assigning {3627D845-AED4-4953-9801-64E2E4CB522F} MSEvents Object
[01/05/2007, 17:57:02] - BHO list has been changed! Starting over...
[01/05/2007, 17:57:02] -  BHO 1: {087FC023-DC5B-41E6-9286-953D382070C1} (MSEvents Object)
[01/05/2007, 17:57:02] - ALERT: Found MSEvents Object!
[01/05/2007, 17:57:02] -  BHO 2: {3627D845-AED4-4953-9801-64E2E4CB522F} (MSEvents Object)
[01/05/2007, 17:57:02] - ALERT: Found MSEvents Object!
[01/05/2007, 17:57:02] -  BHO 3: {46A4E9D9-B30E-452A-8157-DBBEC8573B03} ()
[01/05/2007, 17:57:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:02] -  Checking for HKLM\...\Winlogon\Notify\VSAdd-in
[01/05/2007, 17:57:02] -  Key not found: HKLM\...\Winlogon\Notify\VSAdd-in, continuing.
[01/05/2007, 17:57:02] -  BHO 4: {6B86F301-DBA3-464F-B23F-68A97698B14D} ()
[01/05/2007, 17:57:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:02] -  Checking for HKLM\...\Winlogon\Notify\oppon
[01/05/2007, 17:57:02] -  Key not found: HKLM\...\Winlogon\Notify\oppon, continuing.
[01/05/2007, 17:57:02] -  BHO 5: {7DA39570-5FD2-4f18-94B4-20730CB3F727} ()
[01/05/2007, 17:57:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:03] -  Checking for HKLM\...\Winlogon\Notify\tsqbjkie
[01/05/2007, 17:57:03] -  Key not found: HKLM\...\Winlogon\Notify\tsqbjkie, continuing.
[01/05/2007, 17:57:03] -  BHO 6: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/05/2007, 17:57:03] -  BHO 7: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/05/2007, 17:57:03] - Finished Searching Browser Helper Objects
[01/05/2007, 17:57:03] - *** Detected MSEvents Object
[01/05/2007, 17:57:03] - Trying to remove MSEvents Object...
[01/05/2007, 17:57:04] -    Terminating Process: IEXPLORE.EXE
[01/05/2007, 17:57:04] -    Terminating Process: RUNDLL32.EXE
[01/05/2007, 17:57:05] -    Disabling Automatic Shell Restart
[01/05/2007, 17:57:05] -    Terminating Process: EXPLORER.EXE
[01/05/2007, 17:57:06] -    Suspending the NT Session Manager System Service
[01/05/2007, 17:57:06] -    Terminating Windows NT Logon/Logoff Manager
[01/05/2007, 17:57:07] -    Re-enabling Automatic Shell Restart
[01/05/2007, 17:57:07] -   File to disable: C:\WINDOWS\system32\fcccyaw.dll
[01/05/2007, 17:57:07] -  Renaming C:\WINDOWS\system32\fcccyaw.dll -> C:\WINDOWS\system32\fcccyaw.dll.vir
[01/05/2007, 17:57:07] -  File successfully renamed!
[01/05/2007, 17:57:07] -   Removing HKLM\...\Browser Helper Objects\{087FC023-DC5B-41E6-9286-953D382070C1}
[01/05/2007, 17:57:07] -   Removing HKCR\CLSID\{087FC023-DC5B-41E6-9286-953D382070C1}
[01/05/2007, 17:57:07] -   Adding Kill Bit for ActiveX for GUID: {087FC023-DC5B-41E6-9286-953D382070C1}
[01/05/2007, 17:57:08] -   Deleting ATLEvents/MSEvents Registry entries
[01/05/2007, 17:57:08] -   Removing HKLM\...\Winlogon\Notify\fcccyaw
[01/05/2007, 17:57:08] - Searching for Browser Helper Objects:
[01/05/2007, 17:57:08] -  BHO 1: {3627D845-AED4-4953-9801-64E2E4CB522F} (MSEvents Object)
[01/05/2007, 17:57:08] - ALERT: Found MSEvents Object!
[01/05/2007, 17:57:08] -  BHO 2: {46A4E9D9-B30E-452A-8157-DBBEC8573B03} ()
[01/05/2007, 17:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:08] -  Checking for HKLM\...\Winlogon\Notify\VSAdd-in
[01/05/2007, 17:57:08] -  Key not found: HKLM\...\Winlogon\Notify\VSAdd-in, continuing.
[01/05/2007, 17:57:08] -  BHO 3: {6B86F301-DBA3-464F-B23F-68A97698B14D} ()
[01/05/2007, 17:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:08] -  Checking for HKLM\...\Winlogon\Notify\oppon
[01/05/2007, 17:57:08] -  Key not found: HKLM\...\Winlogon\Notify\oppon, continuing.
[01/05/2007, 17:57:08] -  BHO 4: {7DA39570-5FD2-4f18-94B4-20730CB3F727} ()
[01/05/2007, 17:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:08] -  Checking for HKLM\...\Winlogon\Notify\tsqbjkie
[01/05/2007, 17:57:08] -  Key not found: HKLM\...\Winlogon\Notify\tsqbjkie, continuing.
[01/05/2007, 17:57:08] -  BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/05/2007, 17:57:08] -  BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/05/2007, 17:57:08] - Finished Searching Browser Helper Objects
[01/05/2007, 17:57:08] - *** Detected MSEvents Object
[01/05/2007, 17:57:08] - Trying to remove MSEvents Object...
[01/05/2007, 17:57:09] -    Terminating Process: IEXPLORE.EXE
[01/05/2007, 17:57:09] -    Terminating Process: RUNDLL32.EXE
[01/05/2007, 17:57:09] -    Disabling Automatic Shell Restart
[01/05/2007, 17:57:09] -    Terminating Process: EXPLORER.EXE
[01/05/2007, 17:57:09] -    Suspending the NT Session Manager System Service
[01/05/2007, 17:57:09] -    Terminating Windows NT Logon/Logoff Manager
[01/05/2007, 17:57:10] -    Re-enabling Automatic Shell Restart
[01/05/2007, 17:57:10] -   File to disable: C:\WINDOWS\System32\vtuvt.dll
[01/05/2007, 17:57:10] -  Renaming C:\WINDOWS\System32\vtuvt.dll -> C:\WINDOWS\System32\vtuvt.dll.vir
[01/05/2007, 17:57:10] -  File successfully renamed!
[01/05/2007, 17:57:10] -   Removing HKLM\...\Browser Helper Objects\{3627D845-AED4-4953-9801-64E2E4CB522F}
[01/05/2007, 17:57:10] -   Removing HKCR\CLSID\{3627D845-AED4-4953-9801-64E2E4CB522F}
[01/05/2007, 17:57:10] -   Adding Kill Bit for ActiveX for GUID: {3627D845-AED4-4953-9801-64E2E4CB522F}
[01/05/2007, 17:57:10] -   Deleting ATLEvents/MSEvents Registry entries
[01/05/2007, 17:57:10] -   Removing HKLM\...\Winlogon\Notify\vtuvt
[01/05/2007, 17:57:10] - Searching for Browser Helper Objects:
[01/05/2007, 17:57:10] -  BHO 1: {46A4E9D9-B30E-452A-8157-DBBEC8573B03} ()
[01/05/2007, 17:57:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:10] -  Checking for HKLM\...\Winlogon\Notify\VSAdd-in
[01/05/2007, 17:57:10] -  Key not found: HKLM\...\Winlogon\Notify\VSAdd-in, continuing.
[01/05/2007, 17:57:10] -  BHO 2: {6B86F301-DBA3-464F-B23F-68A97698B14D} ()
[01/05/2007, 17:57:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:10] -  Checking for HKLM\...\Winlogon\Notify\oppon
[01/05/2007, 17:57:10] -  Key not found: HKLM\...\Winlogon\Notify\oppon, continuing.
[01/05/2007, 17:57:10] -  BHO 3: {7DA39570-5FD2-4f18-94B4-20730CB3F727} ()
[01/05/2007, 17:57:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:57:10] -  Checking for HKLM\...\Winlogon\Notify\tsqbjkie
[01/05/2007, 17:57:10] -  Key not found: HKLM\...\Winlogon\Notify\tsqbjkie, continuing.
[01/05/2007, 17:57:10] -  BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/05/2007, 17:57:10] -  BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/05/2007, 17:57:10] - Finished Searching Browser Helper Objects
[01/05/2007, 17:57:10] - Finishing up...
[01/05/2007, 17:57:10] - A restart is needed.
[01/05/2007, 17:57:16] - Attempting to Restart via STOP error (Blue Screen!)
[01/05/2007, 17:59:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mom and Dad\Desktop\VirtumundoBeGone.exe" )
[01/05/2007, 17:59:51] - Detected System Information:
[01/05/2007, 17:59:51] -  Windows Version: 5.1.2600, Service Pack 2
[01/05/2007, 17:59:51] -  Current Username: Mom and Dad (Admin)
[01/05/2007, 17:59:51] -  Windows is in NORMAL mode.
[01/05/2007, 17:59:51] - Searching for Browser Helper Objects:
[01/05/2007, 17:59:52] -  BHO 1: {46A4E9D9-B30E-452A-8157-DBBEC8573B03} ()
[01/05/2007, 17:59:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:59:53] -  Checking for HKLM\...\Winlogon\Notify\VSAdd-in
[01/05/2007, 17:59:53] -  Key not found: HKLM\...\Winlogon\Notify\VSAdd-in, continuing.
[01/05/2007, 17:59:54] -  BHO 2: {6B86F301-DBA3-464F-B23F-68A97698B14D} ()
[01/05/2007, 17:59:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:59:54] -  Checking for HKLM\...\Winlogon\Notify\oppon
[01/05/2007, 17:59:54] -  Key not found: HKLM\...\Winlogon\Notify\oppon, continuing.
[01/05/2007, 17:59:54] -  BHO 3: {7DA39570-5FD2-4f18-94B4-20730CB3F727} ()
[01/05/2007, 17:59:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2007, 17:59:54] -  Checking for HKLM\...\Winlogon\Notify\tsqbjkie
[01/05/2007, 17:59:55] -  Key not found: HKLM\...\Winlogon\Notify\tsqbjkie, continuing.
[01/05/2007, 17:59:55] -  BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/05/2007, 17:59:55] -  BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/05/2007, 17:59:55] - Finished Searching Browser Helper Objects
[01/05/2007, 17:59:55] - Finishing up...
[01/05/2007, 17:59:55] - Nothing found! Exiting...
SmitFraudFix v2.132
Scan done at 18:10:40.42, Fri 01/05/2007
Run from C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\migicons.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mom and Dad

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mom and Dad\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MOMAND~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 
Remaining logs in next posting (character limitation)

3.3K Posts

January 6th, 2007 02:00

You still have a Virtumonde/Vundo variant that's infecting your system. I've seen these stubborn variants only rarely because the utility is updated regularly...this one obviously hasn't made its way to the database yet. Rather than uploading the file for analysis (since we know what it is) and then having to wait for the updated utility, we can just remove it the old-fashioned way...it's a bit more involved but I think you'll do fine.

Let's do this:

  1. Print out these instructions as we will need to shut down every open window later in the fix.
  2. Please download Process Explorer by Sysinternals and extract it to your desktop. Do not run this now as we will use it later.
  3. Download KillBox and extract it to your desktop. Do not run this now as we will use it later.
  4. Click Here to download FixVundo.reg to your Desktop. Do not run this now as we will use it later.

  5. Reboot your computer into Safe Mode. You do that when you restart your computer by tapping on the F8 key repeatedly as soon as you see the first black screen. Continue tapping on the F8 key until you see the advanced logon menu. When the menu appears, select "Safe Mode". (Note: if tapping on the F8 key does not bring up the advanced logon menu, then try the reboot again, only this time begin tapping on the F5 key and follow the instructions as outlined above.)
  6. Double-click on procexp.exe, which is the Process Explorer that we downloaded earlier.
  7. In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
  8. Once you see this screen click on each instance of tsqbjkie.dll found and click on the Kill button. If you see any files listed that are the same name but end with .bak or .ini or are the name in reverse, you can kill those as well. (It would look like this: eikjbqst.dll.)
  9. After you have killed all of the instances of the DLL under winlogon click on the OK button.
  10. Now double-click on explorer.exe, select the Threads tab, and again click once on each instance of tsqbjkie.dll. Once they are highlighted click on the Kill button like you did in step 8. If you have disabled the BHO (O2) in some manner, you will not find this dll listed in this step and can move on.
  11. When this is done, click on the OK button again.
  12. Now run HijackThis again, close all windows, and press the Scan button.
  13. Place a check next to each of the following entries:
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O2 - BHO: (no name) - {6B86F301-DBA3-464F-B23F-68A97698B14D} - C:\WINDOWS\System32\oppon.dll (file missing)
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\tsqbjkie.dll
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O4 - HKLM\..\Run: C:\WINDOWS\System32\winamp.exe
    O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\System32\jinwahnj.dll",setvm
    O20 - AppInit_DLLs:

  14. Once all the entries are checked (make sure all other windows are closed), press the Fix button and then exit HijackThis.
  15. Now double-click on the FixVundo.reg file that you downloaded earlier and allow it to merge the information.
  16. Double-click on Killbox.exe that you downloaded and extracted earlier. Select the delete on reboot option. Then enter the full path to the DLL into the file to delete field by copying and pasting the following: C:\WINDOWS\System32\tsqbjkie.dll

  17. Click the red circle with the white X and select Yes to the delete prompt and then Yes to reboot now. When your computer comes back up, visit at least two of these web sites and run a full system scan:
    F-Secure Online Scanner
    BitDefender
    TrendMicro

    Follow the prompts if the scans find anything and do what it recommends.

    Please open your on-board AVG Anti-Spyware application you downloaded earlier.
  18. On the main screen select the icon Update then click the Start Update button.
  19. The update will start and a progress bar will show the updates being installed.
  20. Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  21. Once in the Settings screen click on Recommended actions and then select Quarantine.
  22. Under Reports, select Automatically generate report after every scan and un-select Only if threats were found.
  23. Close AVG anti-spyware.

    Please boot into Safe mode:

    Restart the computer and immediately begin tapping the F8 key (or F5 on some Dell machines).
    Use the arrow keys to highlight Safe Mode and press the Enter key. Once in safe mode, continue with the instructions below:


    1. Launch AVG anti-spyware by double-clicking the icon on your desktop.
    2. Select the Scanner icon at the top, then the Scan tab then click on Complete System Scan.
    3. AVG Anti-spyware will now begin the scanning process, be patient this may take some time.
    4. When prompted of an infection, please select Apply all actions
    5. Once the scan is complete do the following:
      • Next select the Reports icon at the top.
      • Select the Save report as button in the lower left hand of the screen and save it to your Desktop.
      Now close AVG anti-spyware.
      Reboot back to your normal mode and post the AVG scan log along with a fresh HijackThis log. Thanks!
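The triage behind the last two replies (and behind the VirtumundoBeGone log above) follows a small set of rules: a BHO or toolbar with no default name is suspect, and the tool then looks for a Winlogon\Notify subkey named after the DLL; an entry whose file is missing is an orphaned registry key; a Run entry that loads a DLL through rundll32.exe, or a populated AppInit_DLLs value, is a persistence hook. The following is an added example, not code from this thread or from any of the tools it names, that applies those rules offline to a few lines copied from the HijackThis log posted above. The "random-looking name" test (5 to 8 lowercase letters in System32) is my own heuristic, and the script only computes the Winlogon\Notify key a responder would check on the live machine; it does not read the registry.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis log posted in this
# thread (O2/O3/O4/O20 entries), so the script runs offline without the real log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {6B86F301-DBA3-464F-B23F-68A97698B14D} - C:\WINDOWS\System32\oppon.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\tsqbjkie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\jinwahnj.dll",setvm
O20 - AppInit_DLLs:
"""

# Key that VirtumundoBeGone checks for a nameless BHO (see its log above).
NOTIFY_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

# O2 (BHO) and O3 (toolbar) lines share one shape: name - {CLSID} - path [(file missing)]
HOOK_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 Run entries: hive\..\Run: [label] command line
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
DLL_IN_CMD_RE = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.IGNORECASE)
# Heuristic (assumption, not a rule from the thread): Vundo droppers of this era
# used names like tsqbjkie/jinwahnj, i.e. 5-8 lowercase letters, no digits.
GENERATED_NAME_RE = re.compile(r"[a-z]{5,8}")


@dataclass
class Finding:
    section: str
    path: str
    reasons: List[str]
    notify_key: Optional[str] = None  # only set for nameless BHOs/toolbars


def dll_basename(path: str) -> str:
    """'C:\\WINDOWS\\System32\\tsqbjkie.dll' -> 'tsqbjkie' (ntpath works on any OS)."""
    return ntpath.splitext(ntpath.basename(path))[0]


def looks_generated(path: str) -> bool:
    """Signal, never a verdict: random-looking name living directly in System32."""
    if not ntpath.dirname(path).lower().endswith("\\system32"):
        return False
    return bool(GENERATED_NAME_RE.fullmatch(dll_basename(path)))


def analyze_line(line: str) -> Optional[Finding]:
    line = line.rstrip()
    m = HOOK_RE.match(line)
    if m:
        path, reasons = m["path"], []
        if m["name"] == "(no name)":
            reasons.append("BHO/toolbar has no default name")
        if m["missing"]:
            reasons.append("referenced file is missing (orphaned registry entry)")
        if looks_generated(path):
            reasons.append("random-looking DLL name in System32 (heuristic)")
        if not reasons:
            return None
        notify = NOTIFY_KEY + dll_basename(path) if m["name"] == "(no name)" else None
        return Finding(m["section"], path, reasons, notify)
    m = RUN_RE.match(line)
    if m:
        dll = DLL_IN_CMD_RE.search(m["cmd"])
        if dll and "rundll32" in m["cmd"].lower():
            reasons = ["Run entry loads a DLL through rundll32.exe"]
            if looks_generated(dll[1]):
                reasons.append("random-looking DLL name in System32 (heuristic)")
            return Finding("O4", dll[1], reasons)
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        value = line[len("O20 - AppInit_DLLs:"):].strip()
        if value:  # empty value (as in the posted log) is the normal state
            return Finding("O20", value, ["AppInit_DLLs is set: the DLL loads into every process that maps user32.dll"])
        return None
    return None


def analyze(text: str) -> List[Finding]:
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


def report(text: str) -> str:
    out = []
    for f in analyze(text):
        out.append(f"[{f.section}] {f.path}")
        out.extend(f"    - {r}" for r in f.reasons)
        if f.notify_key:
            out.append(f"    - on the live system, also check {f.notify_key}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, the script flags the three nameless O2 entries, the orphaned O3 toolbar and the rundll32 Run entry, and leaves the Norton BHO, ccApp and the empty AppInit_DLLs value alone; for tsqbjkie.dll it names the Winlogon\Notify\tsqbjkie key, which is exactly the key VirtumundoBeGone reported as "not found" for that DLL, so the thread's fallback to killing the thread by hand is what this triage would point at too.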
