Hi, jmelvinjr,
Please print these instructions so you can refer to them easily. You will not have this page available when you are working in Safemode.
Next Step:
Download and install AVG Anti-Spyware 7.5 1. After download, double click on the file to launch the install process.
2. Choose a language, click "
OK" and then click "
Next".
3. Read the "
License Agreement" and click "
I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "
Next", then click "
Install".
5. After setup completes, click "
Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "
Status" menu will appear. Select "
Change state" to inactivate '
Resident Shield' and '
Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and
uncheck "
Start with Windows".
8. Go to Start > Run and type:
services.msc
Press "OK".
Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK" and close the Services window.
9. Select the "
Update" button and click "
Start update". Wait until you see the "
Update succesful message. If you are having problems with the updater, manually update with the
AVG Anti-Spyware Full database installer from
here. Exit AVG Anti-Spyware when done -
DO NOT perform a scan yet.
1. Run ComboFix:
Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with all other logs requested..
Note:
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Do not proceed with the rest of the fix if you fail to run combofix.
Reboot your computer in "
SAFE MODE" using the
F8 method. To do this, restart your computer and after hearing your computer beep once during startup press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with AVG Anti-Spyware as follows:
1. Launch AVG Anti-Spyware, click on the "
Scanner" button and choose the "
Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan?" check all (default).
Under "Possibly unwanted software" check all (default).
Under "What to Scan?" make sure "Scan every file" is selected (default).
Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "
Scan" tab to return to scanning options. 3. Click "
Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "
Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the
Apply all actions button. If you do, the log that is created will indicate "
No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?
5. Click on "
Save Report" to view all completed scans. Click on the most recent scan you just performed and select "
Save report as" - the default file name will be in date/time format as follows:
Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally.
Clean out your
Temporary Internet files. Proceed like this:
Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click Apply then OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
Please reboot.
You have disabled some items via MSCONFIG. Do you recall what they were? Were they files you did not recognize, or legitimate programs that you do not want running at Startup?
Please post your logs from from ComboFix, AVG Anti-Spyware, and a new HijackThis log.
Logfile of HijackThis v1.99.1 Scan saved at 9:58:07 PM, on 5/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
dxdllreg.exe is part of your Operating System, but it does not need to be running at Statrtup, so you can leave that as is.
glxvlygc.dll is definitely suspicious.
Please download the latest version of
VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\
vundofix.txt.)
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click YES
Once you click yes, your desktop will go blank as it starts removing
Vundo.
When completed, it will prompt that it will shutdown your computer,
click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not
remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot. ** If you get a warning about updating Java, do not do so until I can give you further instructions.
Please go to your HijackThis here:
C:\Program Files\Hijackthis\
HijackThis.exe Rename HijackThis.exe to
analyzer.exe.
Following that, please run a new scan with "analyzer" (actually HijackThis). Post the new log as well as the contents of C:\
vundofix.txt in your next reply. Let me know how things are running. Thanks.
Bugbatter
3 Apprentice
•
20.5K Posts
0
May 17th, 2007 12:00
Please print these instructions so you can refer to them easily. You will not have this page available when you are working in Safemode.
You seem to have more in there than Outerinfo.
Please download Combofix from here: http://download.bleepingcomputer.com/sUBs/combofix.exe
Or
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
** Take note that the links are case sensitive
Save ComboFix to the desktop.
DO NOT RUN IT YET.
Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Reboot and download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed
Reboot
Next Step: Download and install AVG Anti-Spyware 7.5
1. After download, double click on the file to launch the install process.
2. Choose a language, click " OK" and then click " Next".
3. Read the " License Agreement" and click " I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click " Next", then click " Install".
5. After setup completes, click " Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main " Status" menu will appear. Select " Change state" to inactivate ' Resident Shield' and ' Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck " Start with Windows".
8. Go to Start > Run and type: services.msc
- Press "OK".
- Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
- When you find the guard service, double-click on it.
- In the Properties Window > General Tab that opens, click the "Stop" button.
- From the drop-down menu next to "Startup Type", click on "Manual".
- Now click "Apply", then "OK" and close the Services window.
9. Select the " Update" button and click " Start update". Wait until you see the " Update succesful message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.1. Run ComboFix:
Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with all other logs requested..
Note:
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Do not proceed with the rest of the fix if you fail to run combofix.
Reboot your computer in " SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with AVG Anti-Spyware as follows:
1. Launch AVG Anti-Spyware, click on the " Scanner" button and choose the " Settings" tab.
- Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
- Under "How to Scan?" check all (default).
- Under "Possibly unwanted software" check all (default).
- Under "What to Scan?" make sure "Scan every file" is selected (default).
- Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the " Scan" tab to return to scanning options. 3. Click " Complete System Scan" to start.4. When the scan has finished you will be presented with a list of infected objects found. Click " Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate " No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?
5. Click on " Save Report" to view all completed scans. Click on the most recent scan you just performed and select " Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally.
Clean out your Temporary Internet files. Proceed like this:
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
Please reboot.
You have disabled some items via MSCONFIG. Do you recall what they were? Were they files you did not recognize, or legitimate programs that you do not want running at Startup?
Please post your logs from from ComboFix, AVG Anti-Spyware, and a new HijackThis log.
jmelvinjr
4 Posts
0
May 24th, 2007 02:00
AVG ANTI-SPYWARE REPORT:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:40:43 PM 5/23/2007
+ Scan result:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011142.dll -> Adware.BHO : Cleaned.
C:\WINDOWS\b122.exe.bin/b122.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011153.lnk -> Adware.Ucmore : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011154.lnk -> Adware.Ucmore : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011166.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011166.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011166.exe/empty_00000001 -> Adware.Ucmore : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\hggfcab.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\hgggghe.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnnlmk.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnoom.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqrrrss.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqrsrom.dll.vir -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011141.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011143.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011146.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011149.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012869.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012870.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012871.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012872.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012873.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012883.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011165.exe -> Adware.ZQuest : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011152.exe -> Downloader.PurityScan.eg : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0012766.exe -> Downloader.PurityScan.eg : Cleaned.
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D21M0303NetInstaller.exe -> Downloader.Small : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP356\A0011162.dll -> Hijacker.StartPage : Cleaned.
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@rotator.dex.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@rotator.its.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@infinite-ads[2].txt -> TrackingCookie.Infinite-ads : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@www.res99[2].txt -> TrackingCookie.Res99 : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@ads.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Sandy Riddle\Cookies\sandy riddle@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
jmelvinjr
4 Posts
0
May 24th, 2007 02:00
Hello Bugbatter,
Thank you for all your help. I am sending you the reports after the instructions you gave.
Also you asked about items disabled via MACONFIG, they are as follows:
dxdllreg
glxvlygo
I disabled them because I didn't recognize them. Please let me know if they should be enabled.
Ok so here are the reports:
COMBOFIX REPORT:
"Sandy Riddle" - 2007-05-23 20:25:01 Service Pack 2
ComboFix 07-05.24.4.V - Running from: "C:\Documents and Settings\Sandy Riddle\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\glwbvvbl.dll
C:\WINDOWS\system32\mgvqhvln.dll
C:\WINDOWS\system32\ymvnbwga.dll
C:\WINDOWS\system32\yuloqttv.dll
C:\WINDOWS\system32\hgggghe.dll
C:\WINDOWS\system32\nnnnlmk.dll
C:\WINDOWS\system32\pmnnoom.dll
C:\WINDOWS\system32\rqrrrss.dll
C:\WINDOWS\system32\rqrsrom.dll
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lbvvbwlg.ini
C:\WINDOWS\system32\nlvhqvgm.ini
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\hggfcab.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\Temp\17O7\tmpTF.log"
"C:\Temp\17O7"
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-23 ))))))))))))))))))))))))))))))))))
2007-05-23 20:19 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-16 21:19
2007-05-16 20:22
2007-05-16 20:21
2007-05-16 20:21
2007-05-16 10:27
2007-05-15 15:34
2007-05-14 20:06 89,756 --a------ C:\WINDOWS\b122.exe.bin
2007-05-14 20:03
2007-04-27 20:56 58,048 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-04-27 20:56 108,256 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-27 20:56
2007-04-27 20:56
2007-04-27 20:56
2007-04-27 20:56
2007-04-27 20:29 34,468 --------- C:\WINDOWS\hpomdl03.dat
2007-04-27 20:29 29,234 --a------ C:\WINDOWS\hpoins03.dat
2007-04-27 20:27 77,824 -ra------ C:\WINDOWS\system32\hpovst08.dll
2007-04-27 20:27 565,248 -ra------ C:\WINDOWS\system32\hpotscl.dll
2007-04-27 20:18
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-17 01:11:05 -------- d-----w C:\Program Files\GemMaster
2007-05-15 02:21:20 -------- d-----w C:\Program Files\Windows Plus
2007-04-28 01:33:27 -------- d-----w C:\Program Files\HP
2007-04-28 01:26:14 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-13 20:08:31 -------- d--h--w C:\DOCUME~1\SANDYR~1\APPLIC~1\Gtek
2007-04-13 19:49:50 -------- d-----w C:\Program Files\DellSupport
2007-03-22 02:02:10 -------- d-----w C:\DOCUME~1\SANDYR~1\APPLIC~1\AdobeUM
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 05:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-08-11 03:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-10 20:24]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 18:50]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsUpdate]
rundll32.exe "C:\WINDOWS\system32\glxvlygc.dll",realset
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe
*Newly Created Service* -AVGASCLN
Contents of the 'Scheduled Tasks' folder
2007-04-28 01:37:30 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1177724038.job
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 20:30:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-23 20:32:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-23 20:32
--- E O F ---
I can't exceed 20000 characters so I will post the other reports on another post
Thank you again,
Roger
jmelvinjr
4 Posts
0
May 24th, 2007 02:00
HIJACKTHIS REPORT:
Logfile of HijackThis v1.99.1
Scan saved at 9:58:07 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/ns/TrueSwitchEC.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
OK Thats all of them,
Thank you again for all of your help, please let me know what you think.
Bugbatter
3 Apprentice
•
20.5K Posts
0
May 24th, 2007 15:00
dxdllreg.exe is part of your Operating System, but it does not need to be running at Statrtup, so you can leave that as is.
glxvlygc.dll is definitely suspicious.
Please download the latest version of VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\ vundofix.txt.)
Note: It is possible that VundoFix encountered a file it could not
remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. ** If you get a warning about updating Java, do not do so until I can give you further instructions.
Please go to your HijackThis here:
C:\Program Files\Hijackthis\ HijackThis.exe
Rename HijackThis.exe to analyzer.exe.
Following that, please run a new scan with "analyzer" (actually HijackThis). Post the new log as well as the contents of C:\ vundofix.txt in your next reply. Let me know how things are running. Thanks.