3.3K Posts

April 29th, 2007 01:00

Greetings Pewan42 and Welcome to the Forums...I see you've managed to amass quite a collection of trojans. Let's get busy removing them.


Please select and install one of these free Firewall applications:
ZoneAlarm Free Version
Outpost Free
Kerio

When the installation completes successfully, reboot the computer.



Please download the KILLBOX, extract it to your desktop.
DO NOTHING ELSE WITH IT YET.



Download AVG Anti-Spyware v7.5
( This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
  • Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
  • Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

Close the application and reboot the computer into Safe mode. Once in safe mode continue with the instructions below:

Open the AVG Anti-Spyware application and click the "Scan" tab.
Click "Complete System Scan" to start.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\

Exit AVG Anti-Spyware when done.



Open killbox.exe. First click on Tools-->Delete Temp Files. A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well. Next, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".

Once back into the main killbox program, check the box Delete on Reboot.

Highlight the entries below in Bold text and then copy them.

C:\PROGRA~1\XXXTOO~1\GLOBAL~1.DLL
C:\WINDOWS\system32\vaqntgbl.dll
C:\WINDOWS\system32\swkekeyo.dll
C:\WINDOWS\system32\fquxwyhd.exe

Then in killbox click File-->Paste from Clipboard. Click the "All Files" button. Then click the Red X... and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click No for now.
Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X... and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until you've completed the instructions below.



Please run HijackThis again and check the box next to the following entries that may still exist:
R3 - URLSearchHook: GlobalsearchHook - {1217CC80-9AC7-48E2-A7D9-596CCF8E077E} - C:\PROGRA~1\XXXTOO~1\GLOBAL~1.DLL
O3 - Toolbar: XXX.O2.CZ toolbar - {3A522579-39C4-42EE-A155-84E90B1070D0} - C:\PROGRA~1\XXXTOO~1\GLOBAL~1.DLL
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\vaqntgbl.dll",setvm
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\swkekeyo.dll",realset
O4 - HKLM\..\Run: "C:\WINDOWS\system32\fquxwyhd.exe" -c


Close all windows now except for the HijackThis application's window, then click the Fix Checked button.

Reboot the computer and post the AVG Anti-Spyware log along with a fresh HijackThis log. How is the system running now? Are you having any other issues? Thanks!
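As an added illustration (not part of the original thread or of HijackThis itself), the script below parses the five HijackThis entries quoted in the post above and lists the distinct files they load. The sample log is copied from the post; the parser, the `HJTEntry` fields and the injectable `exists` callback are assumptions of this example. Its output is the same four paths the helper put in the Killbox list, which is the relationship a reader of such a thread should recognise: the Killbox targets are derived from the files the autorun entries point at, and the HijackThis "Fix Checked" step only removes the registry/COM references, not the files.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the five HijackThis entries the helper asked to fix, copied from the post.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: GlobalsearchHook - {1217CC80-9AC7-48E2-A7D9-596CCF8E077E} - C:\PROGRA~1\XXXTOO~1\GLOBAL~1.DLL
O3 - Toolbar: XXX.O2.CZ toolbar - {3A522579-39C4-42EE-A155-84E90B1070D0} - C:\PROGRA~1\XXXTOO~1\GLOBAL~1.DLL
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\vaqntgbl.dll",setvm
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\swkekeyo.dll",realset
O4 - HKLM\..\Run: "C:\WINDOWS\system32\fquxwyhd.exe" -c
"""


@dataclass
class HJTEntry:
    section: str          # HijackThis section code: R3, O3, O4, ...
    kind: str             # what the section describes: URLSearchHook, Toolbar, HKLM\..\Run
    name: str             # display name (R3/O3) or the full Run command (O4)
    clsid: Optional[str]  # COM class id for hook/toolbar entries, None for Run entries
    path: Optional[str]   # the on-disk file the entry loads, if one could be found


# "<section> - <kind>: <rest>"; the kind never contains a colon, the rest may.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# A drive-letter path ending in .dll or .exe, optionally wrapped in double quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]+?\.(?:dll|exe))"?', re.I)


def parse_hjt_line(line: str) -> Optional[HJTEntry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    clsid_m = CLSID_RE.search(rest)
    path_m = PATH_RE.search(rest)
    # CLSID-style entries read "<name> - {CLSID} - <file>"; Run entries are just a command.
    name = rest.split(" - ")[0] if clsid_m else rest
    return HJTEntry(section, kind, name,
                    clsid_m.group(0) if clsid_m else None,
                    path_m.group(1) if path_m else None)


def parse_hjt_log(text: str) -> List[HJTEntry]:
    return [e for e in (parse_hjt_line(ln) for ln in text.splitlines()) if e]


def unique_paths(entries: List[HJTEntry]) -> List[str]:
    """Distinct files referenced by the entries, first-seen order, case-insensitive."""
    seen, out = set(), []
    for e in entries:
        if e.path and e.path.lower() not in seen:
            seen.add(e.path.lower())
            out.append(e.path)
    return out


def still_present(entries: List[HJTEntry], exists: Callable[[str], bool]) -> List[HJTEntry]:
    """Entries whose file still exists; `exists` is injected (e.g. os.path.exists) so this runs offline."""
    return [e for e in entries if e.path and exists(e.path)]


if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_HJT_LOG)
    for e in entries:
        print(f"{e.section:3} {e.kind:<14} clsid={e.clsid} path={e.path}")
    print("files to remove:", *unique_paths(entries), sep="\n  ")
```

On a live system you would call `still_present(entries, os.path.exists)` after the reboot to confirm the Killbox deletions took effect before posting a fresh log.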

25 Posts

May 9th, 2007 17:00

TrackingCookie.Casalemedia : Cleaned.
:mozilla.261:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.789:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cz11.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.730:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.846:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.141:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan rastogi@CA135BYF.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan rastogi@CA5U8J5G.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan rastogi@CANB20QM.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan rastogi@CAW8K04U.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[10].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[4].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[5].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed:emotion-14:.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[7].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed:emotion-29:.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@cpvfeed[9].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.26:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.215:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.216:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.221:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.222:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.223:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.792:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.217:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.218:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.219:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.220:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@findwhat[2].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@hit.gemius[1].txt -> TrackingCookie.Gemius : Cleaned.
:mozilla.354:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.355:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.414:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.619:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.720:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.721:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.869:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.870:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.887:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.888:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.889:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.969:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.970:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@ehg-maniatv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@ehg-pcsecurityshield.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.826:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.691:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.692:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.472:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.473:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.635:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.636:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.637:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.638:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.639:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.50:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.51:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.147:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.148:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.446:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.396:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.200:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.201:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.202:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.203:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

25 Posts

May 9th, 2007 17:00

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:46:12 AM 5/1/2007

+ Scan result:



C:\windows\Temp\bw2.com -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Documents and Settings\PAWAN RASTOGI\Local Settings\Temp\n2132ina.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\windows\Temp\B3D24.tmp/Quicklinks.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\windows\system32\amkmpmrv.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\windows\system32\bystjjqv.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\windows\system32\cumybwum.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\windows\system32\jtojxtfl.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\windows\system32\kxihlvyg.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\windows\system32\obbilkfx.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP666\A0091065.exe -> Downloader.Agent.bhc : Cleaned with backup (quarantined).
C:\windows\system32\~.exe -> Downloader.Agent.bhc : Cleaned with backup (quarantined).
C:\windows\Temp\!update.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP666\A0091064.dll -> Logger.BZub.ndh : Cleaned with backup (quarantined).
C:\windows\system32\ipv6monl.dll -> Logger.BZub.ndh : Cleaned with backup (quarantined).
C:\Documents and Settings\PAWAN RASTOGI\Local Settings\Temp\rb8hju16.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\PAWAN RASTOGI\Local Settings\Temp\6qzsv4sk.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\windows\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\windows\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
:mozilla.265:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.100:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.101:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.102:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.103:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.447:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.458:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.727:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.78:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.79:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.83:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.87:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.88:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.89:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.90:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.93:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.94:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.96:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.97:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.98:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.99:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@tcompany.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.733:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.734:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.907:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.324:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@adrenaline[1].txt -> TrackingCookie.Adrenaline : Cleaned.
:mozilla.178:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.179:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.180:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.181:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.182:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.183:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.184:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.185:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@track.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.52:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.53:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.55:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.56:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.25:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.669:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\PAWAN RASTOGI\Cookies\pawan_rastogi@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.427:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.756:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.299:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.275:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.287:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.289:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.290:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.256:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.257:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.258:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.259:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.260:C:\Documents and Settings\PAWAN RASTOGI\Application Data\Mozilla\Firefox\Profiles\u87aiqpq.Default User\cookies.txt ->

25 Posts

May 9th, 2007 20:00

The forum is not allowing me to post any more. But if you want to know, the firewall made me go crazy and I had to uninstall it from my computer. I still get popups from Zedo, Winantivirus, etc. My computer also began to freeze yesterday. I would restart and then every time I would open a program it would freeze. I pressed ctrl-alt-delete and went to processes, and saw that "svchost.exe" was using 98-100% of the CPU Usage, so when I end that process my laptop works. But now, my laptop doesn't recognize its built in speakers and I am unable to play any music, it keeps saying that there is no sound device installed...

3.3K Posts

May 9th, 2007 21:00

Reinstall the firewall. Rename your HijackThis application to "analyze.exe" and post a fresh HijackThis log.

Message Edited by 1972vet on 05-09-2007 05:52 PM

25 Posts

May 9th, 2007 22:00

Logfile of HijackThis v1.99.1
Scan saved at 6:57:40 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PAWAN RASTOGI\Desktop\SpyWare Arsenal\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\asidrjji.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\PAWAN RASTOGI\Desktop\SpyWare Arsenal\Hijack\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133799012209
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

3.3K Posts

May 9th, 2007 22:00

Please read post #6 again.

25 Posts

May 10th, 2007 01:00

Logfile of HijackThis v1.99.1
Scan saved at 10:54:03 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\PAWAN RASTOGI\Desktop\SpyWare Arsenal\Hijack\analyze.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A95A1F1-269F-46A2-AB72-9D9EB2C181D7} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\system32\ipv6monl.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {9D2556F9-0C71-426D-A79A-AB1FDF4DECBC} - C:\WINDOWS\Registration\bverg.dll
O2 - BHO: (no name) - {A6093626-3070-42C0-89F5-43A67994A9Fc} - C:\WINDOWS\system32\yxfyeyus.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\deiocnvc.dll (disabled by BHODemon)
O2 - BHO: (no name) - {ECB35861-EFC7-4A3B-B5E4-88CC800D2F1F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\asidrjji.dll",realset
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\PAWAN RASTOGI\Desktop\SpyWare Arsenal\Hijack\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133799012209
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: bverg - C:\WINDOWS\Registration\bverg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Message Edited by Pewan42 on 05-09-2007 09:56 PM

3.3K Posts

May 10th, 2007 02:00

Well would you look at that...Hellooooo vundo!!! lol and he brought all his cousins with him.

Let's do this in steps. First we're going to uninstall your vulnerable version of Java (which I suspect is at least partially responsible for this malware infection).

  • Please follow these steps to remove older version Java components:

    1. Close any open programs you may have running, especially your web browser.

    2. Click Start-->Control Panel-->Add or Remove Programs.
    For those just reading this thread: depending on your OS, you may have to click Start-->Settings-->Control Panel-->Add or Remove Programs.

    3. Click once on any item listing Java Runtime Environment in the name (to highlight it), then click the "Remove" or "Change/Remove" button.
    Not every version of Java will begin with "Java", so be sure to read each entry in the list.

    Repeat step 3 as many times as necessary to remove all versions of Java.
    **If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

    4. Navigate to and delete this folder, if found:
    • C:\Program Files\Java

    5. Then go to this page. Scroll down to where it says "Java Runtime Environment (JRE) 6u1 - The Java SE Runtime Environment (JRE) allows end-users to run Java applications." and click the "Download" button to the right.

    6. Check the box that says "Accept License Agreement"; the page will refresh. Click on the link to download Windows Offline Installation, with or without Multi-language, and save it to your desktop.
    Then from your desktop double-click on the executable to install the newest version. Reboot when the installation completes.

  • Download combofix.exe and save it to your desktop.

    Open a blank Notepad. Save the command below in the blank Notepad as a text file so that you can copy/paste it while in safe mode, because you won't be able to read these instructions from your browser.
    "%userprofile%\desktop\combofix.exe" /wow

    Reboot the computer into Safe mode.

    Once in safe mode and logged in as an Administrator, please continue with the instructions below:

    Go to Start-->Run. Copy/paste the data you saved in the Notepad from the earlier instruction into the Run box and click "OK".

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    When finished, it will produce a log for you. Save the log to your Desktop and post that log in your next reply.

  • Next, please run HijackThis again and check the following entries that may still exist:
    O2 - BHO: (no name) - {1A95A1F1-269F-46A2-AB72-9D9EB2C181D7} - (no file)
    O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\system32\ipv6monl.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {9D2556F9-0C71-426D-A79A-AB1FDF4DECBC} - C:\WINDOWS\Registration\bverg.dll
    O2 - BHO: (no name) - {A6093626-3070-42C0-89F5-43A67994A9Fc} - C:\WINDOWS\system32\yxfyeyus.dll (file missing)
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\deiocnvc.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {ECB35861-EFC7-4A3B-B5E4-88CC800D2F1F} - (no file)
    O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\asidrjji.dll",realset
    O20 - Winlogon Notify: bverg - C:\WINDOWS\Registration\bverg.dll

    Close all windows now except for the HijackThis application's window, then click the Fix Checked button.

  • Open your on board AVG Anti-Spyware application and run a full system scan once more. When the scan completes, save the log and close the application.

    Boot back into your normal user mode.

  • In your next post, please include:
    A new hijackthis log
    Combofix log
    AVG Anti-Spyware Scan log
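For those following this thread, an added example that is not part of the original posts or of HijackThis itself: a small Python script that reads the O2, O4 and O20 lines of the second log above and applies the same selection 1972vet made (nameless BHOs, a Run entry that loads a DLL via rundll32.exe, and a Winlogon Notify DLL outside system32). The three heuristics, the Finding class and the function names are my own assumptions for illustration; it is a triage aid for reading a log, not a malware detector.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O2, O4 and O20 lines of the second HijackThis log
# posted in this thread (other sections omitted). Raw string, so the Windows
# paths keep their single backslashes.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A95A1F1-269F-46A2-AB72-9D9EB2C181D7} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\system32\ipv6monl.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {9D2556F9-0C71-426D-A79A-AB1FDF4DECBC} - C:\WINDOWS\Registration\bverg.dll
O2 - BHO: (no name) - {A6093626-3070-42C0-89F5-43A67994A9Fc} - C:\WINDOWS\system32\yxfyeyus.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\deiocnvc.dll (disabled by BHODemon)
O2 - BHO: (no name) - {ECB35861-EFC7-4A3B-B5E4-88CC800D2F1F} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\asidrjji.dll",realset
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O20 - Winlogon Notify: bverg - C:\WINDOWS\Registration\bverg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# One HijackThis entry is "Onn - <rest of line>"; CLSIDs are 36 hex/dash chars in braces.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Finding:            # hypothetical helper type, not a HijackThis concept
    section: str          # HijackThis section, e.g. "O2"
    entry: str            # the full line, as it would be ticked for Fix Checked
    reason: str           # which heuristic fired (assumption, see lead-in)


def parse_entries(log: str):
    """Yield (section, rest) for every 'Onn - ...' line; ignore everything else."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log: str) -> list[Finding]:
    """Apply the three review heuristics (assumptions, not HijackThis logic)."""
    findings = []
    for section, rest in parse_entries(log):
        reason = None
        if section == "O2" and rest.startswith("BHO: (no name)"):
            # A BHO that registers no name: every O2 entry ticked above is of this kind.
            reason = "nameless BHO"
        elif section == "O4" and "rundll32.exe" in rest.lower():
            # A Run key that loads a DLL through rundll32 deserves a look.
            reason = "Run key loads a DLL via rundll32"
        elif section == "O20" and "\\system32\\" not in rest.lower():
            # Winlogon Notify DLLs normally live in system32 (WgaLogon does).
            reason = "Winlogon Notify DLL outside system32"
        if reason:
            findings.append(Finding(section, f"{section} - {rest}", reason))
    return findings


def flagged_clsids(findings: list[Finding]) -> set[str]:
    """Upper-cased CLSIDs of the flagged entries, for comparing against a fix list."""
    out = set()
    for f in findings:
        m = CLSID_RE.search(f.entry)
        if m:
            out.add(m.group(0).upper())
    return out
```

Running `triage(SAMPLE_LOG)` on this sample returns exactly the eight entries 1972vet asked to be checked, and leaves the named Adobe, Java, Symantec, Outpost and WgaLogon entries alone.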