Full Version: HijackThis Log
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
BloodPlus
Hi, I need advice on what to delete here. I'm new to this, and I really want to get rid of all the malware etc. on my computer.

Logfile of HijackThis v1.99.1
Scan saved at 1:38:30 AM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ljujzyx.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\win3208220-1335809.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ljujzyxA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\pwinqqag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
c:\windows\system32\ppdsrego.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Genina\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.intermute.com/hp_update/?220=7B...24633304537317D
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dmoivwe.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\javaftp.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [win3208220-1335809] C:\WINDOWS\win3208220-1335809.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ljujzyxA] C:\WINDOWS\ljujzyxA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [{12-2B-B3-3C-ZN}] c:\windows\system32\ppdsrego.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinqqag.exe GID003
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinqqag.exe
O4 - Startup: ZMatrix.lnk = C:\Program Files\ZMatrix\matrix.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://webapps.sbux.com/Citrix/ICAWEB/en/ica32/ica32t.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: javaftp - C:\WINDOWS\Help\Tours\javaftp.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\SYSTEM32\jkhhg.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o8pq0i75e8.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\j0j6la1s1d.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

AndyManchesta
Hi BloodPlus, Welcome To The Forum smile.gif

There are some nasty infections showing in the log (Trojan Conhook, Look2me, Vundo, Agobot) and malware using the genuine userinit.exe and winlogon.exe to run all the time on your system. This may take a few steps to get the PC clean, but just let me know if you have any questions or problems.

First of all, you may want to print out this post or copy it to notepad and save it so that you have a hard copy of these instructions as you will need to reboot during the fix.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt back on here.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Next download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt back on here.
Download the attached file below (BloodPlusFix.zip) and save it to your desktop. Close all open browser and other windows, then right-click the folder and choose Extract All. Open the folder and double-click BloodPlusFix.bat to start the script. Your desktop icons and taskbar will disappear while the script runs, then return again when it's finished. It will attempt to stop all the malware files showing in your log, then remove them and restore the UserInit and URLSearchHook registry keys.

When the script is finished it will open the results in Notepad and save them to the C: drive in a file named files.txt. Can you post the contents of that text file back?


Run Hijack This and choose Do A System Scan, then place a check next to any of these entries that remain:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dmoivwe.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhg.dll

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\javaftp.dll

O4 - HKLM\..\Run: [win3208220-1335809] C:\WINDOWS\win3208220-1335809.exe

O4 - HKLM\..\Run: [ljujzyxA] C:\WINDOWS\ljujzyxA.exe

O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe

O4 - HKLM\..\Run: [{12-2B-B3-3C-ZN}] c:\windows\system32\ppdsrego.exe GID003

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinqqag.exe GID003

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinqqag.exe

O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe

O20 - Winlogon Notify: javaftp - C:\WINDOWS\Help\Tours\javaftp.dll

O20 - Winlogon Notify: jkhhg - C:\WINDOWS\SYSTEM32\jkhhg.dll

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o8pq0i75e8.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\j0j6la1s1d.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button.

Reboot the PC and then post back the Look2Me-Destroyer.txt, Vundofix.txt and files.txt, which will all be saved on the C: drive, and post a new Hijack This log.

All The Best

Andy
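A small log-triage script, added here as an illustration and not part of the thread, of HijackThis or of Andy's fix: it parses the F2, O2, O4 and O20 lines quoted above and flags the patterns Andy singled out (the extra UserInit entry, Winlogon Notify DLLs and autoruns with random names or odd locations). The sample lines are copied from BloodPlus's log; the `looks_random` heuristic and the "executable in the C:\WINDOWS root" rule are this example's own assumptions, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied verbatim from BloodPlus's HijackThis v1.99.1 log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dmoivwe.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhg.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ljujzyxA] C:\WINDOWS\ljujzyxA.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinqqag.exe GID003
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: javaftp - C:\WINDOWS\Help\Tours\javaftp.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\SYSTEM32\jkhhg.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\j0j6la1s1d.dll (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag: F2, O2, O4, O20
    line: str     # the raw log line
    reason: str   # why the heuristic flagged it


def base_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\jkhhg.dll' -> 'jkhhg'."""
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Assumed heuristic: no vowels at all (jkhhg) or digits mixed into the
    letters (j0j6la1s1d). Deliberately narrow; it misses names like pwinqqag."""
    s = stem.lower()
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    no_vowel = not (set(s) & set("aeiou"))
    return (has_digit and has_alpha) or (no_vowel and len(s) >= 4)


def o4_target(line: str) -> str:
    """Launched path of an O4 entry, without surrounding quotes or arguments."""
    if "] " in line:
        rest = line.split("] ", 1)[1].strip()
    elif ".lnk = " in line:
        rest = line.split(".lnk = ", 1)[1].strip()
    else:
        return ""
    m = re.match(r'(?i)"([^"]+)"|(.+?\.exe)\b', rest)
    return (m.group(1) or m.group(2)) if m else rest.split(" ")[0]


def analyze(log_text: str) -> List[Finding]:
    """Apply the per-section checks to every line and collect the findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        flag = lambda reason: findings.append(Finding(section, line, reason))
        if section == "F2" and "UserInit=" in line:
            # UserInit is a comma-separated list; only userinit.exe belongs in
            # it. Every extra entry is started by winlogon at each logon.
            entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",")]
            for extra in [e for e in entries[1:] if e]:
                flag(f"extra UserInit entry: {extra}")
        elif section == "O2":
            # Browser Helper Objects load into every Internet Explorer process.
            path = line.rsplit(" - ", 1)[-1]
            if "(no name)" in line:
                flag("unnamed BHO")
            if looks_random(base_stem(path)):
                flag(f"random-looking BHO DLL: {base_stem(path)}")
        elif section == "O4":
            target = o4_target(line)
            if target and "\\" not in target:
                # A bare file name is resolved through PATH at logon.
                flag(f"bare file name resolved via PATH: {target}")
            elif re.match(r"(?i)c:\\windows\\[^\\]+$", target):
                # Installed products rarely autorun straight from C:\WINDOWS.
                flag(f"autorun executable in C:\\WINDOWS root: {target}")
        elif section == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe itself.
            m = re.search(r"Winlogon Notify: .+? - (.+?)(?: \(file missing\))?$", line)
            if m:
                path = m.group(1)
                if line.endswith("(file missing)"):
                    flag("notify DLL already missing on disk")
                if "\\system32\\" not in path.lower():
                    flag(f"notify DLL outside system32: {path}")
                if looks_random(base_stem(path)):
                    flag(f"random-looking notify DLL: {base_stem(path)}")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:50} | {f.line}")
```

The narrow heuristics leave pwinqqag.exe in system32 unflagged, which is why a human reviewer still checks every O4 entry against the software actually installed rather than relying on name patterns alone.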
BloodPlus

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/21/2006 2:26:03 PM

Infected! C:\WINDOWS\system32\enrml1911.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070334.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070352.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070354.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070377.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP262\A0070407.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP264\A0070703.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070977.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070978.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070979.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070980.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070981.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070982.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071026.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071027.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071064.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071065.dll
Infected! C:\WINDOWS\system32\enrml1911.dll
Infected! C:\WINDOWS\system32\hzovst08.dll
Infected! C:\WINDOWS\system32\ktnql7551.dll
Infected! C:\WINDOWS\system32\q4psle771h.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\enrml1911.dll
C:\WINDOWS\system32\enrml1911.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070334.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070334.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070352.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070352.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070354.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070354.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070377.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP261\A0070377.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP262\A0070407.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP262\A0070407.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP264\A0070703.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP264\A0070703.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070977.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070977.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070978.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070978.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070979.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070979.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070980.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070980.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070981.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070981.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070982.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0070982.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071026.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071026.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071027.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071027.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071064.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071064.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071065.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0071065.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enrml1911.dll
C:\WINDOWS\system32\enrml1911.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hzovst08.dll
C:\WINDOWS\system32\hzovst08.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktnql7551.dll
C:\WINDOWS\system32\ktnql7551.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q4psle771h.dll
C:\WINDOWS\system32\q4psle771h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9EAFF648-9866-433B-9A43-968AF138CEFF}"
HKCR\Clsid\{9EAFF648-9866-433B-9A43-968AF138CEFF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{118C0082-EED1-441E-9D87-7E4113B3EE5E}"
HKCR\Clsid\{118C0082-EED1-441E-9D87-7E4113B3EE5E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{453497E8-FB7D-41B6-82CA-BEA5AB186C69}"
HKCR\Clsid\{453497E8-FB7D-41B6-82CA-BEA5AB186C69}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AF44902A-3094-47ED-AB74-E3342A0C060F}"
HKCR\Clsid\{AF44902A-3094-47ED-AB74-E3342A0C060F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DEAAF791-1833-4631-812A-31BD4DED0EE3}"
HKCR\Clsid\{DEAAF791-1833-4631-812A-31BD4DED0EE3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{81713CBE-2A2A-403C-A876-F7215AABF997}"
HKCR\Clsid\{81713CBE-2A2A-403C-A876-F7215AABF997}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3B2BC240-D06B-4F7D-BB81-F73B9CA618CB}"
HKCR\Clsid\{3B2BC240-D06B-4F7D-BB81-F73B9CA618CB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C4236810-8498-4EDB-A7E9-56FE5B93C5FD}"
HKCR\Clsid\{C4236810-8498-4EDB-A7E9-56FE5B93C5FD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0484C445-13E7-496E-853D-BA01B61ABA25}"
HKCR\Clsid\{0484C445-13E7-496E-853D-BA01B61ABA25}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



VundoFix V4.2.71

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 2:54:28 PM 4/21/2006

Listing files found while scanning....

C:\WINDOWS\Help\Tours\javaftp.dll
C:\WINDOWS\Help\Tours\ptfavaj.ini
C:\WINDOWS\Help\Tours\ptfavaj.bak2
C:\WINDOWS\Help\Tours\ptfavaj.ini2
C:\WINDOWS\Help\Tours\ptfavaj.tmp
C:\WINDOWS\system32\jkhhg.dll

C:\WINDOWS\Help\Tours\ptfavaj.ini2
C:\WINDOWS\Help\Tours\ptfavaj.bak2
C:\WINDOWS\Help\Tours\ptfavaj.tmp
C:\WINDOWS\Help\Tours\ptfavaj.ini
C:\WINDOWS\Help\Tours\ptfavaj.ini2
C:\WINDOWS\Help\Tours\javaftp.dll
Attempting to delete C:\WINDOWS\Help\Tours\javaftp.dll
C:\WINDOWS\Help\Tours\javaftp.dll Has been deleted!

Attempting to delete C:\WINDOWS\Help\Tours\ptfavaj.ini
C:\WINDOWS\Help\Tours\ptfavaj.ini Has been deleted!

Attempting to delete C:\WINDOWS\Help\Tours\ptfavaj.bak2
C:\WINDOWS\Help\Tours\ptfavaj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Help\Tours\ptfavaj.ini2
C:\WINDOWS\Help\Tours\ptfavaj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\Help\Tours\ptfavaj.tmp
C:\WINDOWS\Help\Tours\ptfavaj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Could not be deleted.

Performing Repairs to the registry.
Done!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Files ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**C:\WINDOWS\ljujzyx.exe**
**C:\WINDOWS\win3208220-1335809.exe**
**C:\WINDOWS\ljujzyxA.exe**
**C:\WINDOWS\errorhandler.exe**
**C:\WINDOWS\system32\pwinqqag.exe**
**C:\WINDOWS\system32\ppdsrego.exe**
**C:\WINDOWS\system32\dwdsregt.exe**
**C:\WINDOWS\system32\jkhhg.dll**
Volume in drive C is HP_PAVILION
Volume Serial Number is B061-2B3C

Directory of C:\WINDOWS\system32

09/15/2005 08:41 PM 26,125 jkhhg.dll
1 File(s) 26,125 bytes
0 Dir(s) 167,070,576,640 bytes free
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Files Remaining ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: ZMatrix.lnk = C:\Program Files\ZMatrix\matrix.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://webapps.sbux.com/Citrix/ICAWEB/en/ica32/ica32t.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



Thank you for all the help. I do believe that all the malware is gone now. I have a question: after I did a Fix Checked on HijackThis, I now have a folder called "backups". Are these the backup files for the malware? Can I delete them?
AndyManchesta
Thanks for the logs. The removers worked great and removed everything they found, but I think we should run a couple more scanners to make sure there are no remaining problems. The backups folder is the registry entries that Hijack This removed; it creates them in case any mistakes are made and something needs restoring. Everything Hijack This fixed was malware related, so there is no need to keep the backups. You can clear them by opening Hijack This and choosing Open the Misc Tools section, then pressing the Backups button at the top of the screen. If you want to remove them all, press the Delete All button; it will then show a message about never knowing when you might need the backups and asking if you are sure you want to remove them. Click Yes and they will be removed.

Can you post a full Hijack This log, as the last one only started at the O3 entries, and also post the contents of the Add/Remove screen? Then run Ewido Anti-Malware & Pandascan to make sure there is nothing left on your PC.

Open Hijackthis, In the lower right corner click the "Config..." (Configuration) button.
Once in the "Configuration" panel, click "Misc Tools" button.
Then click the "Open Uninstall Manager..." button.
The "Add/Remove Programs Manager" panel should appear.
In this panel click the "Save list" button.
Save the "uninstall_list.txt" file to your desktop and copy and paste the contents of the "uninstall_list.txt" file back on here.


Next download Ewido Anti-Malware from HERE
  • When installing, under "Additional Options" uncheck "Install background guard"
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"),
  • Click on the Scanner button in the left menu, then click Complete System Scan.
If ewido finds anything, it will pop up a notification. You can select Remove and check the boxes Perform action with all infections and Create encrypted backup before clicking on OK.
When the scan finishes, click on Save Report. This will create a text file that you can save to the desktop and post back.


Finally run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.


Cheers

Andy
BloodPlus
HijackThis uninstall_list.txt:

ACDSee 6.0 PowerPack
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Illustrator CS
Adobe Photoshop CS
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
Agere Systems PCI Soft Modem
AIM Toolbar
AirPlus Xtreme G
America Online (Choose which version to remove)
ANIO Service
ANIWZCS Service
AnyDVD
AOL (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AutoCAD 2005 - English
Autodesk DWF Viewer
BitTorrent 4.4.1
CC_ccProxyExt
ccCommon
ccPxyCore
CloneDVD2
Combined Community Codec Pack 2006-01-18 (Remove Only)
Enhanced Ads by Zeno removal
GameGuard
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZplus450
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
KBD
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia FreeHand MXa
Macromedia Shockwave Player
MapleStory
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Encarta Encyclopedia Deluxe 2004
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Works
MicroStaff WINASPI
Mozilla Firefox (1.5)
MSRedist
muvee autoProducer 3.5 magicMoments - HPD
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Norton WMI Update
Paint.NET v2.6 Beta 1
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Serials 2000
Shockwave
Sonic Express Labeler
Sonic RecordNow!
Sony DVD Handycam USB Driver
SPBBC
Speakonia
SymNet
UDF File System Driver
Ulead DVD MovieFactory 3 Suite
Ulead Photo Explorer 8.0 SE
Ulead Photo Express My Scrapbook 2.0
Ulead VideoStudio 7 SE DVD
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Updates from HP
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Zeno Search Assistant removal
ZMatrix 1.5.2

PandaScan:


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Genina\Application Data\Mozilla\Firefox\Profiles\w1ul521b.default\cookies.txt[]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Genina\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fg1r9k4h.default\cookies.txt[]
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\GLFBGLFB.EXE
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/New.net Not disinfected C:\NNSCAA638.EXE
Adware:Adware/SearchAid Not disinfected C:\Program Files\Network Monitor\netmon.exe
Adware:Adware/Yazzle Not disinfected C:\RECYCLER\S-1-5-21-3370023930-3335621272-1648220074-1009\Dc3.exe
Adware:adware/deskwizz Not disinfected C:\WINDOWS\dh.ini
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\keyboard12.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\newname.dat
Adware:adware/popper Not disinfected C:\WINDOWS\offun.exe
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\pf78bb.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\ad.html
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddayv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddccc.dll
Adware:Adware/StartPage.AIW Not disinfected C:\WINDOWS\system32\mljji.dll
Adware:Adware/StartPage.AIW Not disinfected C:\WINDOWS\system32\sstqo.dll
Adware:Adware/StartPage.AIW Not disinfected C:\WINDOWS\system32\vtsqq.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vturo.dll
Virus:Trj/Keylog.GA Disinfected C:\WINDOWS\system32\vturp.dll
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Temp\Cookies\genina@stats1.reliablestats[2].txt

Unfortunately, the Ewido Anti-Malware program ran too long. At 58.9 % it had already run for 238 mins.
Do I just delete the adware the PandaScan reported?
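The Panda report above is a flat text list, and the question it raises (which entries are worth acting on) is easier to answer once the lines are parsed. The following is an added example, not code from the thread or from Panda: it parses lines in the report's shape (category, detection name, status, path) and sorts them into triage buckets the way a helper reads them, treating tracking cookies, "Potentially unwanted tool" entries, already-disinfected files and DLLs under system32 differently. The sample report is a constructed excerpt of the lines posted above; the bucket names and the `parse_report`/`triage` functions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Panda ActiveScan report posted in the
# thread (a few of its lines, not the complete report).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Genina\Application Data\Mozilla\Firefox\Profiles\w1ul521b.default\cookies.txt[]
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\GLFBGLFB.EXE
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vturo.dll
Virus:Trj/Keylog.GA Disinfected C:\WINDOWS\system32\vturp.dll
"""

# One incident per line: "<category>:<detection> <status> <path>".  The detection
# name may contain spaces, so it is matched lazily up to the status keyword; the
# status alternation is case-sensitive so "Not disinfected" is never split as
# "... Not" + "disinfected".
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<detection>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<path>.+?)$"
)


def parse_report(text):
    """Return one dict per incident line; header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # Panda appends "[]" to entries found inside a cookie store file.
        rec["path"] = rec["path"].rstrip("[]")
        incidents.append(rec)
    return incidents


def triage(incidents):
    """Bucket incidents by how a helper would handle them (example policy)."""
    buckets = defaultdict(list)
    for inc in incidents:
        path = inc["path"].lower()
        if inc["status"] == "Disinfected":
            buckets["already_cleaned"].append(inc)       # nothing left to do
        elif path.endswith("cookies.txt") or "\\cookies\\" in path:
            buckets["tracking_cookie"].append(inc)       # clear browser cookies
        elif inc["category"].lower().startswith("potentially unwanted"):
            buckets["review_manually"].append(inc)       # may be legitimate (vendor tool)
        elif "\\windows\\system32\\" in path and path.endswith(".dll"):
            buckets["system32_dll"].append(inc)          # loaded DLLs: stop/unregister first
        else:
            buckets["remove"].append(inc)                # stray executables, data files
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in sorted(triage(parse_report(SAMPLE_REPORT)).items()):
        print(bucket)
        for inc in items:
            print("   ", inc["detection"], "->", inc["path"])
```

The `review_manually` bucket is the point of the exercise: the C:\hp\bin\KillIt.exe entry lands there rather than in `remove`, matching the reply that the HP tool is genuine while the rest is malware related. The policy in `triage` is illustrative and should be adjusted to the scanner and environment at hand.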
AndyManchesta
There are still quite a lot of Vundo files on your PC and some adware files. The HP tool Panda found is genuine, but everything else is malware related (I've added a fix tool to remove the junk and check for other possible files below). Ewido is clearly having problems if it took that long, so it might perform better after we clean up a few things.

Open the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) and remove these:

Zeno Search Assistant removal <--Adware

Enhanced Ads by Zeno removal <--Adware

Viewpoint Media Player <--Foistware - Remove unless you installed it yourself

Java 2 Runtime Environment, SE v1.4.2_03 <--well out of date and it is being exploited by malware writers.

Update Java to the latest version by visiting this site

http://www.java.com/en/download/index.jsp

Download the attached file (BPFix.zip) and save it to your desktop. Close all open browser and other windows, then extract and run BPFix.bat. Again, it will attempt to stop the files if they are running and then remove them. Vundo sometimes stores backups spelt backwards, so the script will list them if they are found. It will open the results in Notepad and save them to C:\Drive. Can you post the results back to show if it finds other files?

Next install CCleaner if you do not already have it and press the Run Cleaner button to remove temp files from your system.

Try clearing the System Restore points then run Ewido again in safe mode.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create', then when the confirmation screen shows the restore point has been created click 'Close'.

Next go to Start Menu > Run > type

cleanmgr

Click OK. When Disk Cleanup opens, go to the 'More Options' tab and press 'Cleanup' in the System Restore area, which will remove all the restore points except the one we just created.


After you have cleared the restore points update Ewido and reboot into safe mode.

Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Once in safe mode, run Ewido again. If it finds anything, select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup", then click OK. When the scan finishes, click the Save Report button and post it back when you reboot to normal mode.

Thanks

Andy
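The reply above mentions that Vundo sometimes keeps backups under the DLL's name spelled backwards and that the fix script lists them. BPFix.bat itself is not reproduced in the thread, so the following is an added example of that check written independently, not the script Andy attached: it takes a directory listing, and for every .dll reports any other file whose name stem is the DLL stem reversed (for instance a vturo.dll beside orutv.ini). The sample listing is constructed from the Vundo names Panda reported above plus invented reversed-name companions; `reversed_name_pairs`, `scan_directory` and `demo` are this example's own names.

```python
import os
import tempfile

# Constructed listing: Vundo DLL names from the Panda report above, with invented
# reversed-stem companions of the kind the reply describes, plus one DLL that
# has no companion.  Not a real directory capture.
SAMPLE_LISTING = [
    "vturo.dll", "orutv.ini", "orutv.bak1",
    "ddccc.dll", "cccdd.ini",
    "mljji.dll",
]


def reversed_name_pairs(names):
    """Return [(dll, [companions])] for each DLL whose reversed stem names other files.

    The check is a heuristic: it flags every file whose stem is the DLL stem spelled
    backwards, regardless of extension, so hits are candidates for review, not a
    verdict (a legitimate pair of palindromic names would also be listed).
    """
    by_stem = {}
    for n in names:
        stem, _ext = os.path.splitext(n)
        by_stem.setdefault(stem.lower(), []).append(n)

    hits = []
    for n in sorted(names):
        stem, ext = os.path.splitext(n)
        if ext.lower() != ".dll":
            continue
        reversed_stem = stem.lower()[::-1]
        companions = [c for c in by_stem.get(reversed_stem, []) if c != n]
        if companions:
            hits.append((n, sorted(companions)))
    return hits


def scan_directory(path):
    """Run the reversed-name check over the files in one directory (e.g. system32)."""
    return reversed_name_pairs(os.listdir(path))


def demo():
    """Write the constructed listing into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for n in SAMPLE_LISTING:
            open(os.path.join(d, n), "w").close()
        return scan_directory(d)


if __name__ == "__main__":
    for dll, companions in demo():
        print(dll, "->", ", ".join(companions))
```

On a live machine the call would be `scan_directory(r"C:\WINDOWS\system32")`; the output is a list to examine alongside the scanner reports, since the DLLs themselves are usually loaded into running processes and must be stopped or unregistered before the files can be removed.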
Invision Power Board © 2001-2010 Invision Power Services, Inc.