Amaena.com problem in Firefox


Cavalier90
03-02-2007, 08:08 PM
It's a while since I was on these boards, and it's a shame I have to come on with a problem for you to solve. Firefox keeps throwing a popup screen with antivirus warnings. One was Winantivirus2006. I got rid of it with Spybot, along with a few other nasties that have crept in. I can't get rid of the problems totally, and every run of Spybot following a reboot produces a problem. The latest brings up a page referencing amaena.com Security Worm. I've run AVG, Spybot, Adaware (but this stops part way through) but no joy. Could you check my HijackThis log to see if you can see anything.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 23:50:09, on 02/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\cahoot webcard\CahootWebcard.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark P910 Series\lxbymon.exe
C:\WINDOWS\system32\lxbycoms.exe
C:\Program Files\Lexmark P910 Series\ezprint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index_first.html
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - C:\WINDOWS\cgmopenbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Orbiscom - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\system32\SlimBho2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CahootWebcard] d:\Program Files\cahoot webcard\CahootWebcard.exe /dontopenmycards
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rachel\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - Unknown owner - d:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
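
The HijackThis log above is read by hand in this thread. The Python script below is an added example (not part of the original post, and not HijackThis's own code) showing how a reviewer can parse the R0/O2/O4/O23 line formats and mark entries for manual review. The review heuristics (no_file, file_missing, unnamed_bho, unknown_owner, windir_root) are hypothetical and only flag lines to look at; they are not verdicts about the entries in this log. The sample input is ten lines copied from the log above.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: ten lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index_first.html
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: Orbiscom - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\system32\SlimBho2.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - Unknown owner - d:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every HijackThis line starts with a section code (R0, O2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# COM class id in braces, as used for BHOs, toolbars and DPF objects.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|sys))', re.IGNORECASE)


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. "O2", "O4", "O23"
    line: str               # the original log line, stripped
    clsid: Optional[str]    # CLSID if the line carries one
    path: Optional[str]     # binary path if one could be extracted
    flags: List[str] = field(default_factory=list)


def review_flags(entry: Entry, body: str) -> List[str]:
    """Hypothetical triage rules: each flag means 'look at this', not 'malicious'."""
    flags = []
    if "(no file)" in body:
        flags.append("no_file")        # registered component whose file is gone
    if "(file missing)" in body:
        flags.append("file_missing")   # service whose binary is gone (often a leftover)
    if entry.section == "O2" and body.startswith("BHO: (no name)"):
        flags.append("unnamed_bho")    # BHO with no description string
    if entry.section == "O23" and "Unknown owner" in body:
        flags.append("unknown_owner")  # no vendor string; verify the binary manually
    if entry.path and ntpath.dirname(entry.path).lower() == r"c:\windows":
        flags.append("windir_root")    # executable sitting directly in %WINDIR%
    return flags


def parse_entry(raw: str) -> Optional[Entry]:
    """Parse one log line into an Entry, or None if it is not a HijackThis item."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    entry = Entry(section, raw.strip(),
                  clsid.group(0) if clsid else None,
                  path.group(1) if path else None)
    entry.flags = review_flags(entry, body)
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every item line of a HijackThis log."""
    entries = []
    for raw in log_text.strip().splitlines():
        e = parse_entry(raw)
        if e is not None:
            entries.append(e)
    return entries


def flagged(log_text: str):
    """Map each flagged log line to its review flags."""
    return {e.line: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for line, flags in flagged(SAMPLE_LOG).items():
        print(", ".join(flags).ljust(26), line)
```

Run it directly to print the flagged lines. "Unknown owner", "(no file)" and "(file missing)" are HijackThis's own wording; a flag such as windir_root only means the binary lives directly in %WINDIR%, which is where a reviewer should check the vendor and file details before deciding anything.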

Budfred
03-02-2007, 08:31 PM
Spybot won't work on the WinAntispyware infection, so it has not actually ever been gone...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4)
to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

Cavalier90
03-02-2007, 09:08 PM
Vundofix reported no infected files found. As I loaded this reply window, another popup appeared, so the infection is still there. I await your next suggestion.

Vundofix log is here.

VundoFix V6.3.11

Checking Java version...

Sun Java not detected
Scan started at 01:01:52 03/03/2007

Listing files found while scanning....

No infected files were found.


Thanks

Fruss Tray Ted
03-02-2007, 09:18 PM
If Java was not detected and VundoFix needs it to run its scan, your PC failed to run the scan.

Allow Java after getting the most recent version of Sun Java, then run the scan again.

Budfred
03-02-2007, 10:22 PM
Okay, try a couple of other scans:

Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...
DO NOT post the upper window which contains everything that was scanned...

http://www.mwti.net/products/mwav/mwav.asp

It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...

and...

Download Superantispyware (http://www.superantispyware.com/?tag=GOOGLE-SUPERANTISPYWARE)

Install the programme. When the first page opens, on the bottom left there will be a Check for Updates button; click this to update the programme.

Then run SuperAntispyware.

On the first page select SCAN YOUR COMPUTER.
On the next page select COMPLETE SCAN and tick ALL your drives.
The next stage will take a while as your entire drive(s), memory and registry are scanned.
When it has completed, click NEXT.
The next screen shows the problems found; click OK.
On the next screen place a tick against all items and select NEXT.

Now, to get the log, go to the PREFERENCES button at the bottom right.
Select the STATISTICS/LOG tab.
Highlight the scan just completed and click VIEW LOG.
This will open a Notepad text file; copy and paste this into your next reply....

Cavalier90
03-03-2007, 04:34 AM
I reloaded Java Runtime Environment although I did have update 10 and have rerun Vundo fix. The latest log is below.
VundoFix V6.3.11

Checking Java version...

Sun Java not detected
Scan started at 01:01:52 03/03/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.11

Checking Java version...

Sun Java not detected
Scan started at 08:07:41 03/03/2007

Listing files found while scanning....

No infected files were found.

Why it is not detecting Java I don't know; perhaps having the Runtime Environment is not enough. Please advise if there is a particular type of Java I need (the website shows quite a few, but they seem to be for developers).

I have downloaded the two Budfred has suggested and I will run them now and post the results.

Thanks

Cavalier90
03-03-2007, 04:52 AM
MWAVSCAN log attached

Object "minibug Adware" found in File System! Action Taken: Entries Removed.
Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "spylax Corrupted Adware/Spyware" found in File System! Action Taken: Entries Removed.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: Entries Removed.
Entry "HKCR\Context.test" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: Entries Removed.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: Entries Removed.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: Entries Removed.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""C:\Program Files\Java\jre1.5.0_03\bin\javaws.exe"". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\unvise32.exe". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\drivers\vsdatant.sys". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.Windows.Forms.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscoree.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.EnterpriseServices.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.JScript.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.Vsa.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.Drawing.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscoree.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.Vb.CodeDOMProcessor.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorlib.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object

Cavalier90
03-03-2007, 04:53 AM
"C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.Vsa.Vb.CodeDOMProcessor.tlb". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bz2". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cdr". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dbl". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".kodak[1]". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".package". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PLV". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sqm". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".SVD". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".torrent". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".vsx". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "._MP". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AdobeESD". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "CDCheck". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Google Desktop". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.7)". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5)". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5.0.3)". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Rainbow Sentinel Driver". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{13BAE585-24D8-4425-B9B6-07D129431033}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2B257128-0B59-4A88-AFDF-BE12E5F5B9A0}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2B257128-0B59-4A88-AFDF-BE12E5F5B9A1}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{4DEE75B1-B201-4DA3-A50F-007CDB00DA23}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{89A344E4-A54B-4C5E-97BD-040B4B300324}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-A00000000001}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-A70500000002}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}". Action Taken: Entries Removed.

It seems to have done a lot. 65 errors were detected and fixed. Note that it did not ask me if I wanted to fix them, it did it automatically during the scan.

I'll run Superantispyware now.

Thanks.

Cavalier90
03-03-2007, 06:21 AM
SUPERAntiSpyware Scan Log
Generated 03/03/2007 at 09:26 AM

Application Version : 3.5.1016

Core Rules Database Version : 3193
Trace Rules Database Version: 1203

Scan type : Complete Scan
Total Scan Time : 00:32:19

Memory items scanned : 424
Memory threats detected : 0
Registry items scanned : 5044
Registry threats detected : 0
File items scanned : 39880
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Rachel\Cookies\rachel@adrevolver[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@adrevolver[3].txt
C:\Documents and Settings\Rachel\Cookies\rachel@atdmt[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@doubleclick[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@tradedoubler[2].txt

Adware.180solutions/ZangoSearch
C:\DOCUMENTS AND SETTINGS\RACHEL\DESKTOP\SETUP(2).EXE
C:\DOCUMENTS AND SETTINGS\RACHEL\DESKTOP\SETUP.EXE

Cavalier90
03-03-2007, 06:50 AM
Problem is still with me. Advertising windows in Firefox are still occurring, unless the PCGuide has an infection, which I doubt. And yes, Firefox is set to block popups.

Cavalier90
03-03-2007, 03:12 PM
I don't know if this is connected, but the PC will not now boot up into Windows. It will boot into Safe mode, and in Linux (I'm using Linux now to post this). There is no error shown; all I get is the Windows XP screen and the loading bar. The computer sits like that and doesn't load. Could it be linked?

Cavalier90
03-03-2007, 04:09 PM
Panic over. I've restored Windows to yesterday's restore point, and it's working again. The restore point was before Mwav and Superantispyware. Can either of these cause boot up problems? The restore point after yesterday's did show the installation of Mwav in particular.

Comments still appreciated on the logs above.

Budfred
03-03-2007, 05:40 PM
It looks like you didn't clean anything with SuperAntispyware, so that was probably not the problem... I didn't think MWav was still cleaning things without paying for it, so I was surprised by that... It probably caused the problem you had...

Please run SuperAntispyware again and let it fix what it finds... The ads you are getting may well be Zango...

Then run this scan and let it fix what it finds; it is less powerful than MWav, but probably safer... You may have an infection that corrupts system files, and when MWav cleaned them, your system wouldn't work properly anymore... Unfortunately, if that is the case, you will need to rebuild the system with clean files... Try this first though...

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Cavalier90
03-03-2007, 08:10 PM
Downloaded Superantispyware again and reran it. It fixed a number of items so I rebooted the PC. Windows would not load again as before, so I had to restore again and have now lost the log. It seems to be Super... that is causing the loading problem. Am now running Dr Web.

Cavalier90
03-04-2007, 04:00 AM
Log file from Dr Web attached.

Setup(2).exe;C:\Documents and Settings\Rachel\Desktop;Adware.Zango;Incurable.Deleted.;
Setup.exe;C:\Documents and Settings\Rachel\Desktop;Adware.Zango;Incurable.Deleted.;
A0144370.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP295;Adware.Zango;Incurable.Deleted.;
A0144371.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP295;Adware.Zango;Incurable.Deleted.;
A0145187.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP298;Adware.Zango;Incurable.Deleted.;
A0145188.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP298;Adware.Zango;Incurable.Deleted.;
Preview-T-229784-sailors horn pipe proms 22.wma;D:\Program Files\Incomplete;Trojan.Isbar.389;Deleted.;
Preview-T-304178-(full version) sailors horn pipe proms 57.wma;D:\Program Files\Incomplete;Trojan.Isbar.389;Deleted.;

Unfortunately, as I left Dr Web running overnight, by the time I returned this morning my internet connection had dropped, so I could not bring up PCGuide without a reboot to read Budfred's instructions. I deleted the incurables rather than moving them, sorry.

Any comments other than "Next time print the instructions"?:)
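
Dr.Web CureIt's DrWeb.csv report uses one semicolon-separated line per finding (file;directory;threat;action). The Python below is an added example, not from the original post or from Dr.Web, that parses that layout, counts findings per threat, and lists the System Restore points (RP295 and RP298 in the report above) that held detected files. That is the practical caveat for this thread: a roll-back to a restore point that still contains an adware installer brings the installer back. The sample input is the eight report lines above with the forum's inserted line-wrap spaces removed; the RESTORE_RE pattern is an assumption about the _restore{GUID}\RPnnn path layout.

```python
import re
from typing import Dict, List, Optional

# Sample input: the eight lines of the DrWeb.csv report posted above.
SAMPLE_REPORT = r"""
Setup(2).exe;C:\Documents and Settings\Rachel\Desktop;Adware.Zango;Incurable.Deleted.;
Setup.exe;C:\Documents and Settings\Rachel\Desktop;Adware.Zango;Incurable.Deleted.;
A0144370.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP295;Adware.Zango;Incurable.Deleted.;
A0144371.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP295;Adware.Zango;Incurable.Deleted.;
A0145187.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP298;Adware.Zango;Incurable.Deleted.;
A0145188.exe;C:\System Volume Information\_restore{FDD8774C-3C51-4E62-B096-DC22F859A1F3}\RP298;Adware.Zango;Incurable.Deleted.;
Preview-T-229784-sailors horn pipe proms 22.wma;D:\Program Files\Incomplete;Trojan.Isbar.389;Deleted.;
Preview-T-304178-(full version) sailors horn pipe proms 57.wma;D:\Program Files\Incomplete;Trojan.Isbar.389;Deleted.;
"""

# Assumed layout of a System Restore snapshot directory on Windows XP:
# <drive>\System Volume Information\_restore{GUID}\RPnnn
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)", re.IGNORECASE)


def parse_report(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse semicolon-separated Dr.Web report lines into dicts.

    Fields are: file name; directory; threat name; action taken.
    Lines with fewer than four fields are skipped.
    """
    findings = []
    for raw in text.strip().splitlines():
        parts = raw.rstrip(";").split(";")
        if len(parts) < 4:
            continue
        name, directory, threat, action = parts[:4]
        rp = RESTORE_RE.search(directory)
        findings.append({
            "file": name,
            "dir": directory,
            "threat": threat,
            "action": action,
            "restore_point": rp.group(1) if rp else None,
        })
    return findings


def by_threat(text: str) -> Dict[str, int]:
    """Count findings per threat name."""
    counts: Dict[str, int] = {}
    for f in parse_report(text):
        counts[f["threat"]] = counts.get(f["threat"], 0) + 1
    return counts


def tainted_restore_points(text: str) -> List[str]:
    """Restore points that held detected files; rolling back to one re-introduces them."""
    return sorted({f["restore_point"] for f in parse_report(text) if f["restore_point"]})


if __name__ == "__main__":
    for threat, n in by_threat(SAMPLE_REPORT).items():
        print(f"{threat}: {n} finding(s)")
    print("restore points containing detections:", ", ".join(tainted_restore_points(SAMPLE_REPORT)))
```

The report in this thread is small enough to read by eye; the value of parsing it is the restore-point list, which tells a reviewer which snapshots should not be used for a roll-back (or should be purged by turning System Restore off and on again once the machine is clean).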

Cavalier90
03-04-2007, 04:29 AM
I reran MWAVSCAN on its own, i.e. not with Superantispyware. It found and cured quite a few objects again. I rebooted the PC and it restarted OK. It must have been Super... that caused the problems before. MWAVSCAN log attached for info. I'll see how the browser is now.

Object "minibug Adware" found in File System! Action Taken: Entries Removed.
Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "dyfuca Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "spylax Corrupted Adware/Spyware" found in File System! Action Taken: Entries Removed.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: Entries Removed.
Entry "HKCR\Context.test" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: Entries Removed.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: Entries Removed.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: Entries Removed.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""C:\Program Files\Java\jre1.5.0_03\bin\javaws.exe"". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\unvise32.exe". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\drivers\vsdatant.sys". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.Windows.Forms.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscoree.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.EnterpriseServices.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.JScript.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.Vsa.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.Drawing.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscoree.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.Vb.CodeDOMProcessor.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorlib.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.tlb". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.Vsa.Vb.CodeDOMProcessor.tlb". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".bz2". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".cdr". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".dbl". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".info". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".kodak[1]". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".package". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".PLV". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".sqm". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".SVD". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".tmp". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".torrent". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".vsx". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object "._MP". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AdobeESD". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "CDCheck". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Google Desktop". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.7)". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5)". Action Taken: Entries Removed.

Cavalier90
03-04-2007, 04:32 AM
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5.0.3)". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Rainbow Sentinel Driver". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{13BAE585-24D8-4425-B9B6-07D129431033}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2B257128-0B59-4A88-AFDF-BE12E5F5B9A0}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2B257128-0B59-4A88-AFDF-BE12E5F5B9A1}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{4DEE75B1-B201-4DA3-A50F-007CDB00DA23}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{89A344E4-A54B-4C5E-97BD-040B4B300324}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-A00000000001}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-A70500000002}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}". Action Taken: Entries Removed.

Budfred
03-04-2007, 08:54 AM
It is okay that you deleted those files, they are trash anyway...

Please post a fresh HJT log...

Cavalier90
03-04-2007, 07:39 PM
New HJT log attached. I'm still having the problem. Just had a Winantispyware2007 page come up, and seemed to get plagued with pop-ups from am-gad-network.com.

Logfile of HijackThis v1.99.1
Scan saved at 23:37:08, on 04/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\cahoot webcard\CahootWebcard.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark P910 Series\lxbymon.exe
C:\Program Files\Lexmark P910 Series\ezprint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lxbycoms.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index_first.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - C:\WINDOWS\cgmopenbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Orbiscom - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\system32\SlimBho2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CahootWebcard] d:\Program Files\cahoot webcard\CahootWebcard.exe /dontopenmycards
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rachel\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Budfred
03-04-2007, 08:35 PM
It appears that you are still infected with Vundo... Please run VundoFix in Safe Mode and see if that is able to do a better job finding it and cleaning it... If it doesn't show anything the first time, run it again while still in Safe Mode...

After you reboot to Normal Mode, run this one:

* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.

Cavalier90
03-05-2007, 07:24 PM
I ran Vundofix in Safe mode twice, and both times it locked up after about half an hour. The field that shows the file being processed was showing a white box but no writing. Checking on the processor use, Vundofix was using up to 98% of the CPU, but no disk accesses. When I shut it down, it said it was not responding, so I guess with that sort of CPU usage it had got into a loop.

I've tried F-Secure, but when I go to look at something else in Internet Explorer, IE itself shuts down, taking F-Secure with it. I'm going to go to bed now and leave F-Secure running overnight so I will not be tempted to touch anything while it is running.

Cavalier90
03-07-2007, 06:34 PM
I ran F-Secure overnight, but when I came to clean the files the following morning, the internet connection had disappeared or timed out. I don't understand why as I'm on broadband.

Ran F-secure earlier tonight and it ended the scan OK so I asked it to clean what it had found. It stopped at 3/4 complete and stopped. I left it for 45 minutes and it still hadn't moved off so I pressed Cancel. I know Budfred said it can take a while to fix things, but I presume 45 minutes to be more than enough time. This worked so the webpage had not frozen. It said it had cleaned my system but I was not sure as it last showed only 3/4 complete. As it did not complete, I cannot show the report.

I tried running Vundofix again, but it still does not complete its action, eventually freezing and saying "no response" to trying to cancel the programme.

I don't seem to be having much luck running these processes.

I'm still being plagued by the pop up screens for anti virus stuff.

Budfred
03-07-2007, 08:12 PM
Okay, we have a couple of options... First use a ComboFix scan/log...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

Cavalier90
03-08-2007, 04:20 PM
Logfile now attached.

"Paul" - 07-03-08 20:09:50 Service Pack 2
ComboFix 07-03-08 - Running from: "D:\Program Files\download files"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\REGEDIT.com
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\logo1_.exe
C:\WINDOWS\system32\dbsweilhxp.dat
C:\WINDOWS\system32\dbsweilhxp.exe
C:\WINDOWS\system32\dbsweilhxp_nav.dat
C:\WINDOWS\system32\dbsweilhxp_navps.dat


((((((((((((((((((((((((((((((( Files Created from 2007-02-08 to 2007-03-08 ))))))))))))))))))))))))))))))))))


2007-03-08 19:00 <DIR> d-------- C:\DOCUME~1\Rachel\APPLIC~1\Prevx
2007-03-08 08:36 <DIR> d-------- C:\DOCUME~1\Sue\APPLIC~1\Prevx
2007-03-07 23:55 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\Prevx
2007-03-07 23:54 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-03-07 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-03-05 21:09 <DIR> d----c--- C:\VundoFix Backups
2007-03-04 08:15 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-03-04 08:15 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-04 08:15 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-04 08:15 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-03-04 08:15 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-03-04 08:09 146,432 --a------ C:\WINDOWS\R.COM
2007-03-04 08:09 135,680 --a------ C:\WINDOWS\system32\T.COM
2007-03-04 00:07 <DIR> d-------- C:\DOCUME~1\Paul\DoctorWeb
2007-03-03 08:28 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\SUPERAntiSpyware.com
2007-03-02 19:01 3,145,728 --a------ C:\DOCUME~1\Rachel\ntuser.dat
2007-03-02 19:01 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-02-11 20:05 <DIR> d-------- C:\DOCUME~1\Rachel\APPLIC~1\IMVU


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-08 20:03 -------- d-------- C:\Program Files\3dmouse
2007-03-08 09:43 -------- d-------- C:\Program Files\lx_cats
2007-03-05 23:33 -------- d--h----- C:\Program Files\installshield installation information
2007-03-05 23:33 -------- d-------- C:\Program Files\google
2007-03-03 08:04 6107 --a------ C:\WINDOWS\mozver.dat
2007-02-28 23:32 -------- d-------- C:\DOCUME~1\Paul\APPLIC~1\avg7
2007-02-26 23:39 -------- d-------- C:\DOCUME~1\Paul\APPLIC~1\gtk-2.0
2007-02-23 16:58 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-23 16:58 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-23 16:58 19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-07 22:52 -------- d-------- C:\DOCUME~1\Paul\APPLIC~1\openoffice.org2
2007-01-28 23:12 -------- d-------- C:\DOCUME~1\Paul\APPLIC~1\adobeum
2007-01-15 23:30 -------- d-------- C:\Program Files\Common Files\ahead
2007-01-02 12:37 274432 --a------ C:\WINDOWS\system32\unvpqhociw.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AdaptecDirectCD"="D:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"CahootWebcard"="d:\\Program Files\\cahoot webcard\\CahootWebcard.exe /dontopenmycards"
"3DMouse"="C:\\PROGRA~1\\3DMouse\\3DMouse.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LXBYCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBYtime.dll,_RunDLLEntry@16"
"lxbymon.exe"="\"C:\\Program Files\\Lexmark P910 Series\\lxbymon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"EzPrint"="\"C:\\Program Files\\Lexmark P910 Series\\ezprint.exe\""
"iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NWEReboot"=""
"AVG7_CC"="d:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"dbsweilhxp"="c:\\windows\\system32\\dbsweilhxp.exe dbsweilhxp"
"SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="d:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="d:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-08 20:16:46

Cavalier90
03-08-2007, 05:04 PM
I hope this does not put the jinx on my computer, but I've been surfing for a while and not had any nasty pop-ups. Looks like Combofix may have done the job.

I did a search for the amaena problem and a package called Prevx1 was highlighted in Google. I read the web page and it seemed like it may do the job. It is free for 30 days, then you have to pay for fixes, but it will keep running and checking in the background. I downloaded it and ran the program before I read your (Budfred) reply to run Combofix. It found and "jailed" two programs, HBYMGKEDZL.EXE and RWAKNBLY.EXE. Do you know anything about this package? The downside, and possibly suspicious part, is it stops Zonealarm firewall starting up.

Thanks for all your effort Budfred.

Cavalier90
03-08-2007, 05:12 PM
Just found the problem in Zonealarm, the "Load at Startup" option had been deselected. I have reset it and it seems to be holding. Problem over.

Budfred
03-09-2007, 12:46 AM
Prevx is quite good... And ComboFix did clean out quite a bit of filth... The bad news.... there is still a whole pile of filth in your computer and some of it is stealing your personal information to steal everything you own...

You have 2 options at this point... Given the infections present, your best bet may be to wipe the hard drive and reinstall from scratch... If you want to backup files on the drive, you can do so, but put them on a CD or other disk that you can keep from being automatically read when you go to restore them... Scan them carefully before restoring them...

The other option is that we can keep at this and try to clean it all out... If you want to do that, let me know...

Either way, if you have done any financial transactions on this computer, you need to contact the credit card companies/banks or whatever it was to notify them that you need to change passwords, account numbers and so on... It would also be good to put a watch on any account that might have been compromised... Obviously, contact the companies by phone and do NOT use your computer for any financial transactions until fairly certain it is clean... Note that forum and other internet passwords are also likely compromised and will need to be changed as soon as you can safely do that... Please take this seriously, I only give out this warning when it is unavoidable...

Cavalier90
03-09-2007, 05:19 AM
Thanks for the warning. Let's try to continue with the cleanup.

Cavalier90
03-09-2007, 07:01 AM
Just a quick question regarding rebuilding the PC rather than trying to fix the bad files: I run a dual boot with Linux on one disk, Windows on another. Would I have to rebuild Linux, or is it reasonably safe from Windows infections? My understanding is it is. I thought I could copy files I need onto the Linux disk rather than CD if it is safe.

Budfred
03-09-2007, 08:35 AM
The Linux install should be safe... You could probably copy the files onto the Linux partition if you wish, I am not familiar enough with the Linux file system to know if that will allow you to scan them prior to remounting them in Windows, but if it does, that could be an elegant solution...

To go with another clean-up tool:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Cavalier90
03-09-2007, 08:48 AM
I will do what you suggest tonight when I get home from work.

As for scanning files in Linux, I found a couple of days ago that AVG offer a Linux version that I have now installed on the Linux partition. That will give me the opportunity to check the files before I copy them back. I am not sure though whether the Linux AVG searches for the same problems as the Windows version. As viruses are O/S specific, exploiting weaknesses in those O/Ss, I'm guessing they will be different. If they are, having re-installed Windows, I cannot check them from Windows as Windows can't read Linux file systems. Linux can read and write to Windows file systems (FAT at least), though this doesn't help me.

As for other Linux scanning options (Spyware/Adware/etc), I would need to do some more digging.

mjc
03-09-2007, 11:14 AM
Most of the Linux AV apps DO scan for Windows viruses...because Linux is often used as the OS of choice on mail servers. They scan for Windows ones so they can scan the mail passing through.

One of the nice things about being able to scan outside of Windows, is there is less chance of triggering a virus/trojan during the scan.

Also, there are a couple of ext2 filesystem drivers for Windows...read access works fine, but write access is 'iffy' (at best) and probably shouldn't be attempted. (Pretty much the reverse of Linux's NTFS.)

Cavalier90
03-09-2007, 03:10 PM
Rebooting...

Normal Mode:
Checking Files:





ADS Check:




Final Check:

Remaining Services:
------------------


Rootkit huy32 maybe active, Use a Rootkit scanner!
Rootkit PE386 maybe active, Use a Rootkit scanner!
Rootkit lzx32 maybe active, Use a Rootkit scanner!
Rootkit msguard maybe active, Use a Rootkit scanner!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

C:\Documents and Settings\Claire\SendTo\prf24.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL0583.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL0779.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL1372.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL2405.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL2546.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL2561.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL3268.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL3438.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL3755.tmp
C:\Documents and Settings\Rachel\Application Data\Microsoft\Word\~WRL3897.tmp
C:\Documents and Settings\Rachel\Local Settings\prf6B.tmp
C:\Documents and Settings\Sue\Local Settings\prfA5.tmp

Add/Remove Programs List:

3D-Mouse
ABBYY FineReader 4.0 Sprint
Ad-Aware SE Personal
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free Edition
C-Media WDM Audio Driver
cahoot webcard
CART Precision Racing
CCleaner (remove only)
Create your own Model Railway
Dia (remove only)
Ducati
Microsoft Flight Simulator 98
HijackThis 1.99.1
Microsoft Greetings
Theme Hospital
iTunes
Lexmark Fax Solutions
QuickTime
IsoBuster 1.5
Java Servlet Development Kit 2.0
LEGOLAND
Lexmark P910 Series
LimeWire 4.8.1
Macromedia Shockwave Player
MessengerSkinner
Microsoft .NET Framework 2.0
Microsoft AutoRoute Express Europe 98
Monopoly
Microsoft Monster Truck Madness
Mozilla Firefox (2.0.0.2)
MSN
Mustek 1200 UB Plus v2.0
NingPo MahJong Deluxe 1.04
Prevx1
RealPlayer
Route Planner 1.1
Adobe Flash Player 9 ActiveX
SiSoftware Sandra Lite 2005.SR3 (Win64/32/CE)
SiSoftware Sandra Professional 2005 (Win64/32/CE)
Spybot - Search & Destroy 1.4
Swat It Trojan & Bot Remover - Version 1.0
SimTheme Park
Ulead Photo Express 3.0 SE
VideoLAN VLC media player 0.8.1
WebCam Instant Product Registration
The GIMP 2.2.13
GTK+ 2.10.6-1 runtime environment
WinZip
ZoneAlarm
Zoo Tycoon: Complete Collection
Microsoft Office 2000 Premium
The Sims 2 University
PIF DESIGNER2.1
ATI Control Panel
Windows Live Sign-in Assistant
J2SE Runtime Environment 5.0 Update 10
Google Earth
ATI HydraVision
The Sims 2 Pets
SAGEM F@st800
iTunes
Windows Genuine Advantage v1.3.0254.0
PowerDVD
The Sims 2 Family Fun Stuff
The Sims 2
Microsoft .NET Framework 2.0
Lexmark Fax Solutions
The Sims 2 Open For Business
Cars - Radiator Springs Adventures
Easy CD Creator 5 Platinum
Microsoft LifeCam
OpenOffice.org 2.0
Adobe Reader 7.0.9
QuickTime
ScanToWeb
The Sims 2 Nightlife
Windows Live Messenger

Finished
Hijack This to follow

Cavalier90
03-09-2007, 03:12 PM
Logfile of HijackThis v1.99.1
Scan saved at 19:11:31, on 09/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\cahoot webcard\CahootWebcard.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark P910 Series\lxbymon.exe
C:\Program Files\Lexmark P910 Series\ezprint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\lxbycoms.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index_first.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - C:\WINDOWS\cgmopenbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Orbiscom - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\system32\SlimBho2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CahootWebcard] d:\Program Files\cahoot webcard\CahootWebcard.exe /dontopenmycards
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [dbsweilhxp] c:\windows\system32\dbsweilhxp.exe dbsweilhxp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rachel\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
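An added example, not part of the thread and not HijackThis code: a small triage script that reads the O2/O4/O23 lines from the log above and flags the three patterns a helper would look at first (a BHO registration with no file behind it, a Run entry in the Windows directory named after its own value, and a service whose binary is missing). The sample lines are copied from the log; the allow-list and the heuristics are this script's own assumptions.

```python
import ntpath
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [dbsweilhxp] c:\windows\system32\dbsweilhxp.exe dbsweilhxp
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>.*?) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption: binaries that legitimately autostart straight out of the Windows
# directory on an XP box; anything else in that location gets a closer look.
WINDOWS_DIR_ALLOWLIST = {"ctfmon.exe", "rundll32.exe"}


def first_token(cmd):
    """Return the executable part of an O4 command line, with quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_windows_dir(path):
    """True when the file sits directly in ...\\windows or ...\\windows\\system32."""
    parent = ntpath.dirname(path).lower()
    return parent.endswith("\\windows") or parent.endswith("\\windows\\system32")


def triage(log_text):
    """Return (severity, line, reason) for every line that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(("info", line, "orphaned BHO registration (no file on disk)"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            base = ntpath.basename(exe).lower()
            stem = ntpath.splitext(base)[0]
            # Self-named loader dropped into system32: the shape of the dbsweilhxp entry.
            if (in_windows_dir(exe) and base not in WINDOWS_DIR_ALLOWLIST
                    and stem == m.group("name").lower()):
                findings.append(("suspicious", line,
                                 "autostart in the Windows directory named after its own Run value"))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append(("info", line, "service entry points at a missing file"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```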

Budfred
03-09-2007, 05:21 PM
Okay, that is NOT good... Try the F-Secure scan again, maybe it will run now that some of the dreck is gone...

I am going to be at a conference for most of the next week and will not have my tools with me... I will check in and comment when I can, but someone else may need to step in with some other tools...

If F-Secure doesn't work, run this scan and post the log... :

http://www.gmer.net/files.php

Cavalier90
03-09-2007, 08:29 PM
Scanning Report
Friday, March 09, 2007 23:26:02 - 00:21:36


Result: 1 malware found
Tracking Cookie (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 35302
* System: 4154
* Not scanned: 3

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* D:\PAGEFILE.SYS

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-03-08
* F-Secure AVP: 7.0.171, 2007-03-09
* F-Secure Orion: 1.2.37, 2007-03-09
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-02-44
* F-Secure Pegasus: 1.19.0, 2007-02-05

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

Cavalier90
03-09-2007, 08:55 PM
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-10 00:51:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys

Cavalier90
03-09-2007, 08:58 PM
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys

Cavalier90
03-09-2007, 08:59 PM
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT pxfsf.sys ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread

Cavalier90
03-09-2007, 09:01 PM
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

Cavalier90
03-09-2007, 09:02 PM
---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + D4 804E2730 24 Bytes [ 79, F8, 3A, F7, 83, F8, 3A, ... ]
.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 16 Bytes [ D0, 80, AD, ED, BF, F8, 3A, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 0C, AD, ED, E0, 6E, AD, ... ]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2770 28 Bytes [ D0, A6, AD, ED, 05, F9, 3A, ... ]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [ A5, F9, 3A, F7, E0, 93, AD, ... ]
.text ...
? srescan.sys The system cannot find the file specified.
.text ntoskrnl.exe!_abnormal_termination + D4 804E2730 24 Bytes [ 79, F8, 3A, F7, 83, F8, 3A, ... ]
.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 16 Bytes [ D0, 80, AD, ED, BF, F8, 3A, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 0C, AD, ED, E0, 6E, AD, ... ]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2770 28 Bytes [ D0, A6, AD, ED, 05, F9, 3A, ... ]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [ A5, F9, 3A, F7, E0, 93, AD, ... ]
.text ...

Cavalier90
03-09-2007, 09:04 PM
---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EDAE22A0] vsdatant.sys

Cavalier90
03-09-2007, 09:04 PM
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EDAE22A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EDAE22A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Rachel\Local Settings\Application Data\Microsoft\Messenger\doggydude32@hotmail.com\SharingMetadata\amezy01@hotmail.co.uk\DFSR\Staging\CS{C5448F5E-48D2-A545-5D5B-DC6D45FD9D96}\01\10-{C5448F5E-48D2-A545-5D5B-DC6D45FD9D96}-v1-{2FD8A819-E7DE-4527-BE7F-059BF6DF2232}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.12 ----
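An added example, not from the thread or from GMER: the SSDT section above runs to roughly a hundred lines, but grouped by owning module it collapses to two drivers. This script does that grouping and separates modules that map to a product known to be installed from any that do not; the mapping in KNOWN_HOOKERS is an assumption drawn from the Add/Remove list and HijackThis log in this thread, and a table with only known hookers still does not prove the machine is clean.

```python
import re
from collections import defaultdict

# Constructed sample: SSDT lines copied from the GMER output above, including the
# truncated "SSDT pxfsf.sys" line that the forum split left without a function name.
SAMPLE = r"""
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwWriteVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT pxfsf.sys
"""

# Constructed extra line with a made-up module name (not from the thread), used
# only to show how a hook owned by something that is not an installed product surfaces.
CONSTRUCTED_EXTRA = "SSDT example_unknown.sys ZwQueryDirectoryFile\n"

# Assumption drawn from the thread's own logs: pxfsf.sys belongs to Prevx1
# (PXAgent/PXConsole/pxbho.dll) and vsdatant.sys is ZoneAlarm's TrueVector driver (vsmon).
KNOWN_HOOKERS = {"pxfsf.sys": "Prevx1", "vsdatant.sys": "ZoneAlarm (TrueVector)"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)$")


def parse_ssdt(text):
    """Map each hooking module (basename, lower-case) to the sorted syscalls it hooks."""
    hooks = defaultdict(set)
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:  # blank lines, section headers, truncated entries
            continue
        module = m.group("module").rsplit("\\", 1)[-1].lower()
        hooks[module].add(m.group("func"))
    return {mod: sorted(funcs) for mod, funcs in hooks.items()}


def classify(hooks, known):
    """Split the hook table into modules tied to a known product and the rest."""
    expected = {m: f for m, f in hooks.items() if m in known}
    unexpected = {m: f for m, f in hooks.items() if m not in known}
    return expected, unexpected


def report(text, known=KNOWN_HOOKERS):
    """Return one summary line per module; unknown hookers are marked for follow-up."""
    expected, unexpected = classify(parse_ssdt(text), known)
    lines = [f"{m}: {len(f)} hooks, {known[m]}" for m, f in sorted(expected.items())]
    lines += [f"{m}: {len(f)} hooks, NOT a known product: {', '.join(f)}"
              for m, f in sorted(unexpected.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("--- with a constructed unknown hooker ---")
    print("\n".join(report(SAMPLE + CONSTRUCTED_EXTRA)))
```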

Cavalier90
03-09-2007, 09:20 PM
I posted the Rootkit part of the displays from GMER as that is what came up after the scan. The log tab did not have anything in it to copy. Is this of any use? I realise rootkits are good hiding places for malicious ware, but I presume GMER only reports on the content but does not correct it. There were other reports on processes running and autostart, but I have not posted them as they seem to be very large files. If they are needed I will create them again and post them here.

Thanks Budfred for your help, and enjoy your conference. I hope it is somewhere nice.

Does anyone else want to take over resolving my problem? If the consensus is to reinstall Windows, that is what I will do if fixing the problem is going to take too much of people's time.

Budfred
03-10-2007, 01:30 AM
It is not so much a matter of time as it is that once it looks like you have a rootkit, there is no way to be really certain that it is gone without the wipe and reinstall...

I don't have the resources with me or sufficient experience with Gmer logs to analyze what you have posted at this point... Hopefully someone else will be able to take a look at it while I am less available...

Cavalier90
03-10-2007, 08:00 PM
I've re-installed Windows, so problem should be over.

Thanks for your help Budfred.

Budfred
03-10-2007, 11:58 PM
Did you wipe the hard drive first and then repartition and reinstall... If you didn't, you may still not be safe...

Cavalier90
03-14-2007, 05:56 AM
...I did. The disk was totally reformatted then re-partitioned. All seems OK at the moment and my daughter has been warned about some of the sites she has been visiting.

Budfred
03-14-2007, 11:00 AM
I am at a conference where a lot of the security issues are being addressed and one of the things that people keep saying over and over is to create a Standard User to actually go on the net and only use the Admin account to do things like installing software... If you do that for your daughter, along with some good protective software, there is a much better chance the computer won't be infected... Also, I hope you took the comments about changing financial info seriously... The criminals who create this garbage would have no hesitation to ruin you financially...

Cavalier90
03-14-2007, 08:25 PM
Yes I changed the passwords, but have not changed accounts yet. I'll get that bit sorted next.

Thanks again.