Look At My Log, Please

#1 - HeidiGiller, Jul 9th, 2007
Can someone please help me clean up spyware? Crunchie, Gerbil? Anyone? You all are so great! Thanks in advance for any advice!
Logfile of HijackThis v1.99.1
Scan saved at 7:43:10 PM, on 7/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HiJackThis!\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1184035090031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1184034946421
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe

#2 - gerbil, Jul 11th, 2007
What a brazen come-on!!
OK... a couple of things there, let's move 'em out.
Either go Control Panel > Folder Options, or in an Explorer window go Tools > Folder Options; then on the View tab, select Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/file...Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings... In Control Panel select Network and Internet Connections, right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click Properties. Click the Networking tab. Double-click the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type cd\ and press Enter. Now type ipconfig /flushdns and press Enter [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe

Good. Now go Start, run, type cmd and press Enter; type or paste into the window:
sc delete msupdate
-press Enter and close the window.
-browse to and delete c:\windows\system32\msvcrtd.exe

==Get CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the Recycle Bin; it's neater that way.
Now run CCleaner from the Recycle Bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because Windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your system will just be a little bit slower loading it. And an entry will then be generated anyway.]
AVG - AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/...i-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file.
Post the log file plus that from Fixwareout and a fresh Hijackthis log.
Deep, deep in the woods, but walking about.

#3 - HeidiGiller, Jul 12th, 2007
Well, I had to get your attention somehow! ;o). Thought the subject title might do the trick!
I just wanted to mention that I am a regular user of HiJackThis!, Spybot, and AdAware. I've been a member here since my own PC got infected quite some time ago. Crunchie helped me through that time. This is my son's PC and I haven't been able to keep tabs on it, seeing as he is living with his dad currently. He is here for a visit. Anyway, I try to stay up to date and stay familiar with what is on my PC. Which I feel is probably important. Thanks so much for your help so far!!
Ok, I have MSN dialup. When I right-click Network Connections and select Properties, I only have an "Advanced" tab with firewall options. How do I obtain DNS servers automatically? Should I move on with the next steps or wait to thoroughly complete all steps?
Well, I moved on.
Next... Flushed DNS cache w/ cmd "ipconfig /flushdns".
Fixed checked entries on HiJackThis.
Did cmd "sc delete msupdate"
Browsed to and deleted c:\windows\system32\msvcrtd.exe
Downloaded and ran CCleaner.
Downloaded and ran AVG.
(I'm scared I got infected more while online downloading AVG.)
Here's the fresh Logs. (Gulp! Yikes!)
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:19:41 PM 7/11/2007
+ Scan result:
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000224.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000256.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000411.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001001.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001858.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP2\A0002005.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP5\A0002757.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002826.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002871.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003428.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003681.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004709.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005672.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005688.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006688.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007688.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007863.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008019.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008468.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008469.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003468.exe -> Downloader.Small.evw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003654.exe -> Downloader.Small.evw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1AHJDBXB\loadadv735[1].exe -> Dropper.Small.ayg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000243.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001004.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001859.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP2\A0001916.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP2\A0002006.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP5\A0002758.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002827.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002872.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003443.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003683.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004711.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005674.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005690.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006690.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007689.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007865.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008295.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008365.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008647.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008679.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0009677.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0009723.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0010021.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0012496.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003395.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003444.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003653.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003678.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004687.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004712.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005669.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005675.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005685.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005691.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006685.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006691.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007685.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007691.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007837.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007864.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
::Report end::

>>>>Username "Owner" - 2007-07-11 19:04:44 [Fixwareout edited 2007/07/05]
»»»»»Prerun check
System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"lanmanwrk.exe"="C:\\WINDOWS\\System32\\lanmanwrk.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool"="C:\\WINDOWS\\9129837.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Logfile of HijackThis v1.99.1
Scan saved at 9:28:40 PM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\qmhoepkf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis!\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1184036107828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184036016312
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)

#4 - gerbil, Jul 12th, 2007
Hi, heidi. Infection possibility while using AVG site: not likely, as long as you have Windows firewall ON.
And yikes! is right..... what a log. When this is over you are going to install an AV and a proper firewall, aren't you...? Right after you update to SP2... on dialup though, I think I would contact M$ and get the CD - it is only a $ or two to cover their basic costs. If you don't do those things there is every chance you will remain a regular visitor here.

Right, for now fix these entries with hijackthis:

O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)

Delete these files:
C:\WINDOWS\System32\qmhoepkf.exe
C:\WINDOWS\System32\lanmanwrk.exe

Run these lines:
sc delete MSDisk
sc delete MSWindows

System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go Control Panel > System > System Restore tab, check Turn off System Restore on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
==Run CCleaner again.
Do a Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt
==Change the name hijackthis.exe to imabunny.exe and post a fresh scan also.
Last edited by gerbil; Jul 12th, 2007 at 2:39 am.
Deep, deep in the woods, but walking about.
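The triage gerbil does by eye in posts #2 and #4 (services with "Unknown owner" or a missing binary, a Run value named after its own executable, a digits-only executable in the Windows root, a BHO whose DLL is gone, an unfamiliar process in System32, and the O17 NameServer he first flags and later withdraws) can be scripted. The block below is an added example, not code from this thread or from HijackThis. `BASELINE_PROCESSES`, `WINDOWS_DIRS`, the regexes and the reason strings are the example's own assumptions, not an authoritative list, and `SAMPLE_LOG` is a constructed sample assembled from lines posted in this thread (the HKCU ttool line is rewritten into HJT form from the Fixwareout output). O17 entries are rated "verify" rather than "fix" because, as the thread shows, those addresses turned out to be the ISP's own resolvers; pass them in as `expected_resolvers` to silence that finding.

```python
"""Added example, not from the thread: script the HijackThis 1.99 log triage gerbil does by eye.
BASELINE_PROCESSES and the heuristics are this example's own assumptions, not an authoritative list."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Finding:
    section: str        # HJT section ("O4", "O23", ...) or "proc" for the process list
    severity: str       # "fix": safe to remove; "verify": confirm with the user/ISP first
    reasons: List[str]
    line: str

# Processes expected on a bare XP SP1 box with Intel graphics (assumed for illustration).
BASELINE_PROCESSES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                      "spoolsv.exe", "explorer.exe", "igfxtray.exe", "hkcmd.exe", "notepad.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")
_O23 = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - "
                  r"(?P<owner>.+?) - (?P<path>.+)$")

def _split(path: str):
    """(directory, filename), both lower-cased, for a backslash path."""
    d, _, b = path.rpartition("\\")
    return d.lower(), b.lower()
def _exe_of(cmd: str) -> str:
    """First executable in a Run command line, surrounding quotes and switches stripped."""
    m = re.match(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|sys|com))"?', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split()[0]

def parse_processes(lines: List[str]) -> List[str]:
    procs, in_block = [], False
    for ln in lines:
        if ln.startswith("Running processes:"):
            in_block = True
        elif in_block and re.match(r"^[A-Za-z]:\\", ln):
            procs.append(ln)
        elif in_block and ln.strip():
            break
    return procs

def triage(log_text: str, expected_resolvers: Optional[Set[str]] = None) -> List[Finding]:
    """One Finding per suspicious line. O17 is only 'verify': in this thread the NameServer
    entry turned out to be the ISP's resolvers, so pass those in to accept them."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    out: List[Finding] = []
    for proc in parse_processes(lines):
        d, b = _split(proc)
        if d in WINDOWS_DIRS and b not in BASELINE_PROCESSES:
            out.append(Finding("proc", "verify", ["process in a Windows dir, not in baseline"], proc))
    for ln in lines:
        reasons: List[str] = []
        if (m := _O23.match(ln)):
            owner, display, path = m.group("owner").lower(), m.group("display"), m.group("path")
            if owner == "unknown owner":
                reasons.append("service carries no vendor information")
            if "(file missing)" in path.lower():
                reasons.append("service binary is gone: orphaned registration")
            if re.search(r"microsoft|windows|security update", display, re.I) and "microsoft" not in owner:
                reasons.append("display name imitates Microsoft but the vendor is not Microsoft")
        elif (m := _O4.match(ln)):
            dirname, base = _split(_exe_of(m.group("cmd")))
            if m.group("name").lower() == base:
                reasons.append("Run value is named after its own executable")
            if base.rsplit(".", 1)[0].isdigit() or dirname == r"c:\windows":
                reasons.append("odd executable name or location (digits-only name / Windows root)")
        elif (m := _O2.match(ln)) and "(file missing)" in m.group("path").lower():
            reasons.append("BHO registered but its DLL is missing")
        elif (m := _O17.match(ln)) and (
                expected_resolvers is None or not set(m.group("servers").split()) <= expected_resolvers):
            reasons.append("NameServer not confirmed as the ISP's resolvers; check before fixing")
        if reasons:
            section = ln.split(" ", 1)[0]
            out.append(Finding(section, "verify" if section == "O17" else "fix", reasons, ln))
    return out

# Constructed sample assembled from lines posted in this thread (ttool line rebuilt in HJT form).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\qmhoepkf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} [{f.severity}] {'; '.join(f.reasons)}\n     {f.line}")
```

The "fix" findings are the ones gerbil told Heidi to Fix Checked and then clean up with `sc delete` and a file delete; "verify" findings are the ones that need a question first (which ISP, what is this process) rather than a removal, which is exactly where the thread's first O17 instruction went wrong.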

#5 - HeidiGiller, Jul 12th, 2007
Ok, This is getting tricky. Panda scan is STILL scanning. I think the infection is respreading itself as I'm online doing the above mentioned tasks. (not from AVG website)
Anyway. VundoFix found no infections.
I'm looking around through my different folders and I noticed quite a few ".com" files in my "Windows/System32" folder.
chcp.com
command.com
diskcomp.com
diskcopy.com
edit.com
format.com
graftable.com
graphics.com
kb16.com
loadfix.com
mode.com
more.com
tree.com
win.com
Are these supposed to be there? All modified on the same date and at almost exactly the same time.
Also these keep popping up in C:\
tuto.exe
d.exe
I keep deleting them. I know they are a problem.
AVG said it found Dropper.Small.ayg, rootkitagent, backdooragent, and trojan agent. It quarantined them all, but then it kept saying it found it. So I clicked "Remove Finally" on them.
Now what should I do?
PandaScan is still at 75%. I'll post the log from that as soon as it finishes.

#6 - HeidiGiller, Jul 12th, 2007
OK, this sucks!
Finally PandaScan finished updating and I chose to scan My Computer. It starts the scan, detects a virus, fixes it, proceeds to scan and then my browser disappears and I start the whole process over. This has happened 5 times now! I keep running CCleaner, Fixwareout, AVG, HiJackThis.
What should I do now?
::::Here is a log of HijackThis. Renamed "ImABunny":::::
Logfile of HijackThis v1.99.1
Scan saved at 2:59:22 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis!\ImABunny.exe
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1184036107828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184036016312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

::::FixWareOut Log::::
Username "Owner" - 2007-07-12 14:46:02 [Fixwareout edited 2007/07/05]
»»»»»Prerun check

System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

#7 - gerbil, Jul 13th, 2007
Oh, heidi... Right. For a start, hijackthis is only a reporting tool, it does not repair anything unless set to do so. The first group of files, the .com ones, are MSDOS files for when XP runs DOS in an emulation environment. But they should have an old date, maybe 2004? If it is recent then there is a trojan which attacks .com files in system32, and it runs under the name of d.exe - could be your variant, may not be. AVG AS should have found it, combofix may.
Your Fixwareout run failed, I see that it did not list one TCPip entry - it is targeted by some malware. Delete your tool, and get a fresh copy and try it:
==Download fixwareout from http://www.bleepingcomputer.com/file...Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start ...
Empty the AVG quarantine bin: select all and delete. Oh, you did.
Get hold of and run Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
AVG AS - I am not convinced it is working properly - that scan result looks strange. I would uninstall it, download a fresh copy, update it and try a fresh scan, but in Safe Mode.
Then persist with Panda - you could run that in safe mode with Networking. It gets broken sometimes, but it is fixing things the while.
It may come down to accepting that you have a bad series of infections, saving important files to CD, DVD, and reinstalling after a format.
Deep, deep in the woods, but walking about.
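The timestamp test gerbil describes in post #7 (the MS-DOS .com stubs in System32 should still carry the install date; one recent, shared modification time across all of them is the trace of the .com-rewriting trojan he mentions) can be scripted. The block below is an added example, not code from the thread or from any of the tools named in it. It builds a constructed sample tree in a temporary directory, using the .com names Heidi listed in post #5 and a placeholder ntoskrnl.exe as the install-date baseline (the dates, the baseline file and `DOS_STUBS` are all assumptions), and reports the set as suspicious only when the stubs cluster within a few minutes of each other and that cluster is newer than the baseline, so the ordinary case of install-media files all sharing one old timestamp is not flagged. On a real box `com_timestamp_report` would be pointed at C:\Windows\System32 and a file known to date from installation.

```python
"""Added example, not from the thread: the .com timestamp check from post #7, run on a
constructed sample tree. A real run points com_timestamp_report at C:\\Windows\\System32."""
import os
import tempfile
from datetime import datetime, timedelta
from typing import Dict, Tuple

# The .com names Heidi listed in post #5; used here only to build the sample tree.
DOS_STUBS = ["chcp.com", "command.com", "diskcomp.com", "diskcopy.com", "edit.com",
             "format.com", "graftable.com", "graphics.com", "kb16.com", "loadfix.com",
             "mode.com", "more.com", "tree.com", "win.com"]

def com_timestamp_report(directory: str, baseline_file: str,
                         cluster_window: timedelta = timedelta(minutes=5)) -> Tuple[bool, Dict[str, str]]:
    """Suspicious when every .com file was modified within cluster_window of the others AND the
    whole cluster is newer than baseline_file (a file that should still carry the install date).
    Install media stamps all files with one old date, so an old cluster is normal; a fresh
    cluster across every stub is the mass-rewrite pattern gerbil describes."""
    coms = [f for f in os.listdir(directory) if f.lower().endswith(".com")]
    if not coms:
        return False, {"count": "0"}
    stamps = [os.path.getmtime(os.path.join(directory, f)) for f in coms]
    baseline = os.path.getmtime(baseline_file)
    oldest, newest = min(stamps), max(stamps)
    clustered = (newest - oldest) <= cluster_window.total_seconds()
    newer_than_baseline = oldest > baseline
    details = {
        "count": str(len(coms)),
        "spread_seconds": f"{newest - oldest:.0f}",
        "oldest_stub": datetime.fromtimestamp(oldest).isoformat(timespec="seconds"),
        "baseline": datetime.fromtimestamp(baseline).isoformat(timespec="seconds"),
    }
    return clustered and newer_than_baseline, details

def _touch(path: str, when: datetime) -> None:
    """Write a placeholder file and back-date its mtime (constructed data, not a real binary)."""
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder")
    os.utime(path, (when.timestamp(), when.timestamp()))

def build_sample_tree(root: str, infected: bool) -> Tuple[str, str]:
    """Constructed System32 look-alike: a kernel image dated at install, and the .com stubs
    either untouched (clean) or all rewritten a few seconds apart three years later."""
    sys32 = os.path.join(root, "System32")
    os.makedirs(sys32, exist_ok=True)
    install = datetime(2004, 8, 4, 12, 0, 0)    # assumed install date
    rewrite = datetime(2007, 7, 10, 21, 3, 0)   # assumed date of the mass rewrite
    kernel = os.path.join(sys32, "ntoskrnl.exe")
    _touch(kernel, install)
    for i, name in enumerate(DOS_STUBS):
        _touch(os.path.join(sys32, name), rewrite + timedelta(seconds=i) if infected else install)
    return sys32, kernel

def demo(infected: bool) -> bool:
    """Build the sample tree in a temp dir and return the verdict (True = suspicious)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32, kernel = build_sample_tree(tmp, infected)
        suspicious, _details = com_timestamp_report(sys32, kernel)
        return suspicious

if __name__ == "__main__":
    for flag in (False, True):
        print(f"infected={flag}: suspicious={demo(flag)}")
```

A service pack or hotfix can also re-stamp some of these files in one go, so a hit is a reason to compare the files against copies from the install media, not proof of infection on its own.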

#8 - HeidiGiller, Jul 13th, 2007
Originally Posted by gerbil:
It may come down to accepting that you have a bad series of infections, saving important files to CD, DVD, and reinstalling after a format.
To be honest, I've already accepted it and I'd kinda rather just do that! (I almost did, but I just reinstalled windows instead)
But, will reformatting really take care of the problem completely? Any info you can give me about reformatting would be GREAT! The only info my son really wants to save is his ripped music (some of his CDs are severely scratched, so he can't re-rip). But even then....the computer is all F'd up anyway. Half of the programs need reinstalling, some of them can't uninstall or delete. There are double folders in c:/documents and settings (Admin.6024blah blah, Admin.1143, All Users, All Users.Windows, Default User, Default User.Windows, etc., etc.) because I reinstalled. I found a site describing how to remedy this problem by cut/paste folders into each other to consolidate, but I don't even want to bother. My son is here for 3 more weeks, and I'd like to get this computer fixed before he goes back to his dad's.
I'll just need to teach myself about reformatting, partitions, boot drives, etc. I don't fully grasp some aspects of these, yet. I thought I read somewhere that you can't reformat the drive windows boots from or something like that. I really appreciate your help. I will keep trying to run Panda. I'll try safe mode and keep you posted. Now HiJackThis keeps disappearing when I try to run it. AdAware and SpyBot still run.

#9 - gerbil, Jul 15th, 2007
Skip running fixwareout - log is fine from that aspect.. the O17 entry represents the DNS server that your ISP uses, and I should have been sharper on that, but at least the second run showed that a couple of trojan registry entries had been removed.
AVG found infections in several restore points, but those have all been removed now by that procedure of turning restore off/on.
Time to give up on Panda, I think, for the time being. Try the two scans below and post any positive results. Do not use your computer while it scans.

But first, check for and delete [I think they will be missing]:
C:\WINDOWS\9129837.exe
C:\WINDOWS\hide_evr2.sys


==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
If Kaspersky completes try another AVG AS scan.

[[Pretty much it is possible to invest too much time cleaning a machine. I'm keeping in mind that you are on dialup, but we should manage it. If you do decide to go with a clean start then we can show you programs to write patterns on your HD to destroy all info, then guide you through reinstallation, sorting out a decent setup with multiple partitions if you so desire.
"I read somewhere that you can't reformat the drive windows boots from...." - no, you cannot, but you can do it from windows setup when you reinstall...or with free 3rd party tools.
Yes, first you would copy out your son's music though, and any other valuable documents or pictures.]]
Deep, deep in the woods, but walking about.

#10 - HeidiGiller, Jul 16th, 2007
Originally Posted by gerbil:
If you do decide to go with a clean start then we can show you pgms to write patterns on your HD to destroy all info, then guide you through reinstallation, sorting out a decent setup with multiple partitions if you so desire.
Could ya please?
Looks like my only option at this point. Kids insisted on going on computer in between fixing it, (seeing as it was working a little.) I told 'em better not! All of a sudden, while mid-game, the computer restarted and is now stuck in infinite reboot pattern. I caught it in between one of the bootups and pressed F8. Tried to start in Safe Mode. Just kept restarting and restarting. So I pressed the off button and haven't tried to turn it on since. Nothing on it that is valuable. Can re-rip music, and game files........ Bah!
Thanks for all your help so far!

Forum: Viruses, Spyware and other Nasties
©2003 - 2009 DaniWeb® LLC