
CPU bogged down. Spyware/Malware?

My computer has recently been bogged down by what was at first a virus, and then a series of adware/malware programs that were (and some still are) running. I've gone through the "Fixes for Specific Infections" thread, as well as the "PC Cleaning Procedures & Detection Tools" thread, but I'm still having a huge delay in booting/shutting down the system, and unless I set priorities to my programs (Firefox, Explorer etc.) they take forever to load. I've had to disable IExplorer (Windows XP SP2) because I was getting popups for spyware/adware detectors all the time, which again slowed down my system. I'm not really sure what else I can do with this, as I've gone through the big threads (listed above) and haven't had full success.

I'm getting programs like ping.exe running always (with the address of C:\WINDOWS\system32\CROSOF~1\ping.exe and an extension of "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv running) and another one called jvaw~1.exe but I can't seem to remove them, no matter what I do.

Can anyone help me? Thanks in advance.

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Please download HJT from here.

After you download the zip extract the contents to a permanent folder such as C:\HJT or something similar.

Run the program and scan your computer. It will come up with a lot of entries (don't fix anything yet). There should be a save log option. It will save a log of the scan.

Post the HJT log in your next reply.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

This is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:21 PM, on 25/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
C:\Documents and Settings\Family\Desktop\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {0AA45C7C-98BD-B118-999D-E5FC5FF0BCE1} - C:\WINDOWS\system32\mchj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

I also get a pop-up that says 'This action cannot be completed because the other program is busy. Choose "Switch To" to activate the busy program and correct the problem,' with a "Switch To..." and "Retry" button able to be pushed. I'm not sure if this is a Windows notification, or a 3rd party scam.

Any ideas?

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Ping.exe is a valid process but jvaw~1.exe is not, so let's get started.

First run HJT and check the following.
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
Close all other windows and click fix checked.

Reboot to safe mode by tapping the F8 key during startup.
Delete the following files and folders.
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
C:\Documents and Settings\Family\My Documents\??stem
C:\WINDOWS\system32\arpa.dll
C:\WINDOWS\SYSTEM32\JVAW~1.EXE
Reboot Normally and reply with any problems that still exist. Also post a new HJT log.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

When I try to fix those entries in HJT I'm given an error pop-up:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: mmc.dll arpa.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

What do I do now?

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Move HJT to C:\HJT and try again.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

When I moved the folder to C:\ drive and retried the fix, I got the same error.

I booted into SafeMode and was able to delete the "?ttrib.exe" file and the "??stem" folder (system\attrib.exe), but was unable to delete the arpa.dll file. It said that it was in use by another program. Also, the jvaw~1.exe file did not exist. I'm really confused now ...

Here's my new HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 1:31:35 AM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {00755647-9D85-EB24-A360-EF1C819DB3B1} - C:\WINDOWS\system32\dojuzf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: arpa.dll rundll.dll mmc.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

OK, download Pocket Killbox from here.
Run Killbox and check the box that says delete files on reboot.
Then select the all files button.
Go to the folder icon and navigate to the arpa.dll and TTRIB~1.EXE and click OK. When you go to the drop down box you should see them there.
Close all other windows and click on the kill button (red circle with white x). Killbox should reboot your computer. After it's done post a new HJT log.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

I can never find "TTRIB~1.EXE"! I deleted it in SafeMode once, but I've never been able to find it since (SafeMode or normal).

Here's the NEW log ...

Logfile of HijackThis v1.99.1
Scan saved at 11:44:43 PM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {00755647-9D85-EB24-A360-EF1C819DB3B1} - C:\WINDOWS\system32\dojuzf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

kylethedarkn-

Ping.exe is a valid process

Not when it's running from a folder named "C:\WINDOWS\system32\CROSOF~1", it isn't. :mrgreen: The entire "CROSOF~1" folder is bogus.
(Besides, the ping command normally sends only 4 ping requests and then quits; it's not a persistent process.)

I've got to log off and get some sleep right now, but from what I can see, you're dealing with a PurityScan/OIN infection there.

-

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
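Following DMR's point, here is an added example (not from the thread and not HijackThis' own code) that triages an HJT 1.99 log for the signs visible in the logs above: a system32 binary name launched from some other directory, an 8.3 short-name folder under system32, "?" or non-ANSI characters in a path, an unnamed URLSearchHook backed by a DLL, and a populated AppInit_DLLs line. The sample log is constructed from lines quoted in the thread; the list of known system32 binaries and the location rules are assumptions for this demo.

```python
"""Triage a HijackThis (HJT) 1.99 log for the indicators discussed in this thread.

Added example; not part of the thread and not HijackThis' own code. The sample log
below is constructed from lines quoted in the thread. SYSTEM32_BINARIES and the
"expected location" rules are assumptions for the demo, not an exhaustive list.
"""
import re
from typing import List, Tuple

SYSTEM32 = r"c:\windows\system32"

# Executables that legitimately live directly in system32 on Windows XP (assumed,
# not exhaustive). One of these names launched from any other directory is the
# impersonation DMR points out: CROSOF~1\ping.exe is not the real ping.
SYSTEM32_BINARIES = {"ping.exe", "attrib.exe", "taskmgr.exe", "svchost.exe"}

_O4_RE = re.compile(r"^O4 - (?P<hive>HK..)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)

# Constructed from the first HJT log posted in the thread.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {0AA45C7C-98BD-B118-999D-E5FC5FF0BCE1} - C:\WINDOWS\system32\mchj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
"""


def path_findings(path: str) -> List[str]:
    """Reasons an executable path from a Run key deserves a closer look."""
    reasons: List[str] = []
    low = path.lower()
    directory, _, basename = low.rpartition("\\")

    # '?' is not a legal character in a Windows file name, so HJT printed it in
    # place of a character outside the system code page. The ewido report in
    # this thread shows the same trick rendered as Greek/Cyrillic look-alikes.
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("non-ANSI character in path (look-alike or unprintable name)")

    if basename in SYSTEM32_BINARIES and directory != SYSTEM32:
        reasons.append(f"{basename} launched from {directory} instead of system32")

    # A short-name (8.3) subdirectory directly under system32, e.g. CROSOF~1.
    if directory.startswith(SYSTEM32 + "\\") and "~" in directory[len(SYSTEM32):]:
        reasons.append("8.3 short-name subdirectory under system32 (e.g. CROSOF~1)")
    return reasons


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries worth investigating."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _O4_RE.match(line)
        if m:
            exe = _EXE_RE.search(m.group("cmd"))
            if exe:
                for reason in path_findings(exe.group("path")):
                    findings.append((line, reason))
            continue
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs are mapped into every process that loads user32.dll,
            # which is why a DLL listed here stays "in use" and cannot be deleted
            # while Windows is running normally.
            findings.append((line, "non-empty AppInit_DLLs entry"))
        elif line.startswith("R3 - URLSearchHook: (no name)") and not line.endswith("(no file)"):
            findings.append((line, "unnamed URLSearchHook backed by a DLL"))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{why}\n    {entry}")
```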
 

OK then, let's do a couple of things.
First download Ewido's Security Suite from here. Install ewido anti-malware.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files. On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
Open up Ewido
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.
Reboot.


After rebooting run HJT and check the following if they are still there.
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Close all other windows and click fix checked.

Now scan the following file using Jotti's online scanner.
C:\WINDOWS\system32\dojuzf.dll

Reboot to safe mode and delete the following files and folders if existing.
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\WINDOWS\system32\CROSOF~1
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1
Reboot to Normal.

Post the Ewido log and the HJT log.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

I ran ewido twice, because I couldn't delete 2 files. The second time I couldn't quarantine them. What can I do now?

Run 1:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:48:39 PM 01/07/2006

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01IBOPUV\!update-3915[1].0000 -> Adware.ClickSpring : Cleaned.
C:\WINDOWS\Τasks\taskmgr.exe -> Adware.ClickSpring : Cleaned.
C:\!KillBox\arpa.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\__delete_on_reboot__a_r_p_a_._d_l_l_ -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\mmc.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\rundll.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\vlvpdabr.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\Оracle\wіnspool.exe -> Adware.PurityScan : Cleaned.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned.
[1016] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1084] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1164] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1356] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1632] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1764] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1804] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1836] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1936] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[2040] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[444] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[476] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[488] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[664] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[676] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[848] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[920] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\system32\fccaxuv.dll -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Family\Local Settings\Application Data\01f6d7c3.exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\01f6d7c3.exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8TQR4T2R\!update-3895[1].0000 -> Downloader.PurityScan.co : Cleaned.
C:\WINDOWS\system32\regperf.exe -> Downloader.Zlob.vr : Cleaned.
C:\WINDOWS\system32\dcomcfg.exe -> Downloader.Zlob.vt : Cleaned.
:mozilla.212:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.51:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.52:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.53:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.65:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.66:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.78:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Family\Cookies\Family@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.90:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.92:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.96:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.97:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.117:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.118:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.119:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.120:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.161:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.100:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.104:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.105:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.106:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.107:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.222:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.75:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.76:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.181:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.21:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.141:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.142:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Family\Cookies\Family@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.125:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.165:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.166:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.167:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.168:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.169:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.170:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.171:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.172:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.233:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.234:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.235:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.18:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.19:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.20:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.34:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.191:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.192:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.71:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.72:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.73:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.74:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.221:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Xhit : Cleaned.
C:\WINDOWS\system32\winyme32.dll -> Trojan.Agent.vg : Cleaned.
[616] C:\WINDOWS\system32\winyme32.dll -> Trojan.Agent.vg : Error during cleaning.


::Report end

Run 2:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:08:48 PM 01/07/2006

+ Scan result:

C:\WINDOWS\system32\__delete_on_reboot__a_r_p_a_._d_l_l_ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1016] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1084] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1164] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1356] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1632] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1764] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1804] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1836] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1936] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[2040] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[444] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[476] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[488] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[664] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[676] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[848] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[920] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\system32\__delete_on_reboot__w_i_n_y_m_e_3_2_._d_l_l_ -> Trojan.Agent.vg : Cleaned with backup (quarantined).
[616] C:\WINDOWS\system32\winyme32.dll -> Trojan.Agent.vg : Error during cleaning.


::Report end

I also ran HJT but I couldn't find any of those entries.
Logfile of HijackThis v1.99.1
Scan saved at 6:19:05 PM, on 01/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Upon rebooting in SafeMode, there were no folders "stem~1" or "crosof~1", and the "ping.exe" and "ttrib~1.exe" files weren't found. I did however, find "ping6.exe" in the System32 folder, and I noticed that in the Windows\Temp folder there were files called "Win1A.tmp", "Win1B.tmp" etc. Are these normal?

Thanks for all your help!

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
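As an added illustration (not code from anyone in this thread, and not part of HijackThis itself), here is a small Python script that triages HJT "O" lines the way a helper reads them: it parses each entry, flags the O20 AppInit_DLLs line as the high-risk persistence point, marks "(file missing)" registrations as leftovers to verify, and calls out 8.3 short-name subfolders directly under system32 (such as the CROSOF~1 path from the first post), which are unusual there. The sample input is constructed: the O-lines are copied from the log above, plus one constructed O4 line modelled on the ping.exe path the original poster described.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: O-lines copied from the HijackThis log in this
# thread, plus one constructed O4 line (the [ping] entry) modelled on the
# "CROSOF~1\ping.exe" path described in the first post. Not a real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ping] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido\guard.exe
"""

# Every HJT finding has the form "O<n> - <body>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# An 8.3 short name (up to six chars, tilde, digit) used as a directory
# immediately under system32. Short names are normal for "Program Files"
# (PROGRA~1) but a short-named subfolder of system32 is not something
# Windows or Office creates.
SHORTNAME_IN_SYSTEM32 = re.compile(r"system32\\[A-Z0-9_]{1,6}~\d+\\", re.IGNORECASE)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (kind, body) pairs for each O-line; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_entry(kind: str, body: str) -> List[str]:
    """Apply the heuristics a helper applies by eye; return findings (may be empty)."""
    findings = []
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll,
        # so a single unknown DLL here affects the whole session.
        findings.append("HIGH: AppInit_DLLs injects this DLL into every user32-linked process; "
                        "legitimate software rarely uses it")
    if "(file missing)" in body:
        # Usually an uninstall leftover or a partially removed component;
        # verify rather than assume it is malicious.
        findings.append("MEDIUM: registration points at a file that is no longer present")
    if SHORTNAME_IN_SYSTEM32.search(body):
        findings.append("MEDIUM: 8.3 short-name subfolder directly under system32 is unusual "
                        "and is used to mimic names such as 'Microsoft'")
    return findings


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged O-line (as written in the log) to its findings."""
    report: Dict[str, List[str]] = {}
    for kind, body in parse_entries(log):
        findings = triage_entry(kind, body)
        if findings:
            report[f"{kind} - {body}"] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ", f)
```

Running it on the sample flags three lines: the constructed [ping] O4 entry, the O18 msnim "(file missing)" entry and the O20 arpa.dll entry; the Java, ctfmon, Office and ewido lines pass untouched. The heuristics are deliberately narrow so that a reader checks the flagged lines by hand, as the helper does in this thread, instead of trusting a script to decide what to fix.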
 

The reason the HJT lines weren't there is because you were in safe mode. Reboot to normal, check and fix the HJT lines, then reboot to safe mode, run ewido and see if it deletes the arpa.dll and the other thing.

If that doesn't work download Pocket killbox from here .

Open Killbox and select the delete on reboot option and click on all files.
Then click on the open folder symbol and navigate to the following.
C:\WINDOWS\system32\winyme32.dll
C:\WINDOWS\system32\arpa.dll
When you click on them press ok and then go to the next file.
Make sure that both files are located in the drop down box.
Now click on the kill button (the red circle with a white X).
The computer should restart itself; if it doesn't, restart it manually.

Post the new HJT and ewido logs.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

When I run HJT and I select the arpa.dll file, and only that file, I still get this error message:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

And neither KillBox nor Windows search can find arpa.dll or winyme32.dll.

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Ok, go here and download the Purity Scan uninstaller, run it and tell me if that works.

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

I think that did it! :D
Logfile of HijackThis v1.99.1
Scan saved at 11:31:02 PM, on 02/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

THANK YOU! THANK YOU! THANK YOU! :D:D:D

BlooGoo
Newbie Poster
10 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

You're welcome, and if you're not experiencing any problems you can mark this thread as solved (there should be a link at the top of the page).

kylethedarkn
A.K.A. The Laughing Man
Team Colleague
628 posts since May 2006
Reputation Points: 55
Solved Threads: 39
 

This question has already been solved
