Possibly..
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis .exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.
Post both the logs here.
Hi! Infected with virus. Please help
Hi!
I started having problems with my computer when a friend sent a file through MSN Messenger, and after I accepted and opened it my instant messenging starting going nuts. My computer is now running very slowly, and oftenly opening up an annoying windows offering antivirus softwares.
Can you help me please?
Thank you kindly in advance!
Algis
Hi Gerbil,
Thank you in advance for your help.
I downloaded the Smitfraudfix, extracted to my desktop, opened the Smitfraudfix folder, double clicked on smitfraudfix.cmd, and a black box opened up. However, it doesn't allow me to type 1 and enter as you instructed. After about 30 or 40 seconds, the box turns red and says
Process.exe file missing! Unzip all the archive in a folder.
Did I miss something?
Thanks Gerbil
Try downloading another copy... extract ALL the files to your desktop or a scratch directory.... double-click smitfraudfix.cmd - it should run, I just did a fresh dl and tested it for you.
Possibly..
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis .exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.
Post both the logs here.
SmitFraudFix v2.226
Scan done at 20:25:32.68, Thu 09/20/2007
Run from D:\Documents and Settings\Algis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
C:\Gizmo Project\mDNSResponder.exe
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\NavNT\vptray.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Gizmo Project\Gizmo.exe
D:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» D:\
»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Algis
»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Algis\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Algis\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: 3Com 3C900B-TPO Ethernet Adapter (Generic) - Packet Scheduler Miniport
DNS Server Search Order: 200.118.2.66
DNS Server Search Order: 200.118.2.18
DNS Server Search Order: 200.118.2.85
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45D50747-CE5D-492D-9C07-CAF2CCCE8355}: DhcpNameServer=200.118.2.66 200.118.2.18 200.118.2.85
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45D50747-CE5D-492D-9C07-CAF2CCCE8355}: DhcpNameServer=200.118.2.66 200.118.2.18 200.118.2.85
HKLM\SYSTEM\CS3\Services\Tcpip\..\{45D50747-CE5D-492D-9C07-CAF2CCCE8355}: DhcpNameServer=200.118.2.66 200.118.2.18 200.118.2.85
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=200.118.2.66 200.118.2.18 200.118.2.85
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=200.118.2.66 200.118.2.18 200.118.2.85
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=200.118.2.66 200.118.2.18 200.118.2.85
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
-Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:42 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
C:\Gizmo Project\mDNSResponder.exe
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\NavNT\vptray.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Gizmo Project\Gizmo.exe
D:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\imabunny.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - D:\WINDOWS\system32\ddcbxyv.dll
O2 - BHO: (no name) - {E93506F3-6051-4B94-A7DC-8C3367B20F59} - D:\WINDOWS\system32\yabcy.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Mqjehc] C:\Program Files\Ydvq\Pyywyd.exe
O4 - HKLM\..\Run: [ngrkep] d:\windows\system32\ngrkep.exe
O4 - HKLM\..\Run: [PaciSoft] D:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] D:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] D:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [D:\WINDOWS\IEXPLOR.EXE] D:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] D:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [7FoX33l] chkisn.exe
O4 - HKLM\..\Run: [pze] D:\Program Files\prpo\ishxpb.exe
O4 - HKLM\..\Run: [hzmfzpwrxrtysdeutseva] D:\WINDOWS\zrdpktfo.exe
O4 - HKLM\..\Run: [D:\WINDOWS\WinTask.exe] D:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [ctmpsd] D:\WINDOWS\ctmpsd.exe
O4 - HKLM\..\Run: [AutoLoader7s7r1NYWJdXZ] "D:\WINDOWS\system32\chkisn.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Gizmo Project] "C:\Gizmo Project\Gizmo.exe"
O4 - HKLM\..\Run: [Windows Lsass Services] D:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [Salestart] "D:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\isnaismi.dll",sitypnow
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mo77RTJ2S] wshprbda.exe
O4 - HKCU\..\Policies\Explorer\Run: [qdxcuo.exe] D:\WINDOWS\system\qdxcuo.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: CSCSettings - D:\WINDOWS\system32\lvj6091se.dll (file missing)
O20 - Winlogon Notify: ddcbxyv - D:\WINDOWS\SYSTEM32\ddcbxyv.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Gizmo Project\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
--
End of file - 5608 bytes
Errrk!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post
that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your
desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post the contents of C:\vundofix.txt, C:\Combofix.txt plus a new HijackThis log.
I did have a vundo, but now my computer is slowed down drastically because of iexplore.exe or svchosts.exe because there are 5 of them. I have sometimes 80% usage of iexplore.exe with just 1 or no IE windows open.
here is my log
please HELP
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:36 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ybag\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 5082 bytes
Errrk!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - postthat log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable yourdesktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post the contents of C:\vundofix.txt, C:\Combofix.txt plus a new HijackThis log.
Hi Gerbil!
Wow, it's been some work but I believe I'm making some progress...
Here are the logs you asked me for:
VundoFix V6.5.8
Checking Java version...
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 1:45:16 AM 9/21/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Beginning removal...
Beginning removal...
VundoFix V6.5.8
Checking Java version...
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 2:13:44 AM 9/21/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
ComboFix 07-09-20.1 - "Algis" 2007-09-21 2:49:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.123 [GMT -5:00]
Script execution time was exceeded on script "D:\ComboFix\restore_pt.vbs".
Script execution was terminated.
. ADS - svchost.exe: deleted 68 bytes in 1 streams.
(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\clsid\{F9E78894-A77F-48E3-8C29-37A21D9B0645}]
@=""
[HKEY_CLASSES_ROOT\clsid\{F9E78894-A77F-48E3-8C29-37A21D9B0645}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{F9E78894-A77F-48E3-8C29-37A21D9B0645}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{F9E78894-A77F-48E3-8C29-37A21D9B0645}\InprocServer32]
@="D:\\WINDOWS\\system32\\tipelib.dll"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Granting SeDebugPrivilege to Administrators ... successful
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\DOCUME~1\Algis\APPLIC~1\WinAntiSpyware 2007
D:\DOCUME~1\Algis\APPLIC~1\WinAntiSpyware 2007 Free
D:\DOCUME~1\Algis\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
D:\DOCUME~1\Algis\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
D:\DOCUME~1\Algis\APPLIC~1\winantispyware2007freeinstall[1].exe
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
D:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
D:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
D:\Program Files\Common Files\winantispyware 2007
D:\Program Files\Common Files\winantispyware 2007\err.log
D:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
D:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\ddcbxyv.dll
D:\WINDOWS\system32\drivers\fopn.sys
D:\WINDOWS\system32\khfefee.dll
D:\WINDOWS\system32\yabcy.dll
D:\WINDOWS\system32\ycbay.bak1
D:\WINDOWS\system32\ycbay.bak2
D:\WINDOWS\system32\ycbay.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_FOPN
-------\ApiMon
((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.
2007-09-21 02:45 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-09-21 01:45 d-------- D:\VundoFix Backups
2007-09-21 01:39 d-------- D:\WINDOWS\pss
2007-09-20 20:44 401,720 --a------ D:\Program Files\imabunny.exe
2007-09-20 20:26 4,112 --a------ D:\WINDOWS\system32\tmp.reg
2007-09-20 20:24 53,248 --a------ D:\WINDOWS\system32\Process.exe
2007-09-20 20:24 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
2007-09-20 20:24 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2007-09-20 20:24 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2007-09-20 19:29 83,008 --a------ D:\WINDOWS\system32\isnaismi.dll
2007-09-18 23:03 d-------- D:\Plugins
2007-09-18 22:58 d-------- D:\QuickTimePlayer.Resources
2007-09-18 22:55 d-------- D:\PictureViewer.Resources
2007-09-18 22:53 d-------- D:\QTSystem
2007-09-18 22:53 d-------- D:\QTComponents
2007-09-18 22:53 d-------- D:\PropertyPanels
2007-09-18 22:50 d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-05 00:55 d-------- D:\Program Files\Virtual Earth 3D
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 20:54 5609 --a------ D:\Program Files\hijackthis.log
2007-09-18 22:50 --------- d-------- D:\Program Files\Apple Software Update
2007-09-18 22:08 --------- d-------- D:\Program Files\Common Files\Real
2007-09-18 22:04 --------- d-------- D:\DOCUME~1\Algis\APPLIC~1\Real
2007-09-12 18:28 --------- d-------- D:\Program Files\MSN Messenger
2007-06-29 06:25 749568 --a------ D:\QTOControl.dll
2007-06-29 06:25 684032 --a------ D:\QTOLibrary.dll
2007-06-29 06:25 618496 --a------ D:\QTInfo.exe
2007-06-29 06:25 6124864 --a------ D:\QuickTimePlayer.exe
2007-06-29 06:25 303104 --a------ D:\QTUIPanelControl.dll
2007-06-29 06:24 483328 --a------ D:\PictureViewer.exe
2007-06-29 06:24 286720 --a------ D:\QTTask.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="D:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"PrinTray"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 12:32]
"Mqjehc"="C:\Program Files\Ydvq\Pyywyd.exe" []
"ngrkep"="d:\windows\system32\ngrkep.exe" []
"PaciSoft"="D:\WINDOWS\system32\pacis.exe" []
"exp.exe"="D:\WINDOWS\system32\exp.exe" []
"D:\WINDOWS\IEXPLOR.EXE"="D:\WINDOWS\IEXPLOR.EXE" []
"AtxBrw"="D:\WINDOWS\IEXPLOR.exe" []
"7FoX33l"="chkisn.exe" []
"pze"="D:\Program Files\prpo\ishxpb.exe" []
"hzmfzpwrxrtysdeutseva"="D:\WINDOWS\zrdpktfo.exe" []
"D:\WINDOWS\WinTask.exe"="D:\WINDOWS\WinTask.exe" []
"ctmpsd"="D:\WINDOWS\ctmpsd.exe" []
"AutoLoader7s7r1NYWJdXZ"="D:\WINDOWS\system32\chkisn.exe" []
"Ink Monitor"="D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 09:54]
"EPSON Stylus C67 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.exe" [2005-01-24 23:00]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Gizmo Project"="C:\Gizmo Project\Gizmo.exe" [2007-06-15 17:00]
"Windows Lsass Services"="D:\WINDOWS\system\lsass.exe" []
"QuickTime Task"="D:\QTTask.exe" [2007-06-29 06:24]
"SearchIndexer"="D:\WINDOWS\system32\isnaismi.dll" [2007-09-20 19:29]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Mo77RTJ2S"="wshprbda.exe" []
"eyeBeam SIP Client"="" []
R1 lusbaudio;Logitech USB Microphone;D:\WINDOWS\system32\drivers\OVSound2.sys
R3 mgau;mgau;D:\WINDOWS\system32\DRIVERS\mgaum.sys
R3 QCEmerald;Logitech QuickCam Web;D:\WINDOWS\system32\DRIVERS\OVCE.sys
S3 AvFlt;Antivirus Filter Driver;D:\WINDOWS\system32\drivers\av5flt.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 03:51:10 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 03:10:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D:\\WINDOWS\\IEXPLOR.EXE"="D:\\WINDOWS\\IEXPLOR.EXE"
"D:\\WINDOWS\\WinTask.exe"="D:\\WINDOWS\\WinTask.exe"
.
Completion time: 2007-09-21 3:14:40 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-09-21 03:14
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:54 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
C:\Gizmo Project\mDNSResponder.exe
D:\Program Files\NavNT\vptray.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\NavNT\defwatch.exe
C:\Gizmo Project\Gizmo.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\imabunny.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Mqjehc] C:\Program Files\Ydvq\Pyywyd.exe
O4 - HKLM\..\Run: [ngrkep] d:\windows\system32\ngrkep.exe
O4 - HKLM\..\Run: [PaciSoft] D:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] D:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [D:\WINDOWS\IEXPLOR.EXE] D:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] D:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [7FoX33l] chkisn.exe
O4 - HKLM\..\Run: [pze] D:\Program Files\prpo\ishxpb.exe
O4 - HKLM\..\Run: [hzmfzpwrxrtysdeutseva] D:\WINDOWS\zrdpktfo.exe
O4 - HKLM\..\Run: [D:\WINDOWS\WinTask.exe] D:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [ctmpsd] D:\WINDOWS\ctmpsd.exe
O4 - HKLM\..\Run: [AutoLoader7s7r1NYWJdXZ] "D:\WINDOWS\system32\chkisn.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Gizmo Project] "C:\Gizmo Project\Gizmo.exe"
O4 - HKLM\..\Run: [Windows Lsass Services] D:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\isnaismi.dll",sitypnow
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mo77RTJ2S] wshprbda.exe
O4 - HKCU\..\Policies\Explorer\Run: [qdxcuo.exe] D:\WINDOWS\system\qdxcuo.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Gizmo Project\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
--
End of file - 4943 bytes
Thanks
Oh dear...
pately, please do not post in another's thread, you risk getting little or no attention, and it is just plain confusing at times.
Algis, sorry about that earlier post "I must see those vundofix and combofix logs!! Please!" - things do, of course, go mostly at the pace you decide normally, it was that intervening log of pately's that threw me - suddenly I was seeing a different computer.... anyway my impatient-sounding post was because of that and me doing other work.
I shall remind you of this later, now is not the time to update your Java but please now do go into CP > add/remove pgms and remove all the oldest versions of Java, keep only the latest [which is out of date!].
I note that Vundofix failed to run correctly... Combofix detected and cleaned some vundo files. Please delete C:\vundofix.txt and your copy of vundofix.exe.
Combofix also struggled. I just tested it on my pc - it took less than 3 minutes to complete, but my sys is clean.... Please delete combofix.txt and combofix.exe.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip -unzip it to your desktop.
You must be in an Administrator-privileged account to run this procedure...
Okay, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Mqjehc] C:\Program Files\Ydvq\Pyywyd.exe
O4 - HKLM\..\Run: [ngrkep] d:\windows\system32\ngrkep.exe
O4 - HKLM\..\Run: [PaciSoft] D:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] D:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [D:\WINDOWS\IEXPLOR.EXE] D:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] D:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [7FoX33l] chkisn.exe
O4 - HKLM\..\Run: [pze] D:\Program Files\prpo\ishxpb.exe
O4 - HKLM\..\Run: [hzmfzpwrxrtysdeutseva] D:\WINDOWS\zrdpktfo.exe
O4 - HKLM\..\Run: [D:\WINDOWS\WinTask.exe] D:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [ctmpsd] D:\WINDOWS\ctmpsd.exe
O4 - HKLM\..\Run: [AutoLoader7s7r1NYWJdXZ] "D:\WINDOWS\system32\chkisn.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Windows Lsass Services] D:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\isnaismi.dll",sitypnow
O4 - HKCU\..\Run: [Mo77RTJ2S] wshprbda.exe
O4 - HKCU\..\Policies\Explorer\Run: [qdxcuo.exe] D:\WINDOWS\system\qdxcuo.exe
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
Good. Start Avenger, select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block ALL the text between the lines:-
_____________________________________
Files to delete:
C:\Program Files\Ydvq\Pyywyd.exe
d:\windows\system32\ngrkep.exe
D:\WINDOWS\system32\pacis.exe
D:\WINDOWS\system32\exp.exe
D:\WINDOWS\IEXPLOR.EXE
D:\Program Files\prpo\ishxpb.exe
D:\WINDOWS\zrdpktfo.exe
D:\WINDOWS\WinTask.exe
D:\WINDOWS\ctmpsd.exe
D:\WINDOWS\system32\chkisn.exe
D:\WINDOWS\system32\wshprbda.exe
D:\WINDOWS\wshprbda.exe
D:\WINDOWS\system\qdxcuo.exe
Folders to delete:
C:\Program Files\Ydvq
D:\Program Files\prpo
__________________________________
...and click Done, and finally the green light.
Follow promps to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
Because of the problems I noted above I would like you to do these next things also:
First, clean:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Next, run one of these two rootkit scans, both if you wish... and post any positive results. Do not use your computer while it scans.
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -read that page, dl the file at foot, start it and Scan.
And finally scan for malware with one of these two:
==Pandasoftware ActiveScan using IE only from http://www.pandasoftware.com/products/activescan? -link is at right above the padlock: free online virus scan; just follow through the pages, supply a "valid" email address... To reduce the number of detections run either CCleaner or ATF cleaner first [to remove cookies].
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
Please post the Avenger, rootkit and online scan logs and a fresh hijackthis log file.
