Member Avatar for iggyvill

Hi, I am on my aunts computer. Trying to get rid of this Big Bad Virus. Idk how she got it but it really hard to get out. I downloaded nortan virus and that didn't even remove it after like 2 hours of scanning and deleting some trojans and stuff that were on it.

I looked the program up on google and found this website. A user had the same problem as me. This is what he said:

I was listening to songs when i was move to a website to download mp3 codec. Stupidly i didnt think and run the exe. It turn out to be a virus. Now I get stuff at my toolbar saying low cpu perfomance or halt error connection and when i click on it opens up internet explorer page where it look like windows security center and ask me to install some anti spy ware programs or it open a rapidscanner anti spy ware and ask for installment.

I get some a toolbox from the icon in toolbar saying "Your computer is infected" and then it ask me to use special anti spyware protection.
It also give me gay fetish sex and best bdsm porn icons on my desktop.
Someone please help me
.-- heres the link to the thread-- http://www.daniweb.com/forums/post714615.html
-------------------------------------------

I am currently on Safe Mode right now. I removed the nortan antivirus and I am scanning with Malwarebytes' Anti-Malware. I would follow the person who had the same problem as me but it might be different for me at the end.

If i try to go on regular boot.The Computer will start up. it will run the gay icon, along with rapid virus thing. and if i connect to the internet with normal boot it will auto download all these virus things.

  • 3 Contributors
  • 10 Replies
  • 224 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by crunchie

Recommended Answers

All 10 Replies

Member Avatar for iggyvill

Btw i have my vista laptop right next to me. Also I have a 2gb flash drive with me if that helps to remove this nasty virus.

edit: while i am in safe mode with networking some virus's still come out. like ex. a pornovid setup thing trying to get me to install it. i click cancel everytime though

Member Avatar for jholland1964

Hi, can I ask why you removed the Norton Anti-virus program? This means you are no longer protected and since you all ready have infections this can mean that more will enter the computer as you are noting in this statement;

while i am in safe mode with networking some virus's still come out. like ex. a pornovid setup thing trying to get me to install it. i click cancel everytime though

I would advise that you immediately reinstall that Norton program. One thing you must realize is that NO anti-virus program will remove everything and many do not even touch trojans at all, this is why we recommend additional tools like MBA-M. You must either reinstall, update and enable the Norton program OR install another anti-virus program IMMEDIATELY.
If the Norton license is current I would recommend the reinstall of that one, if it is expired then install one of these;
Avast, Antivir and AVG are all good, all FREE. Pick one, download, install, update and enable. Update it often, scan with it weekly at least.

Stop the MBA-M scan. Turn off the computer. Disconnect the internet cord from the computer so that it cannot get online.
Reboot the computer in normal mode and then do the FULL SCAN with MBA-M.
Allow it to FIX EVERYTHING found.
Shut down the computer. Re-attach the internet cord. Reboot in normal mode and let us know what happens.

Member Avatar for iggyvill

the thing is. I cannot get on the computer if i turn it on regular. if i do i will log on and it will pop up with pls instal this and all this virus stuff will popup. and when i close it more popup. even if the internet is turned off.
I have mcafee. so I can install that. but the virus won't let me update it.

Member Avatar for jholland1964

But WHY did you Uninstall Norton?
Go ahead and run the MBA-M in safe mode WITHOUT networking. You DO NOT NEED to be ONLINE to run MBA-M or actually ANY cleaner unless it is an online antivirus program.
Fix everything found.
Reboot to NORMAL mode and then run a HJT scan and post both the MBA-M log and also the HJT log.
We really need to see HJT from Normal Mode.
Why did you Uninstall Norton I ask again.

Member Avatar for iggyvill

oh ok. I uninstalled Nortan because when i start it up regular Nortan won't work. Only in safe mode it will.I think the virus it making it not work. but idk . im a noobie to this :3

Member Avatar for jholland1964

Ok. I understand. You do need an anti-virus program on there. Go with either the Norton or one of those free ones. The McAfee is a paid program and she would have to pay to use it, even if you all ready have the disk the program on the computer would have to be licensed and in order to do that she would have to pay.
It would be very unusual for an anti virus program to start in Safe Mode except for scanning. It won't start for protection in Safe Mode so I must assume you mean it wouldn't scan in normal mode.

Member Avatar for iggyvill

yea. :3 that's what i meant sorry :3

I have a flash drive with me with the avg on it. right now im scanning the computer with malwarebytes anti-malware. after it's done i do the ihackthis program? or i install avg?

Member Avatar for jholland1964

Go ahead and do the HJT and post both logs here. Then install the AVG and attempt to update. Even if you cannot update please do a full scan with it and fix everything found. Please note name and location of anything found by the AVG scan.

Member Avatar for iggyvill

The scan is done with both hijackthis and malwarebyte's here are the logs.

Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

10/24/2008 4:12:52 PM
mbam-log-2008-10-24 (16-12-52).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 119393
Time elapsed: 41 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 55

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\32591.exe (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpd.Vexe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Lynette\Local Settings\Temp\ie40.tmp (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250716.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250722.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250724.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250726.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250728.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250732.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250734.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250735.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250736.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250737.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250738.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250739.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250740.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250741.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250742.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250744.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250745.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250746.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250748.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250750.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250751.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250752.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250753.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250754.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250755.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250756.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250757.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250758.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250759.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250760.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250762.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250763.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250764.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250765.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250766.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250767.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250768.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250769.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250770.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250771.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250772.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250761.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250873.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250876.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XivR64oD.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\d.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


```````````````````````````````````````````````````````````````````````````

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:08 PM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Lynette\Application Data\U3\4320330F1D4234DC\LaunchPad.exe
C:\Documents and Settings\Lynette\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdoze.exe] C:\WINDOWS\system32\kdoze.exe
O4 - HKLM\..\Run: [MSMSGS] C:\WINDOWS\msmsgs.exe /background
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdmej.exe] C:\WINDOWS\system32\kdmej.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: TrueSwitch Wizard Verizon Yahoo.lnk = C:\Program Files\TrueSwitchVerizon\TrueInstall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.WeNeedaVacation.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/TrueInstallVerizonYahoo.exe
O20 - AppInit_DLLs: fnovqy.dll
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8461 bytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:08 PM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Lynette\Application Data\U3\4320330F1D4234DC\LaunchPad.exe
C:\Documents and Settings\Lynette\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdoze.exe] C:\WINDOWS\system32\kdoze.exe
O4 - HKLM\..\Run: [MSMSGS] C:\WINDOWS\msmsgs.exe /background
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdmej.exe] C:\WINDOWS\system32\kdmej.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: TrueSwitch Wizard Verizon Yahoo.lnk = C:\Program Files\TrueSwitchVerizon\TrueInstall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.WeNeedaVacation.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/TrueInstallVerizonYahoo.exe
O20 - AppInit_DLLs: fnovqy.dll
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8461 bytes
Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

10/24/2008 4:12:52 PM
mbam-log-2008-10-24 (16-12-52).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 119393
Time elapsed: 41 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 55

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\32591.exe (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpd.Vexe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Lynette\Local Settings\Temp\ie40.tmp (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250716.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250722.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250724.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250726.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250728.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250732.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250734.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250735.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250736.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250737.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250738.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250739.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250740.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250741.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250742.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250744.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250745.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250746.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250748.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250750.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250751.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250752.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250753.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250754.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250755.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250756.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250757.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250758.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250759.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250760.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250762.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250763.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250764.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250765.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250766.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250767.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250768.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250769.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250770.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250771.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250772.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250761.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250873.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP274\A0250876.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XivR64oD.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lynette\Local Settings\Temp\d.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Lynette\Local Settings\Temp\~tmpa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Member Avatar for crunchie

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\kdoze.exe

====

Can you please do the following.

===============

Go to Add/Remove programs and uninstall the following, if present:

Viewpoint Manager,Viewpoint Media Player,Viewpoint Toolbar

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdmej.exe] C:\WINDOWS\system32\kdmej.exe

O20 - AppInit_DLLs: fnovqy.dll

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\Viewpoint

files...

C:\WINDOWS\system32\kdmej.exe

Search for...

fnovqy.dll

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.