0

So I have noticed I have a problem. Its hard to explain but let me list some things that are happening

-Can't click links , when I do it sends me to completely different links
-None of my anti virus programs will load up Ill click on them and they will show up on the processors menu in task manager but they wont show up on the application tab

Here is a HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:46 AM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\svchost.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\jackie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] F:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "F:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] F:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [prunnet] "F:\WINDOWS\system32\prunnet.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170974568265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
O20 - AppInit_DLLs: vaxagi.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6299 bytes


Thanks for help

3
Contributors
11
Replies
12
Views
8 Years
Discussion Span
Last Post by cohen
0

Don't know if this will work or not, but try it:
Please try the following routine given in the MBA-M forum to see if you can get Malwarebytes to run.

* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
* Then go to the SCANNER tab and run a Full System scan

Be sure that everything is checked, and click Remove Selected.
When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
Run a new scan with HJT and post back here with both logs.

0

Ok, be sure to have it Remove whatever is found and then reboot and run a new HJT scan and post both logs. I'll be waiting.
Judy

0

MBAM log

Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

12/23/2008 10:51:13 PM
mbam-log-2008-12-23 (22-51-13).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 84345
Time elapsed: 6 hour(s), 24 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
F:\WINDOWS\system32\byXrromJ.dll (Trojan.Vundo.H) -> Delete on reboot.
F:\WINDOWS\system32\geBuVMfg.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c554a366-de7e-4274-9fd0-797109c16d19} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c554a366-de7e-4274-9fd0-797109c16d19} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebuvmfg (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c554a366-de7e-4274-9fd0-797109c16d19} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: f:\windows\system32\byxrromj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: f:\windows\system32\byxrromj -> Delete on reboot.

Folders Infected:
F:\Documents and Settings\jackie\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
F:\WINDOWS\system32\byXrromJ.dll (Trojan.Vundo.H) -> Delete on reboot.
F:\WINDOWS\system32\JmorrXyb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\JmorrXyb.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\geBuVMfg.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\Documents and Settings\jackie\Application Data\upd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\Documents and Settings\jackie\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\Documents and Settings\jackie\Local Settings\temp\TDSS7408.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Qoobox\Quarantine\F\Documents and Settings\jackie\Application Data\Google\fhexj6825097.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\Qoobox\Quarantine\F\WINDOWS\system32\drivers\svchost.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{E36E2AFB-8406-48D8-90E6-C0FF7B8686BE}\RP538\A0154322.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{E36E2AFB-8406-48D8-90E6-C0FF7B8686BE}\RP538\A0154323.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{E36E2AFB-8406-48D8-90E6-C0FF7B8686BE}\RP548\A0154603.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{E36E2AFB-8406-48D8-90E6-C0FF7B8686BE}\RP548\A0154612.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{E36E2AFB-8406-48D8-90E6-C0FF7B8686BE}\RP548\A0154614.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\TDSSirxy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\TDSSyavu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\drivers\TDSSmxoe.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
F:\Documents and Settings\jackie\Local Settings\temp\TDSS73aa.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\TDSSqqyk.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\TDSSwghd.log (Trojan.TDSS) -> Quarantined and deleted successfully.

HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:55 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Ventrilo\Ventrilo.exe
F:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\jackie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] F:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] F:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170974568265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
O20 - AppInit_DLLs: vaxagi.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6761 bytes


Everything seems to be fine now no problems at all and its all back to normal should i mark as solved?

0

Not so fast, ok.
You need to do this
Please locate the following file and upload it to Jotti's for a scan.

vaxagi.dll

http://virusscan.jotti.org/

Once the file is scanned you will receive information from the various scanners there on whether this is an infection or not. Post back here with that info.

Also, did you add this site to your Trusted Zone? .amaena.com

0

Did a search for the vaxagi.dll file but couldnt find it ... Any where specific I should look?

0

Go to Start, Search Files and Folders. Type in vaxagi.dll.
Be sure to use Advanced Options Search System Files, Search Hidden Files and Folders, Search Sub Folders.
Have it search your Hard Drive which appears to be "F" drive. If you have more than one hard drive then do the search on all of them.
If the search comes back empty then that is fine. If the file IS found then type the full path of the file into the upload window at the jotti website and allow it to be uploaded for scanning.
Either way, come back with a "not found" or the results from jotti.
I don't want to go forward with anythng until we know IF this file still exists on the computer and if it does exist then we need to know if it is part of the infection and we can go from there.
Judy

0

Well it seems that its not there I have ran advance search on everything and nothing is coming up.

0

Good. Then the next thing you need to do is update your java program it is way out of date and out of date java can pose a security risk. To do this go HERE and download the Offline Install file and save it to your desktop. Once it is downloaded then go to Add/Remove and Uninstall ALL versions of Java that you find there.
While you are in Add/Remove also Uninstall the Viewpoint Media Player or Viewpoint Manger Control Panel, actually anything named Viewpoint. This is considered foistware because it is installed without your knowledge when installing something else.
Once that is complete then close that out and go to the desktop and double click that install file to install the newest version. When that is installed go back to that download page and on the right side of that page you will see Verify Now. Click that to go to the verification page to assure that your install was successful.
After doing that run HJT again and put a check mark next to the following entries if they still remain:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] F:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O15 - Trusted Zone: *.amaena.com

O20 - AppInit_DLLs: vaxagi.dll

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
After you have placed those check marks click the Fix Checked button.
Exit HJT.
Reboot and run one more HJT scan and post back with that new log.
Almost there.
Judy

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:26 PM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
F:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Brother\ControlCenter3\brccMCtl.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\jackie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] F:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170974568265
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6208 bytes

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

was not on the HJT check list

0

Log Looks Clean to me :)

Just make sure the Viewpoint Manager doesn't appear in the Add / remove Programs (Control Panel > Add / Remove Programs), If it is, uninstall it.

Otherwise, it's good to me :)

Cohen :)

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.