0

My computer has recently been bogged down by what was at first a virus, and then a series of adware/malware programs that were (and some still are) running. I've gone through the "Fixes for Specific Infections" thread, as well as the "PC Cleaning Procedures & Detection Tools" thread, but I'm still having a huge delay in booting/shutting down the system, and unless I set priorities to my programs (Firefox, Explorer etc.) they take forever to load. I've had to disable IExplorer (Windows XP SP2) because I was getting popups for spyware/adware detectors all the time, which again slowed down my system. I'm not really sure what else I can do with this, as I've gone through the big threads (listed above) and haven't had full success.

I'm getting programs like ping.exe running always (with the address of C:\WINDOWS\system32\CROSOF~1\ping.exe and an extension of "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv running) and another one called jvaw~1.exe but I can't seem to remove them, no matter what I do.

Can anyone help me? Thanks in advance.

3
Contributors
18
Replies
19
Views
11 Years
Discussion Span
Last Post by kylethedarkn
0

Plz download HJT from here.

After you download the zip extract the contents to a permanent folder such as C:\HJT or something similar.

Run the program and scan your computer. It will come up with alot of entries.(don't fix anything yet) There should be a save log option. It will save a log of the scan.

Post the HJT log in your next reply.

0

This is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:21 PM, on 25/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
C:\Documents and Settings\Family\Desktop\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {0AA45C7C-98BD-B118-999D-E5FC5FF0BCE1} - C:\WINDOWS\system32\mchj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

0

I also get a pop-up that says 'This action cannot be completed because the other program is busy. Choose "Switch To" to activate the busy program and correct the problem,' with a "Switch To..." and "Retry" button able to be pushed. I'm not sure if this is a Windows notification, or a 3rd party scam.

Any ideas?

0

Ping.exe is a valid process but jvaw~1.exe is not so lets get started.

First run HJT and check the following.
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
Close all other windows and click fix checked.

Reboot to safe mode by tapping the F8 key during startup.
Delete the following files and folders.
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
C:\Documents and Settings\Family\My Documents\??stem
C:\WINDOWS\system32\arpa.dll
C:\WINDOWS\SYSTEM32\JVAW~1.EXE
Reboot Normally and reply with any problems that still exist. Also post a new HJT log.

0

When I try to fix those entries in HJT I'm given an error pop-up:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: mmc.dll arpa.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

What do I do now?

0

When I moved the folder to C:\ drive and retried the fix, I got the same error.

I booted into SafeMode and was able to delete the "?ttrib.exe" file and the "??stem" folder (system\attrib.exe), but was unable to delete the arpa.dll file. It said that it was in use by another program. Also, the jvaw~1.exe file did not exist. I'm really confused now ...

Here's my new HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:35 AM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {00755647-9D85-EB24-A360-EF1C819DB3B1} - C:\WINDOWS\system32\dojuzf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: arpa.dll rundll.dll mmc.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

0

Ok download pocket killbox from here.
Run killbox and check the box that says delete files on reboot.
Then select the all files button.
Go to the folder icon and navagate to the apra.dll and TTrib~1.exe click ok. When you go to the drop down box you should see them there.
Close all other windows and click on the kill button.(red circle with white x) Killbox should reboot your computer. After its done post a new HJT log.

0

I can never find "TTRIB~1.EXE"! I deleted it in SafeMode once, but I've never been able to find it since (SafeMode or normal).

Here's the NEW log ...

Logfile of HijackThis v1.99.1
Scan saved at 11:44:43 PM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {00755647-9D85-EB24-A360-EF1C819DB3B1} - C:\WINDOWS\system32\dojuzf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

0

kylethedarkn-

Ping.exe is a valid process

Not when it's running from a folder named " C:\WINDOWS\system32\CROSOF~1", it isn't. :mrgreen: The entire "CROSOF~1" folder is bogus.
(Besides, the ping command normally sends only 4 ping requests and then quits; it's not a persistent process.)

I've got to log off and get some sleep right now, but from what I can see, you've dealing with PurityScan/OIN infection there.

-

0

Ok then lets do a couple things.
First download Ewido's Security Suite from here.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Reboot.


After rebooting run HJT and check the following if they are still there.
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Close all other windows and click fix checked.

Now scan the following file using Jotti's online scanner.
C:\WINDOWS\system32\dojuzf.dll

Reboot to safe mod and delete the following files and folders if existing.
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\WINDOWS\system32\CROSOF~1
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1
Reboot to Normal.

Post the Ewido log and the HJT log.

0

I ran ewido twice, because I couldn't delete 2 files. The second time I couldn't quarantine them. What can I do now?

Run 1:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:48:39 PM 01/07/2006

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01IBOPUV\!update-3915[1].0000 -> Adware.ClickSpring : Cleaned.
C:\WINDOWS\Τasks\taskmgr.exe -> Adware.ClickSpring : Cleaned.
C:\!KillBox\arpa.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\__delete_on_reboot__a_r_p_a_._d_l_l_ -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\mmc.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\rundll.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\vlvpdabr.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\Оracle\wіnspool.exe -> Adware.PurityScan : Cleaned.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned.
[1016] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1084] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1164] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1356] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1632] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1764] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1804] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1836] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1936] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[2040] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[444] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[476] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[488] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[664] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[676] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[848] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[920] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\system32\fccaxuv.dll -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Family\Local Settings\Application Data\01f6d7c3.exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\01f6d7c3.exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8TQR4T2R\!update-3895[1].0000 -> Downloader.PurityScan.co : Cleaned.
C:\WINDOWS\system32\regperf.exe -> Downloader.Zlob.vr : Cleaned.
C:\WINDOWS\system32\dcomcfg.exe -> Downloader.Zlob.vt : Cleaned.
:mozilla.212:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.51:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.52:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.53:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.65:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.66:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.78:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Family\Cookies\Family@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.90:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.92:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.96:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.97:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.117:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.118:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.119:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.120:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.161:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.100:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.104:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.105:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.106:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.107:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.222:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.75:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.76:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.181:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.21:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.141:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.142:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Family\Cookies\Family@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.125:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.165:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.166:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.167:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.168:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.169:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.170:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.171:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.172:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.233:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.234:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.235:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.18:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.19:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.20:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.34:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.191:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.192:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.71:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.72:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.73:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.74:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.221:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\yjmqsji7.default\cookies.txt -> TrackingCookie.Xhit : Cleaned.
C:\WINDOWS\system32\winyme32.dll -> Trojan.Agent.vg : Cleaned.
[616] C:\WINDOWS\system32\winyme32.dll -> Trojan.Agent.vg : Error during cleaning.


::Report end

Run 2:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:08:48 PM 01/07/2006

+ Scan result:

C:\WINDOWS\system32\__delete_on_reboot__a_r_p_a_._d_l_l_ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1016] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1084] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1164] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1356] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1632] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1764] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1804] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1836] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[1936] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[2040] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[444] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[476] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[488] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[664] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[676] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[848] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
[920] C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\system32\__delete_on_reboot__w_i_n_y_m_e_3_2_._d_l_l_ -> Trojan.Agent.vg : Cleaned with backup (quarantined).
[616] C:\WINDOWS\system32\winyme32.dll -> Trojan.Agent.vg : Error during cleaning.


::Report end

I also ran HJT but I couldn't find any of those entries.

Logfile of HijackThis v1.99.1
Scan saved at 6:19:05 PM, on 01/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Upon rebooting in SafeMode, there were no folders "stem~1" or "crosof~1", and the "ping.exe" and "ttrib~1.exe" files weren't found. I did however, find "ping6.exe" in the System32 folder, and I noticed that in the Windows\Temp folder there were files called "Win1A.tmp", "Win1B.tmp" etc. Are these normal?

Thanks for all your help!

0

The reason the HJT lines weren't there is because you were in safe mode. Reboot to normal check and fix the HJT lines then reboot to safe mode run ewido and see if it deletes the apra.dll and the other thing.


If that doesn't work download Pocket killbox from here.

Open Killbox and select the delete on reboot option and click on all files.
Then click on the open folder symbol and navagate to the following.
C:\WINDOWS\system32\winyme32.dll
C:\WINDOWS\system32\arpa.dll
When you click on them press ok and then go to the next file.
Make sure that both files are located in the drop down box.
Now click on the kill button.(the red circle with a white x)
The computer should restart itself if it doesn't restart it manually.

Post the new HJT and ewido logs.

0

When I run HJT and I select the arpa.dll file, and only that file, I still get this error message:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

0

And neither KillBox nor Windows search can find arpa.dll or winyme32.dll.

0

I think that did it! :D

Logfile of HijackThis v1.99.1
Scan saved at 11:31:02 PM, on 02/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

THANK YOU! THANK YOU! THANK YOU! :D:D:D

0

Your Welcome and if your not expiriencing any problems you can mark this thread as solved.(there should e a link at the top of the page)

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.