I'm receiving a ton of pop-ups which I now know is in relation to this ad-ware/trojan-type thing. Anyway I know I have to post my hijack log for someone to look at...so here it is and any help at this point would be greatly appreciated. I have trend micro pc-illian and webroot spyware, but I do know that I haven't updated my JAVA. Thanks again for any help as to which files to delete.... Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 11:05:13 PM, on 6/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\WINDOWS\system32\WISPTIS.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\Documents and Settings\Catie.CATE\Desktop\HiJackThis_v2.0.0.0.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [{13-30-0E-E7-ZN}] "C:\windows\system32\mmdsregs.exe" CHD003 O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172435746921 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll O20 - Winlogon Notify: wvuusst - C:\WINDOWS\SYSTEM32\wvuusst.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 9572 bytes
Hi catebooth **)Please download vundofix to your desktop http://www.atribune.org/content/view/24/2/ **) Please download ATF Cleaner by Atribune http://www.atribune.org/content/view/25/2/ Save it to your Desktop for later use. **)Get a program called pocket killbox. You can find a download link for it here: http://forum.malwareremoval.com/viewtopic.php?t=320 After you download the file, also look over the instructions for deleting a file on reboot. **) Temporarily disable spysweeper protection in case it interferes with fix efforts. You can scroll down this for instructions: http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs You can reenable these protections when you are done with the fixes. **) We need to temporarily have hidden files and folders visible: Click Start > Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. You can reverse these steps after the system is cleaned up. **) Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. **) Run ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Select the first 3 temp file lines. Select the temporary internet files line. Select the prefetch files line. Click the Empty Selected button. Click Exit on the Main menu to close the program. **) Please run the ewido/AVG online scan: http://www.ewido.net/en/onlinescan/ **) Open HijackThis and choose "Do a system scan only" then check the box in front of any of these line items that remain: O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file) O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\vjjaqelp.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O2 - BHO: (no name) - {FF3399CE-A371-45DD-9594-6785588F4157} - C:\WINDOWS\system32\vtsts.dll O4 - HKLM\..\Run: [{13-30-0E-E7-ZN}] "C:\windows\system32\mmdsregs.exe" CHD003 O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "C:\WINDOWS\system32\uyirivdn.dll",realset O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files...ntrol_en_US.cab O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll O20 - Winlogon Notify: wvuusst - C:\WINDOWS\SYSTEM32\wvuusst.dll Close all programs but HjT and all browser windows, then click on "Fix Checked" **) Use the malware removal guide instructions for deleting a file on reboot. delete this file: C:\WINDOWS\system32\uyirivdn.dll Post the Vundofix report, the ewido report, and a new HjT log. Thanks. bc
Thanks so much for your help bluecoal...my computer seems to be working better already. Here are my logs, let me know what you think. I think I should update my JAVA too, right? Thanks Again! cate Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 8:39:47 PM, on 6/11/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Catie.CATE\Desktop\HiJackThis_v2.0.0.0.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\fchyvbyj.dll (file missing) O2 - BHO: (no name) - {F7BEAE86-0AD2-403C-9BC8-CD10228F617D} - C:\WINDOWS\system32\vtsts.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172435746921 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 8990 bytes Ewido: ewido anti-spyware online scanner http://www.ewido.net __________________________________________________ Name: TrackingCookie.Doubleclick Path: C:\Documents and Settings\Catie.CATE\Cookies\catie@doubleclick[1].txt Risk: Medium Name: TrackingCookie.2o7 Path: C:\Documents and Settings\Catie.CATE\Cookies\catie@msnportal.112.2o7[1].txt Risk: Medium Name: Adware.RogueSuspect Path: HKU\S-1-5-21-2938156765-3586929490-3717373965-1005\Software\WinAntiVirus Pro 2007 Risk: Medium Name: Adware.RogueSuspect Path: HKU\S-1-5-21-2938156765-3586929490-3717373965-1005\Software\WinAntiVirus Pro 2007\Settings Risk: Medium Name: Not-A-Virus.Downloader.Win32.DigStream Path: C:\Program Files\DIGStream\digstream.exe Risk: Low Name: Not-A-Virus.Downloader.Win32.WinFixer.x Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057624.exe Risk: Low Name: Adware.Companion Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057671.dll Risk: Medium Name: Adware.SystemDoctor Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057673.exe Risk: Medium Name: Not-A-Virus.Downloader.Win32.WinFixer.o Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP117\A0057677.exe Risk: Low Name: Adware.Virtumonde Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061468.dll Risk: Medium Name: Adware.Virtumonde Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061471.dll Risk: Medium Name: Adware.Virtumonde Path: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP123\A0061473.dll Risk: Medium Name: Adware.Virtumonde Path: C:\VundoFix Backups\cbxxuvs.dll.bad Risk: Medium Name: Adware.Virtumonde Path: C:\VundoFix Backups\opnmjhg.dll.bad Risk: Medium Name: Adware.Virtumonde Path: C:\VundoFix Backups\tuvvwwu.dll.bad Risk: Medium Name: Adware.ZenoSearch Path: C:\WINDOWS\system32\nwinnndt.exe Risk: Medium Name: Downloader.VB.awj Path: C:\WINDOWS\system32\T1QaSQ\T1QaSQ1065.exe Risk: High Vundofix: VundoFix V6.5.0 Checking Java version... Java version is 1.4.2.3 Old versions of java are exploitable and should be removed. Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 6:31:54 PM 6/11/2007 Listing files found while scanning.... C:\windows\system32\cbxxuvs.dll C:\windows\system32\fchyvbyj.dll C:\windows\system32\ndviriyu.ini C:\windows\system32\opnmjhg.dll C:\windows\system32\ststv.bak1 C:\windows\system32\ststv.bak2 C:\windows\system32\ststv.ini C:\windows\system32\ststv.ini2 C:\windows\system32\ststv.tmp C:\windows\system32\tuvvwwu.dll C:\windows\system32\uyirivdn.dll C:\WINDOWS\system32\vtsts.dll C:\WINDOWS\system32\wbwdmdae.dll Beginning removal... Attempting to delete C:\windows\system32\cbxxuvs.dll C:\windows\system32\cbxxuvs.dll Has been deleted! Attempting to delete C:\windows\system32\fchyvbyj.dll C:\windows\system32\fchyvbyj.dll Has been deleted! Attempting to delete C:\windows\system32\ndviriyu.ini C:\windows\system32\ndviriyu.ini Has been deleted! Attempting to delete C:\windows\system32\opnmjhg.dll C:\windows\system32\opnmjhg.dll Has been deleted! Attempting to delete C:\windows\system32\ststv.bak1 C:\windows\system32\ststv.bak1 Has been deleted! Attempting to delete C:\windows\system32\ststv.bak2 C:\windows\system32\ststv.bak2 Has been deleted! Attempting to delete C:\windows\system32\ststv.ini C:\windows\system32\ststv.ini Has been deleted! Attempting to delete C:\windows\system32\ststv.ini2 C:\windows\system32\ststv.ini2 Has been deleted! Attempting to delete C:\windows\system32\ststv.tmp C:\windows\system32\ststv.tmp Has been deleted! Attempting to delete C:\windows\system32\tuvvwwu.dll C:\windows\system32\tuvvwwu.dll Has been deleted! Attempting to delete C:\windows\system32\uyirivdn.dll C:\windows\system32\uyirivdn.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\vtsts.dll C:\WINDOWS\system32\vtsts.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\wbwdmdae.dll C:\WINDOWS\system32\wbwdmdae.dll Has been deleted! Performing Repairs to the registry. Done!
There is still one file hanging on. **) Please rename HijackThis.exe to catebooth.exe (or other name of your choice). Some problems are able to hide from HijackThis, and I would like to eliminate that as a consideration here. **) Start vundofix. Right click on the white space in the middle of the screen. Click the add more file button. Paste this path into the top line: C:\WINDOWS\system32\aahicjdu.dll Then click add files and close that window. Then click the remove vundo button. Let the program run and restart however many times it needs to. **) Let the renamed hijackthis fix these lines: O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\fchyvbyj.dll (file missing) O2 - BHO: (no name) - {F7BEAE86-0AD2-403C-9BC8-CD10228F617D} - C:\WINDOWS\system32\vtsts.dll (file missing) O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset O20 - Winlogon Notify: wvuusst - wvuusst.dll (file missing) **) Check your add remove programs for this: WinAntiVirus Pro 2007 and remove if present. **) Did you have the ewido scan fix things? If not, you can run it again and have it fix the things it finds, except you can uncheck this one: Name: Not-A-Virus.Downloader.Win32.DigStream Path: C:\Program Files\DIGStream\digstream.exe Risk: Low **) As an additional check on things, please run this scanner: http://www.kaspersky.com/virusscanner It does not have an option to fix anything, it will just give a report. It will probably show infected files in vundo backups and system restore files. Those are not a problem because they can be deleted later. We are looking for other infected files. **) Please post the vundofix log, the Kaspersky scan log, and the new hijackthis log. **) Yes you can update your java and uninstall the old versions. bc
Okay, I did everything you said but had a problem with the vundofix...after doing what you said and the computer started I would get a message stating that there was an "error loading C:\WINDOWS\system32\aahicjdu.dll" There was no WinAntiVirus Pro, it had been on my desk top previously, but I removed it. I did originally have the ewido scan fix things, so I didn't run it again. The virtumonde continues to be picked up by my spysweeper. I did download the latest JAVA. Here's my logs.... Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 8:42:38 PM, on 6/13/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Catie.CATE\Desktop\catebooth.exe.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172435746921 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 8872 bytes Wednesday, June 13, 2007 9:08:10 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 14/06/2007 Kaspersky Anti-Virus database records: 324606 Scan Settings Scan using the following antivirus database standard Scan Archives true Scan Mail Bases true Scan Target Critical Areas C:\WINDOWS C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\ Scan Statistics Total number of scanned objects 15529 Number of viruses found 0 Number of infected objects 0 Number of suspicious objects 0 Duration of the scan process 00:10:56 Infected Object Name Virus Name Last Action C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90165157-7B44-49F0-922B-68099634D5A5}.crmlog Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr414.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr430.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr432.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr434.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr436.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr438.tmp Object is locked skipped Scan process completed. C:\windows\system32\opnmjhg.dll C:\windows\system32\ststv.bak1 C:\windows\system32\ststv.bak2 C:\windows\system32\ststv.ini C:\windows\system32\ststv.ini2 C:\windows\system32\ststv.tmp C:\windows\system32\tuvvwwu.dll C:\windows\system32\uyirivdn.dll C:\WINDOWS\system32\vtsts.dll C:\WINDOWS\system32\wbwdmdae.dll Beginning removal... Attempting to delete C:\windows\system32\cbxxuvs.dll C:\windows\system32\cbxxuvs.dll Has been deleted! Attempting to delete C:\windows\system32\fchyvbyj.dll C:\windows\system32\fchyvbyj.dll Has been deleted! Attempting to delete C:\windows\system32\ndviriyu.ini C:\windows\system32\ndviriyu.ini Has been deleted! Attempting to delete C:\windows\system32\opnmjhg.dll C:\windows\system32\opnmjhg.dll Has been deleted! Attempting to delete C:\windows\system32\ststv.bak1 C:\windows\system32\ststv.bak1 Has been deleted! Attempting to delete C:\windows\system32\ststv.bak2 C:\windows\system32\ststv.bak2 Has been deleted! Attempting to delete C:\windows\system32\ststv.ini C:\windows\system32\ststv.ini Has been deleted! Attempting to delete C:\windows\system32\ststv.ini2 C:\windows\system32\ststv.ini2 Has been deleted! Attempting to delete C:\windows\system32\ststv.tmp C:\windows\system32\ststv.tmp Has been deleted! Attempting to delete C:\windows\system32\tuvvwwu.dll C:\windows\system32\tuvvwwu.dll Has been deleted! Attempting to delete C:\windows\system32\uyirivdn.dll C:\windows\system32\uyirivdn.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\vtsts.dll C:\WINDOWS\system32\vtsts.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\wbwdmdae.dll C:\WINDOWS\system32\wbwdmdae.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\WINDOWS\system32\aahicjdu.dll C:\WINDOWS\system32\aahicjdu.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Performing Repairs to the registry. Done! VundoFix V6.5.0 Checking Java version... Java version is 1.4.2.3 Old versions of java are exploitable and should be removed. Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 9:18:52 PM 6/13/2007 Listing files found while scanning.... No infected files were found.
My! I have been looking at vundo logs to prepare myself for the next answers to you. Your response was unexpected because it describes situations which I have not seen in other logs/threads. I do not know exactly what to do next. Questions to help in understanding the situation. **) Okay, I did everything you said but had a problem with the vundofix...after doing what you said and the computer started I would get a message stating that there was an "error loading C:\WINDOWS\system32\aahicjdu.dll" This is not a problem with the vundofix. O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aahicjdu.dll",realset That line in the previous hjt log associates the file with virtumonde. Beginning removal... Attempting to delete C:\WINDOWS\system32\aahicjdu.dll C:\WINDOWS\system32\aahicjdu.dll Has been deleted! Performing Repairs to the registry. Done! That portion of the vundofix log indicates that the file has been deleted. The error loading message would indicate that something was still trying to call/load the dll file. Did the error message just happen one time, or does it continue to happen (ie if you shut down your computer now and then restarted it, does it give you that same message about being unable to load the dll file)? **) There was no WinAntiVirus Pro, it had been on my desk top previously, but I removed it. I did originally have the ewido scan fix things, so I didn't run it again. Good. **) I did download the latest JAVA. VundoFix V6.5.0 Checking Java version... Java version is 1.4.2.3 Old versions of java are exploitable and should be removed. Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 9:18:52 PM 6/13/2007 Listing files found while scanning.... No infected files were found. This last section from the vundofix log indicates there are also still old versions of Java on the system. Please go to your add/remove programs and look for items with Java Runtime Environment (JRE or J2SE) in the name. Remove the ones related to these two versions: Java version is 1.4.2.3; Java version is 1.5.0.3. **) The virtumonde continues to be picked up by my spysweeper. This creates conflicting information which I do not know how to resolve. The HijackThis log appears to be clean. Vundofix is not finding any new issues. Kaspersky is not finding any vundo files. As I think about that, I am not sure what is going on there, because in previous logs I have worked, Kaspersky would flag the files in the C:\vundofix backup folder until they were deleted. Did you rehide system and protected files? Had you reenabled spysweeper protection when the last vundofix was run? Do the spysweeper error messages give you specific file names and/or file locations that we can work with? If spysweeper is seeing infected files that have already been cleaned in the vundofix backup folder or system restore, they are not a problem, because those files can be removed in final cleanup steps. If it is detecting files in Trend Micro’s quarantine folder, the same thing applies, they are cleaned files and can be deleted from the quarantine folder to make the error messages stop. If they are somewhere else, I need some name/location information to try to help you get them off the system. bc
Sorry, my internet connection has been down...here's the latest I'm getting from my anti-virus, but nothing on spysweeper! What do you think? Real-time Scan Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified. Infected file: C:\vundofix backups\uyirivdn.dll.bad Virus name: TROJ_VUNDO.ATO User name: Catie Scan action result: Quarantined. Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information. Real-time Scan Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified. Infected file: C:\vundofix backups\wbwdmdae.dll.bad Virus name: TROJ_VUNDO.AE User name: Catie Scan action result: Quarantined. Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information. Wednesday, June 13, 2007 9:08:10 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 14/06/2007 Kaspersky Anti-Virus database records: 324606 Scan Settings Scan using the following antivirus database standard Scan Archives true Scan Mail Bases true Scan Target Critical Areas C:\WINDOWS C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\ Scan Statistics Total number of scanned objects 15529 Number of viruses found 0 Number of infected objects 0 Number of suspicious objects 0 Duration of the scan process 00:10:56 Infected Object Name Virus Name Last Action C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90165157-7B44-49F0-922B-68099634D5A5}.crmlog Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr414.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr430.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr432.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr434.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr436.tmp Object is locked skipped C:\DOCUME~1\CATIE~1.CAT\LOCALS~1\Temp\Acr438.tmp Object is locked skipped Scan process completed.
Hi, Looks to me like the place it is finding things is in the c:\vundofix backup folder. You can delete the contents of that folder now.
Hi, I’m glad things are running ok. You can also reset your system restore points: http://www.bleepingcomputer.com/tutorials/tutorial56.html This link has a few suggestions to help make your computer more secure now that it is cleaned up: http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I bc
