Need help removing the Bin Laden captured malware

Hi,

I stupidly clicked on a link saying Bin Laden had been captured. Now I have malware on my system. I ran a few different spyware programs, but they either charge me, or simply try to remove programs, but fail to do so. If anyone can help me remove it manually I'd greatly appreciate it.

Here is my log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:00:43 AM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Comments

  • Trogan London, UK
    edited September 2006
    Hi Scott, Welcome to Short-Media! :)

    A few things to do, so please do the following...

    First
    I see HijackThis on the desktop. Please create a new folder, and move HijackThis to it. This is so backups can be created. This step is important!

    Second
    I don't see any indication of a Firewall in your HijackThis log. This may be because:

    (1.) You are using Windows Firewall or a hardware Firewall.
    (2.) You are using a Firewall of an unknown vendor.
    (3.) You are using a Firewall, but it is disabled for unknown reasons.
    (4.) You don't use any firewall at all.

    In the case you don't have a Firewall, please download one from the list below - They are Free!

    Zone Alarm << I recommend this
    Sunbelt Kerio PF
    Outpost Firewall

    Third
    I do not see an Anti-Virus program. Again, please download one from the list below - They are Free!

    AVG Free Edition << I recommend this
    AntiVir
    avast! 4 Home Edition

    Once you have chosen your Anti-Virus, update it and make a note of any files that could not be deleted.

    Fourth
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • A text file called VundoFix will be created in your C: drive. Please keep it safe, as I'll need to see it soon.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Fifth
    I would like to see another log from HijackThis.
    • Run HijackThis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Copy & Paste the entire contents of that file in your next post.

    Sixth
    Please post the following:

    1) Info of any files that could not be cleaned by your Anti-Virus
    2) Contents of C:\vundofix.txt
    3) Uninstall list
    4) New HijackThis log
  • edited September 2006
    I ran Vundo and no infected files were found...

    Here is the log:


    VundoFix V6.1.4

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Java version is 1.5.0.5

    Java version is 1.5.0.6

    Scan started at 3:15:27 PM 9/8/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...


    Here is the program list:

    Ad-Aware SE Personal
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 6.0.1
    AdsGone Popup Killer by A1Tech.com
    Antares Tube VST v1.02
    AOL Instant Messenger
    Arturia Moog Modular V v1.2
    Business Contact Manager for Outlook 2003
    Canon Digital Camera USB WIA Driver
    Click 'N Burn CD & DVD
    Conexant SmartHSFi V92 56K DF PCI Modem
    CutterMusic Revitar VSTi v1.1.3
    Dell P1500 factory-installed files
    Dell Printer Software Uninstall
    Digital Line Detect
    DivX
    DivX Player
    DivX Web Player
    DVDSentry
    Easy CD Creator 5 Basic
    FastStone Photo Resizer 1.4
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Intel (R) Pro Alerting Agent
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    Ipswitch WS_FTP LE
    iTunes
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Korg Legacy Collection v1.0.0.2
    Learn2 Player (Uninstall Only)
    Lexicon PSP 42 VST DX v1.0
    Logitech Gaming Software
    Macromedia Fireworks MX 2004
    Macromedia Flash Player 8
    M-Audio USB Quattro
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Data Access Components KB870669
    Microsoft Excel Viewer 97
    Microsoft Office Small Business Edition 2003
    Microsoft Office XP Professional with FrontPage
    Modem Helper
    Mozilla Firefox (1.0.6)
    Mp3 Cutter and Joiner 1.0
    MSN Music Assistant
    Native Instruments Absynth 2
    Native Instruments FM7 Sounds Vol.1
    Native Instruments Kontakt
    NetWaiting
    Novation Bass-Station VSTi v1.10
    OhmForce OhmBoyz 1.3
    Ohmforce Quad Frohmage Pro VST v1.10
    Online Manuals for WinTV (English)
    PowerDVD
    PQ DVD to iPod Video Converter (remove only)
    PSP VintageWarmer v1.5d
    PSP84 1.3
    QuickTime
    RealPlayer Basic
    Rob Papen Albino 2
    SBC Self Support Tool
    SBC Yahoo! Applications
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Skype 2.0
    SoulSeek Client 156c
    SpinAudio RoomVerb M2 1.3
    SpinAudio SpinDelay 2.0
    SpyHunter
    Spyware Doctor 4.0
    Steinberg Cubase SX v2.0.2.31
    STOIK Smart Resizer
    Synapse Hydra VSTi V1.1
    U.S. Robotics Wireless MAXg Adapter
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Visual IP InSight(SBC)
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2

    Here is the new log file (probably the same):

    Logfile of HijackThis v1.99.1
    Scan saved at 3:41:13 PM, on 9/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colin\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • Trogan London, UK
    edited September 2006
    Scot, until you get an Anti-Virus and Firewall as posted in my previous post, I will be unable to help you.
  • edited September 2006
    Ok, I've got AVG free, ran a scan...and it came up with a bunch of trojans, but only removed 3 out of 37 infections.

    I also have the Windows firewall running.

    Here is the new program list:

    Ad-Aware SE Personal
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 6.0.1
    AdsGone Popup Killer by A1Tech.com
    Antares Tube VST v1.02
    AOL Instant Messenger
    Arturia Moog Modular V v1.2
    AVG Free Edition
    Business Contact Manager for Outlook 2003
    Canon Digital Camera USB WIA Driver
    Click 'N Burn CD & DVD
    Conexant SmartHSFi V92 56K DF PCI Modem
    CutterMusic Revitar VSTi v1.1.3
    Dell P1500 factory-installed files
    Dell Printer Software Uninstall
    Digital Line Detect
    DivX
    DivX Player
    DivX Web Player
    DVDSentry
    Easy CD Creator 5 Basic
    FastStone Photo Resizer 1.4
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Intel (R) Pro Alerting Agent
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    Ipswitch WS_FTP LE
    iTunes
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Korg Legacy Collection v1.0.0.2
    Learn2 Player (Uninstall Only)
    Lexicon PSP 42 VST DX v1.0
    Logitech Gaming Software
    Macromedia Fireworks MX 2004
    Macromedia Flash Player 8
    M-Audio USB Quattro
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Data Access Components KB870669
    Microsoft Excel Viewer 97
    Microsoft Office Small Business Edition 2003
    Microsoft Office XP Professional with FrontPage
    Modem Helper
    Mozilla Firefox (1.0.6)
    Mp3 Cutter and Joiner 1.0
    MSN Music Assistant
    Native Instruments Absynth 2
    Native Instruments FM7 Sounds Vol.1
    Native Instruments Kontakt
    NetWaiting
    Novation Bass-Station VSTi v1.10
    OhmForce OhmBoyz 1.3
    Ohmforce Quad Frohmage Pro VST v1.10
    Online Manuals for WinTV (English)
    PowerDVD
    PQ DVD to iPod Video Converter (remove only)
    PSP VintageWarmer v1.5d
    PSP84 1.3
    QuickTime
    RealPlayer Basic
    Rob Papen Albino 2
    SBC Self Support Tool
    SBC Yahoo! Applications
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Skype 2.0
    SoulSeek Client 156c
    SpinAudio RoomVerb M2 1.3
    SpinAudio SpinDelay 2.0
    SpyHunter
    Spyware Doctor 4.0
    Steinberg Cubase SX v2.0.2.31
    STOIK Smart Resizer
    Synapse Hydra VSTi V1.1
    U.S. Robotics Wireless MAXg Adapter
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Visual IP InSight(SBC)
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2

    And the new hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:44:39 PM, on 9/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\Program Files\Grisoft\AVG Free\avgwb.dat
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colin\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: uecommerce.com
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: trafficexplorer.com
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: 7.0.0.1 media.fastc
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • TroganTrogan London, UK
    edited September 2006
    Thanks Scot! Can you do the following please...

    Download Hoster from the link below, and extract the files to your desktop.

    http://www.funkytoad.com/download/hoster.zip

    A folder called Hoster should be created. Open it, and open the Hoster file inside.

    Click on Restore Microsoft's Original Hosts File, and click OK at the prompt

    Close Hoster

    =====

    We need to run VundoFix again, but slightly different than the first time.
    • Double-click VundoFix.exe to run it.
    • Right Click inside the listbox (white box) and click Add more file?
    • Copy & Paste the 2 entries below into the top 2 boxes

      • C:\WINDOWS\system32\tuvsq.dll
      • C:\WINDOWS\system32\qsvut.*

    • Click Add Files and click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  • edited September 2006
    I keep getting an error when trying to open Hoster...and it simply closes on me. Error getting host files to be specific. Should I still run Vundo again?

    Please advise.

    And thanks again for your time and patience!
  • TroganTrogan London, UK
    edited September 2006
    Do this...

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: uecommerce.com
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: trafficexplorer.com
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: 7.0.0.1 media.fastc
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis


    Now run VundoFix as instructed in my last post. :)
  • edited September 2006
    Ok, I checked all and tried to fix them, but got an error message. It said either I don't have write capabilities or that some program is preventing me from deleting these files.

    I figure this is either the malware being tricky or I need to change the settings on what files I can remove in Windows.

    Please advise.

    Thanks again!
  • TroganTrogan London, UK
    edited September 2006
    Do you have Admin rights? You need to have Admin rights, in order to complete the instruction I provide.

    Leave it for now, and carry on with the VundoFix.
  • edited September 2006
    It's my computer, so I'm assuming I have admin rights. Should I change users?

    I will run Vundo.
  • edited September 2006
    I tried to do the Vundofix, but upon hitting add files, nothing happened. Then I clicked close window and the files weren't pasted. I tried multiple times to no avail. Not sure why they won't take.

    How can I get admin rights to do the other bit?

    Thanks again.
  • TroganTrogan London, UK
    edited September 2006
    You won't see the files once they have been added, and it may appear nothing is happening but it is. The instructions say "click Add Files and click Close Window. Then, click the Remove Vundo button." Follow the instructions and everything will happen automatically. :)

    To check if you have Admin rights, do this:

    Go Start > Control Panel
    Open User Accounts
    Under "or pick an account to change", you should see a list of accounts on the computer.
    Look below your account, and see if it says Computer Administrator
    If so, then your account has Admin rights.
  • edited September 2006
    I followed your directions to a T, and when I restarted my pc it seemed to update some registry stuff. I looked at the Vundofix file on my C drive and it's the same one from a few days ago that found nothing in the scan.

    I tried to remove the files in HijackThis, but the program grays out and locks up, not responding. I do have admin rights, but that doesn't come up anymore. It simply doesn't respond.

    Here is my latest log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:06:38 AM, on 9/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colin\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: uecommerce.com
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: trafficexplorer.com
    O1 - Hosts: ficserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: 7.0.0.1 media.fastc
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • Trogan London, UK
    edited September 2006
    Scot, I gave you the wrong files to input. I don't know how I did that and I sincerely apologise. Here are the right files to input.
    • Double-click VundoFix.exe to run it.
    • Right Click inside the listbox (white box) and click Add more file?
    • Copy & Paste the 2 entries below into the top 2 boxes

      • C:\WINDOWS\inf\srvdns.dll
      • C:\WINDOWS\system32\sndvrs.*

    • Click Add Files and click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  • edited September 2006
    So the files you gave me before wouldn't have impacted my PC, correct? Just want to make sure I didn't create any new problems, and what exactly happened with my registry.

    Thanks again. I will try the vundofix again after work.
  • Trogan London, UK
    edited September 2006
    Nothing would have happened by inputting the wrong files. VundoFix would not have found them, and would have told you so. I'm not sure what happened with your registry.
  • edited September 2006
    I did as instructed but it wasn't able to delete the vundo. Then it asked to restart and boot Vundo at restart. I did that and it came up with zero infected files.

    I tried to remove the 01 files from Hijack again, but the program became non-responsive once again. I even tried removing just one single 01 file at a time, and still no luck.

    What do I do from here?!!?!?!

    Thanks!
  • edited September 2006
    VundoFix V6.1.4

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Java version is 1.5.0.5

    Java version is 1.5.0.6

    Scan started at 3:15:27 PM 9/8/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    Beginning removal...

    Beginning removal...

    Attempting to delete C:\WINDOWS\inf\srvdns.dll
    C:\WINDOWS\inf\srvdns.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.1.4

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Java version is 1.5.0.5

    Java version is 1.5.0.6

    Scan started at 6:24:15 PM 9/12/2006

    Listing files found while scanning....

    No infected files were found.
  • edited September 2006
    Sorry this is segmented...the computer seems a lot better now, though it's not perfect. Here is the latest hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:18 PM, on 9/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colin\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: uecommerce.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: trafficexplorer.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: 7.0.0.1 media.fastc
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • Trogan London, UK
    edited September 2006
    The computer may be better now, because it looks like half of Vundo has been defeated. :)

    Let's try this now:

    You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    All O1 entries

    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis


    Reboot back into Normal mode, and post a new Hijackthis log :)
  • edited September 2006
    I got your instructions on safe mode...but I remember trying safe mode on this PC a week and a half ago and it wouldn't display any of my icons, nor the taskbar, so I couldn't get into any programs or do anything except press Ctrl+Alt+Del.

    If I experience this again, what should I do to circumvent the problem?

    Thanks.
  • edited September 2006
    Big game tonight...best of luck.
  • Trogan London, UK
    edited September 2006
    Thanks! Good game, although we didn't play too well, but got the job done. :D

    About Safe Mode...let me know how it goes and I'll see what I can do. It may be a Windows problem, something that may be beyond my knowledge.
  • edited September 2006
    Is there any way to do it in normal mode? Like showing files in my registry and manually deleting them that way without Hijack this? I'm pretty sure my safe mode won't work.

    Thanks again.
  • Trogan London, UK
    edited September 2006
    Leave Safe Mode for now. Can we try VundoFix one more time, please?
    • Double-click VundoFix.exe to run it.
    • Right Click inside the listbox (white box) and click Add more file?
    • Copy & Paste the 2 entries below into the top 2 boxes

      • C:\WINDOWS\inf\srvdns.dll
      • C:\WINDOWS\inf\sndvrs.*

    • Click Add Files and click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  • edited September 2006
    My latest Vundo log:

    VundoFix V6.1.4

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Java version is 1.5.0.5

    Java version is 1.5.0.6

    Scan started at 3:15:27 PM 9/8/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    Beginning removal...

    Beginning removal...

    Attempting to delete C:\WINDOWS\inf\srvdns.dll
    C:\WINDOWS\inf\srvdns.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.1.4

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Java version is 1.5.0.5

    Java version is 1.5.0.6

    Scan started at 6:24:15 PM 9/12/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\inf\srvdns.dll
    C:\WINDOWS\inf\srvdns.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    And HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:49:08 PM, on 9/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Documents and Settings\Colin\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: uecommerce.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: trafficexplorer.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: 7.0.0.1 media.fastc
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O1 - Hosts: icserver.com
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • Trogan London, UK
    edited September 2006
    Let's try HijackThis again:

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    All O1 entries

    O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll (file missing)

    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis


    Reboot, and post a new HijackThis log please. :)
  • edited September 2006
    Hijack this froze up again. I was able to use safe mode, but Hijack this froze up just the same. I even left it for 30 min or more to see if it was just freezing up, then restabilizing.

    Can't I just go to my computer, tools, show hidden files, and allow deletion of those files, then manually go in and remove them without using Hijack this?

    Thanks again.
  • edited September 2006
    What's my next move? Is there any other program to remove these silly 01 files?

    Thanks!
  • Trogan London, UK
    edited September 2006
    Do this:

    Go to Start > Run > copy and paste the following and press OK

    notepad C:\WINDOWS\system32\drivers\etc\hosts

    Copy and paste the entire contents of Notepad here please.


    Rename HijackThis.exe to HJT.exe, and post a new log.
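
An added example, not part of the original thread and not code from HijackThis or VundoFix: a small Python audit of a hosts file's text that separates ordinary loopback entries from the lines a reviewer should look at before deleting anything. The sample input is constructed, reusing fragments that appear in the O1 lines of the logs above; the function names are this example's own.

```python
import ipaddress
from collections import Counter


def classify_hosts_line(line):
    """Classify one hosts-file line.

    Returns (kind, detail) where kind is one of:
      blank, comment - nothing to review
      local          - loopback / 0.0.0.0 entry (localhost or a blocking entry)
      redirect       - hostname mapped to some other address: review it
      malformed      - not 'address hostname...': file is damaged or tampered
    """
    text = line.split("#", 1)[0].strip()   # drop trailing comments
    if not text:
        return ("comment" if "#" in line else "blank", "")
    fields = text.split()
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return ("malformed", "first field is not an IP address")
    if len(fields) < 2:
        return ("malformed", "address with no hostname")
    names = " ".join(fields[1:])
    if addr.is_loopback or addr.is_unspecified:
        return ("local", names)
    return ("redirect", f"{names} -> {addr}")


def audit_hosts(text):
    """Return (findings, summary) for the full text of a hosts file.

    findings: list of (line_number, kind, detail, raw_line) for every
              line that is a redirect or malformed.
    summary:  Counter of how many lines fell into each kind.
    """
    findings = []
    summary = Counter()
    for number, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        kind, detail = classify_hosts_line(raw)
        summary[kind] += 1
        if kind in ("redirect", "malformed"):
            findings.append((number, kind, detail, raw.strip()))
    return findings, summary


def load_hosts(path):
    """Read a hosts file as bytes and decode leniently, so a damaged file
    still produces a report instead of a decode error."""
    with open(path, "rb") as handle:
        return handle.read().decode("utf-8", errors="replace")


# Constructed sample. The fragments "icserver.com", "com" and
# "7.0.0.1 media.fastc" are copied from the O1 lines in the logs above;
# the example.test names and 10.1.2.3 are made up for illustration.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 ads.example.test
icserver.com
com
7.0.0.1 media.fastc
10.1.2.3 update.example.test
127.0.0.1
"""

if __name__ == "__main__":
    findings, summary = audit_hosts(SAMPLE)
    for number, kind, detail, raw in findings:
        print(f"line {number}: {kind:9} {raw!r} ({detail})")
    print(dict(summary))
```

A fragment such as `7.0.0.1 media.fastc` parses as a syntactically valid entry pointing at a non-loopback address, so it is reported as a redirect rather than as malformed; it still needs a human decision.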