Just a quick question about Zlob
Hi there, I hope you can help me; it looks like you're a helpful bunch.
I have read the threads where other people have had trouble and tried to act on it. VundoFix has searched once and got about 8 results, deleted them all and then I (voluntarily) rebooted. AVG then found it again at reboot, and I ran VundoFix again and now it's found too. I'm just posting this before I agree to reboot again. I think I gave it to my neighbour in the office via USB accidentally (giving him the source of the virus), and his has ever since been attempting to hijack FIREFOX (thought that was flawless really) to go to some WinAntivirus site (surely this is illegal??!!)
Is it worth running VundoFix over and over again or should I get into the more complex manoeuvres?
EDIT:
OK, it's still screwing around, and since when does my ATI client utility thingamajig need the internet?
Yes, it seems I was a little overconfident that I had done things right.
This is the HijackThis log done AFTER VundoFix three times:
Logfile of HijackThis v1.99.1
Scan saved at 17:17:31, on 27/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\Moritz\Desktop\VundoFix.exe
C:\HJT\HijackThis.exe
RE EDIT:
Vundofix
VundoFix V6.3.9
Checking Java version...
Sun Java not detected
Scan started at 14:57:25 27/02/2007
Listing files found while scanning....
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\trfryosw.dll
C:\WINDOWS\system32\wsoyrfrt.ini
C:\WINDOWS\system32\xbyphwwp.exe
C:\WINDOWS\system32\xgvimeje.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\trfryosw.dll
C:\WINDOWS\system32\trfryosw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wsoyrfrt.ini
C:\WINDOWS\system32\wsoyrfrt.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\xbyphwwp.exe
C:\WINDOWS\system32\xbyphwwp.exe Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.9
Checking Java version...
Sun Java not detected
Scan started at 15:06:06 27/02/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\xgvimeje.dll
Beginning removal...
Performing Repairs to the registry.
Done!
xgvimeje.dll and gebcd.dll <---- these two just won't go
REREEDIT: Smitfraud hasn't found anything, so why is Vundofix finding stuff?
This discussion has been closed.
Comments
Totally separate tools & infections.
The reason why VundoFix did not delete those two files is that they appear to be newer variants of Vundo that the fix does not recognize; we'll take a closer look at that in a moment.
I would like to see a HijackThis logfile.
That's not the whole log of HJT.
Thanks.
I haven't had anything in the last AVG scan I've done,
but the name download.zlob.fc is the one that came up on scans, which it hasn't for a while.
Logfile of HijackThis v1.99.1
Scan saved at 19:01:00, on 27/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\WINDOWS\system32\svchost.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Ooo, I just noticed that there aren't any O2 BHO things anymore. They were there on the last log I had.
Open HijackThis and scan. When it finishes, put an X in the box next to these following item(s) and click fix checked.
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Please Run an Online Scan using Panda Online Scanner, When you are done scanning, please post the results in your next reply to this thread, along with a Fresh Hijackthis logfile.
Panda Active Scan Link Below:
http://www.pandasoftware.com/products/ActiveScan.htm
Thanks. :smiles:
I would use Panda, but does it use a lot of bandwidth? The problem is that I've got very limited bandwidth. Does it use a lot?
When done scanning, save the scan log somewhere you can find it. And post it in your next reply along with a Hijackthis logfile.
Thanks.
Incident Status Location
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.zedo.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Yadro Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[fe.lea.lycos.de/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Weborama Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/onestat.com Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Overture Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.overture.com/]
Spyware:Cookie/Bfast Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Xiti Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.xiti.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/888 Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.888.com/]
Spyware:Cookie/WUpd Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Adverserve Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.adverserve.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Tucows Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Toplist Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Overture Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Moritz\Cookies\moritz@atdmt[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\Moritz\Cookies\moritz@ccbill[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Moritz\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Moritz\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/PurityScan Not disinfected C:\VundoFix Backups\trfryosw.dll.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\xbyphwwp.exe.bad
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtspqr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gebawtr.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
HJT
Logfile of HijackThis v1.99.1
Scan saved at 08:48:54, on 28/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
It hasn't popped up anywhere in the recent past, although it seems to me that Panda found Vundo in the HijackThis backup...ggaaah!
EDIT: Take that back, HijackThis just tried to connect to the weird site. I know this thanks to ZoneAlarm, so I denied the connection.
Save VirtumundoBeGone.exe to your desktop.
Run VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, this is normal and expected.
When it has finished, reboot.
It will create a log on your desktop called VBG.TXT, post this log and a HiJackThis log
[03/01/2007, 7:54:45] - Terminating Process: IEXPLORE.EXE
[03/01/2007, 7:54:45] - Terminating Process: RUNDLL32.EXE
[03/01/2007, 7:54:45] - Disabling Automatic Shell Restart
[03/01/2007, 7:54:45] - Terminating Process: EXPLORER.EXE
[03/01/2007, 7:54:45] - Suspending the NT Session Manager System Service
[03/01/2007, 7:54:45] - Terminating Windows NT Logon/Logoff Manager
[03/01/2007, 7:54:45] - Re-enabling Automatic Shell Restart
[03/01/2007, 7:54:45] - File to disable: C:\WINDOWS\system32\jkhhg.dll
[03/01/2007, 7:54:45] - Renaming C:\WINDOWS\system32\jkhhg.dll -> C:\WINDOWS\system32\jkhhg.dll.vir
[03/01/2007, 7:54:45] - File successfully renamed!
[03/01/2007, 7:54:45] - Removing HKLM\...\Browser Helper Objects\{865090D5-B099-4F0A-8E51-0D1D13C5CA9D}
[03/01/2007, 7:54:45] - Removing HKCR\CLSID\{865090D5-B099-4F0A-8E51-0D1D13C5CA9D}
[03/01/2007, 7:54:45] - Adding Kill Bit for ActiveX for GUID: {865090D5-B099-4F0A-8E51-0D1D13C5CA9D}
[03/01/2007, 7:54:45] - Deleting ATLEvents/MSEvents Registry entries
[03/01/2007, 7:54:45] - Removing HKLM\...\Winlogon\Notify\jkhhg
[03/01/2007, 7:54:45] - Searching for Browser Helper Objects:
[03/01/2007, 7:54:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/01/2007, 7:54:45] - BHO 2: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/01/2007, 7:54:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 7:54:45] - No filename found. Continuing.
[03/01/2007, 7:54:45] - BHO 3: {A4FC38B0-5E0C-4547-96A2-B659DC155DEC} ()
[03/01/2007, 7:54:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 7:54:45] - Checking for HKLM\...\Winlogon\Notify\awvts
[03/01/2007, 7:54:45] - Key not found: HKLM\...\Winlogon\Notify\awvts, continuing.
[03/01/2007, 7:54:45] - BHO 4: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
[03/01/2007, 7:54:45] - ALERT: Found MSEvents Object!
[03/01/2007, 7:54:45] - BHO 5: {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} ()
[03/01/2007, 7:54:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 7:54:45] - Checking for HKLM\...\Winlogon\Notify\xgvimeje
[03/01/2007, 7:54:45] - Key not found: HKLM\...\Winlogon\Notify\xgvimeje, continuing.
[03/01/2007, 7:54:45] - Finished Searching Browser Helper Objects
[03/01/2007, 7:54:45] - *** Detected MSEvents Object
[03/01/2007, 7:54:45] - Trying to remove MSEvents Object...
[03/01/2007, 7:54:46] - Terminating Process: IEXPLORE.EXE
[03/01/2007, 7:54:46] - Terminating Process: RUNDLL32.EXE
[03/01/2007, 7:54:46] - Disabling Automatic Shell Restart
[03/01/2007, 7:54:46] - Terminating Process: EXPLORER.EXE
[03/01/2007, 7:54:46] - Suspending the NT Session Manager System Service
[03/01/2007, 7:54:46] - Terminating Windows NT Logon/Logoff Manager
[03/01/2007, 7:54:47] - Re-enabling Automatic Shell Restart
[03/01/2007, 7:54:47] - File to disable: C:\WINDOWS\system32\awtspqr.dll
[03/01/2007, 7:54:47] - Renaming C:\WINDOWS\system32\awtspqr.dll -> C:\WINDOWS\system32\awtspqr.dll.vir
[03/01/2007, 7:54:47] - File successfully renamed!
[03/01/2007, 7:54:47] - Removing HKLM\...\Browser Helper Objects\{C47A9554-195A-4769-9B13-04F15B450A39}
[03/01/2007, 7:54:47] - Removing HKCR\CLSID\{C47A9554-195A-4769-9B13-04F15B450A39}
[03/01/2007, 7:54:47] - Adding Kill Bit for ActiveX for GUID: {C47A9554-195A-4769-9B13-04F15B450A39}
[03/01/2007, 7:54:47] - Deleting ATLEvents/MSEvents Registry entries
[03/01/2007, 7:54:47] - Removing HKLM\...\Winlogon\Notify\awtspqr
[03/01/2007, 7:54:47] - Searching for Browser Helper Objects:
[03/01/2007, 7:54:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/01/2007, 7:54:47] - BHO 2: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/01/2007, 7:54:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 7:54:47] - No filename found. Continuing.
[03/01/2007, 7:54:47] - BHO 3: {A4FC38B0-5E0C-4547-96A2-B659DC155DEC} ()
[03/01/2007, 7:54:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 7:54:47] - Checking for HKLM\...\Winlogon\Notify\awvts
[03/01/2007, 7:54:47] - Key not found: HKLM\...\Winlogon\Notify\awvts, continuing.
[03/01/2007, 7:54:47] - BHO 4: {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} ()
[03/01/2007, 7:54:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 7:54:47] - Checking for HKLM\...\Winlogon\Notify\xgvimeje
[03/01/2007, 7:54:47] - Key not found: HKLM\...\Winlogon\Notify\xgvimeje, continuing.
[03/01/2007, 7:54:47] - Finished Searching Browser Helper Objects
[03/01/2007, 7:54:47] - Finishing up...
[03/01/2007, 7:54:47] - A restart is needed.
[03/01/2007, 7:54:54] - Attempting to Restart via STOP error (Blue Screen!)
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 08:01:14, on 01/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4FC38B0-5E0C-4547-96A2-B659DC155DEC} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\xgvimeje.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nyajwmxd.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I'll run AVG + AdAware now, not that it'll do much
Logfile of HijackThis v1.99.1
Scan saved at 14:52:19, on 01/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4FC38B0-5E0C-4547-96A2-B659DC155DEC} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\xgvimeje.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nyajwmxd.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
bah, this is getting annoying. I haven't had it attempt to go online in a while, but that could just be ZoneAlarm actually doing its job.
Please Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please Post: Vundofix.txt & HJT log.
anyway, Vundofix scan report:
Scan started at 15:30:32 01/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\clxcrdkh.exe
C:\WINDOWS\system32\dxmwjayn.ini
C:\WINDOWS\system32\nyajwmxd.dll
C:\WINDOWS\system32\xgvimeje.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\clxcrdkh.exe
C:\WINDOWS\system32\clxcrdkh.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\dxmwjayn.ini
C:\WINDOWS\system32\dxmwjayn.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nyajwmxd.dll
C:\WINDOWS\system32\nyajwmxd.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.9
Checking Java version...
Sun Java not detected
Scan started at 15:35:49 01/03/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.3.9
Checking Java version...
Sun Java not detected
Scan started at 10:36:05 02/03/2007
Listing files found while scanning....
VundoFix V6.3.9
Checking Java version...
Sun Java not detected
Scan started at 10:37:00 02/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\xgvimeje.dll
Beginning removal...
Performing Repairs to the registry.
Done!
that was the last one
anyway HJT:
Logfile of HijackThis v1.99.1
Scan saved at 10:45:38, on 02/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4FC38B0-5E0C-4547-96A2-B659DC155DEC} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\xgvimeje.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
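The way a helper reads a log like the one above can be written down as rules. The following is an added example, not a tool from this thread: it flags the entries the helper later had removed, using lines quoted from the 01/03/2007 log as sample input. The "8 lowercase letters" DLL heuristic and the "verify" treatment of the O17 DNS entry are my assumptions, not findings from the thread.

```python
"""Triage HijackThis v1.99 log lines for Vundo/Virtumonde-style indicators.

Added example for this thread, not a tool the helpers used. The rules mirror
what the helper removed in the logs above: unnamed BHOs whose DLL is gone
and an O4 Run entry starting rundll32 on a random 8-letter DLL in system32.
The O17 rule only asks for the DNS servers to be verified; the thread never
establishes whether those servers are bad (assumption: treat as "verify").
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = <ip> <ip>
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# The droppers in the VundoFix report above all used 8 lowercase letters
# (xgvimeje.dll, nyajwmxd.dll); that pattern is a heuristic, not a signature.
RANDOM_DLL_RE = re.compile(r"\\[sS]ystem32\\[a-z]{8}\.dll")


@dataclass
class Finding:
    line: str
    severity: str  # "high": remove via HJT fix; "verify": confirm with the user
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        name, clsid, target = m.group("name", "clsid", "target")
        gone = "(no file)" in target or "(file missing)" in target
        if name == "(no name)" and gone:
            return Finding(line, "high", f"orphaned BHO {clsid}: no name and the DLL is gone")
        if name == "(no name)" and RANDOM_DLL_RE.search(target):
            return Finding(line, "high", f"unnamed BHO {clsid} loads a random DLL from system32")
        return None
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if "rundll32" in cmd.lower() and RANDOM_DLL_RE.search(cmd):
            return Finding(line, "high", f"Run value [{m.group('key')}] starts rundll32 on a random system32 DLL")
        return None
    m = O17_RE.match(line)
    if m:
        return Finding(line, "verify", f"DNS servers {m.group('servers')}: confirm they are the ISP's")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log, keeping only the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


# Excerpt quoted from the 01/03/2007 log posted in this thread (the full log
# has many more benign lines; these are enough to exercise every rule).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4FC38B0-5E0C-4547-96A2-B659DC155DEC} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\xgvimeje.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nyajwmxd.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the excerpt above this reports four "high" entries (the three unnamed BHOs and the DllRunning value) and one "verify" entry for the DNS servers.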
You should definitely not allow it!
Please print these instructions out, or write them down, as you can't read them during the fix.
Please download MWav:
- Unzip it to its predetermined directory (C:\Kaspersky)
- Locate kavupd.exe in the new folder and double-click to Update.
- If your firewall gives any messages about this program accessing the internet, allow it.
- If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
- When you see Updates Downloaded Successfully, hit Enter to continue.
- Restart onto Safe Mode and locate the Kaspersky folder.
- Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now let's do the settings:
- Leave the Default Settings checked.
- Add a check to Drives
- This will light up All Drives
- Add a check to Scan all Files
- Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
- Please be sure it has finished before proceeding.
- Once the scan has finished, all entries identified as Infected, will be displayed in the lower panel.
- Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
- Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log.
File C:\WINDOWS\system32\awtspqr.dll.vir tagged as not-a-virus:AdWare.Win32.Virtumonde.ha. No Action Taken.
File C:\WINDOWS\system32\gebawtr.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.ha. No Action Taken.
File C:\Dokumente und Einstellungen\Moritz\Desktop\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken
File C:\Dokumente und Einstellungen\Moritz\Desktop\SmitfraudFix.zip tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
File C:\Programme\VSAdd-in\VSAdd-in.dll tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken
File C:\VundoFix Backups\clxcrdkh.exe.bad tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
File C:\VundoFix Backups\nyajwmxd.dll.bad tagged as not-a-virus:AdWare.Win32.Virtumonde.gf. No Action Taken.
File C:\VundoFix Backups\trfryosw.dll.bad tagged as not-a-virus:AdWare.Win32.Virtumonde.gf. No Action Taken.
File C:\VundoFix Backups\xbyphwwp.exe.bad tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
File C:\WINDOWS\system32\awtspqr.dll.vir tagged as not-a-virus:AdWare.Win32.Virtumonde.ha. No Action Taken.
File C:\WINDOWS\system32\gebawtr.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.ha. No Action Taken.
Total Number of Errors: 3
Logfile of HijackThis v1.99.1
Scan saved at 09:22:37, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
yeah that's it... haven't had to block anything recently...
We'll continue with this:
Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! I suggest you print these instructions out.
Download VirtumundoBegone
Save VirtumundoBeGone.exe to your desktop.
Run VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, this is normal and expected.
When it has finished, reboot.
Next:
Please download AVG Anti-Spyware
to your Desktop or to your usual Download Folder.
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido:
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Once in Safe Mode:
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
We'll get to that later on.
Could you please follow my instructions carefully and post the logs I asked for :smiles:
Thanks
[03/06/2007, 18:37:05] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Moritz\Desktop\VirtumundoBeGone.exe" )
[03/06/2007, 18:37:06] - Detected System Information:
[03/06/2007, 18:37:06] - Windows Version: 5.1.2600, Service Pack 2
[03/06/2007, 18:37:06] - Current Username: Moritz (Admin)
[03/06/2007, 18:37:06] - Windows is in NORMAL mode.
[03/06/2007, 18:37:06] - Searching for Browser Helper Objects:
[03/06/2007, 18:37:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/06/2007, 18:37:06] - BHO 2: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/06/2007, 18:37:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 18:37:06] - No filename found. Continuing.
[03/06/2007, 18:37:06] - Finished Searching Browser Helper Objects
[03/06/2007, 18:37:06] - Finishing up...
[03/06/2007, 18:37:06] - Nothing found! Exiting...
Thank you!
AVG Anti-Spyware - Scan Report
+ Created at: 19:05:40 06/03/2007
+ Scan result:
C:\WINDOWS\system32\awtspqr.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gebawtr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
:mozilla.302:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.303:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.304:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.305:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.306:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.307:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.308:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.309:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.310:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.311:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.312:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.313:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.339:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.494:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.659:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.789:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.930:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.935:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.335:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.71i : Cleaned.
:mozilla.254:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.255:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.256:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.257:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.260:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.261:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.880:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.881:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.518:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.519:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.382:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.383:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.384:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.385:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.386:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.582:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.583:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.113:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.114:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.115:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.116:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.117:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Dokumente und Einstellungen\Moritz\Cookies\moritz@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.623:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.624:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.888:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.889:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.890:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.379:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.380:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.381:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.540:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.541:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.542:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.543:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.544:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.545:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.546:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.86:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Co : Cleaned.
:mozilla.391:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.340:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.65:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.664:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.232:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.298:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.366:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.367:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.368:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.369:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.244:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.247:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.248:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.249:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.250:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.905:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.906:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.241:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.480:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.346:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.347:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.348:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.587:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.589:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.688:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.284:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned.
:mozilla.336:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.337:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.338:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.102:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.103:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.314:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Oewabox : Cleaned.
:mozilla.359:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.360:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.84:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.893:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.741:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Popularix : Cleaned.
:mozilla.560:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.561:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.562:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.317:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.318:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.319:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.267:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.268:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.536:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.894:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.895:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.896:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.897:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.898:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.686:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.687:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.159:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.75:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.76:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.77:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.78:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.79:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.80:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.81:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.82:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.83:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.122:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.123:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.124:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.125:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.126:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.127:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.692:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.118:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.488:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.489:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.490:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.491:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.638:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.273:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.766:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.420:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.176:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.177:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.178:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.179:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.180:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.181:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.182:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.183:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.184:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.185:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.186:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.187:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.188:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.189:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.190:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.191:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.192:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.193:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.528:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.529:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.903:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.61:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.62:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.63:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.64:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.730:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.731:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.732:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.733:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.734:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.735:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.736:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.251:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.522:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.523:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.524:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.588:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.422:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.133:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.134:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.135:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.136:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.396:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.397:C:\Dokumente und Einstellungen\Moritz\Anwendungsdaten\Mozilla\Firefox\Profiles\omuzp9dg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Programme\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
::Report end
found about 180 cookies, they're gone
I'll put a fresh HJT logfile whilst I'm at it, haven't done Panda yet
Logfile of HijackThis v1.99.1
Scan saved at 21:13:41, on 06/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
But there are still a few files in AVG Anti-Spyware's Quarantine.
Please empty it, and let me know how things are running.
Well the thing is I never really noticed a slow-down, it is a brand-spanking new laptop with 1 GB RAM, dual processor and loads of space, and since I don't really use it for intensive programs it's hard to tell. My football manager didn't slow down, I can still run loads of programs at once...
the only thing that I can't identify in the HJT log is the O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) entry...
Please open HiJackThis and scan. Check the boxes next to all the entries listed below
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
These are optional, but suggested to fix to speed up your computer; if you need them to start up again you can always get them back from the backups.
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
Boot your computer, let me know how things are.
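The reading of the HJT log that the helper does above (flag the orphaned O2 BHO, leave the known O4 entries, keep an eye on O16/O17/O23) can be written down as a small triage script. The following is an added example for this thread, not code from HijackThis or from any of the posters. It parses only the entry types that appear in the logs above; the sample entries are copied from those logs, while the verdict rules (an O2 entry with "(no file)" is an orphaned CLSID and safe to fix, public O17 resolvers need confirming against your ISP, O16 downloads and services with "Unknown owner" are for review) are this example's own assumptions, not statements the thread makes.

```python
"""Triage HijackThis (HJT) log entries the way a malware-removal helper reads them.

Added example for this thread; not part of HijackThis or of the original posts.
Only the entry types visible in the thread (O2, O16, O17, O23) are parsed; any
other line (O4, O9, O18, ...) is passed over without a finding.
"""
import re
from ipaddress import ip_address

# Sample entries copied from the HJT logs posted above. The verdicts produced
# for them below are this example's heuristics, not a judgement the thread makes.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{976EAC12-78F7-4D39-9294-A2BD9F05A731}: NameServer = 213.94.78.16 213.94.78.17",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
]

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def _public(addr):
    """True for a routable address; an unparsable entry is also worth a look."""
    try:
        return not ip_address(addr).is_private
    except ValueError:
        return True


def triage(lines, trusted_dns=()):
    """Return findings as (severity, kind, detail, line) tuples, in log order.

    trusted_dns: resolver addresses you have confirmed with your ISP; any O17
    resolver not in that list and not a private address is flagged for checking.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO whose CLSID is still registered but whose DLL is gone cannot
            # load anything; deleting the key is the "Fix checked" the helper asked for.
            if m["path"] == "(no file)":
                findings.append(("fix", "orphaned-bho",
                                 f"CLSID {m['clsid']} is registered as a BHO but its DLL is missing", line))
        elif m := O16_RE.match(line):
            # Downloaded Program Files are ActiveX controls pulled from a URL;
            # keep only those from a scanner or vendor you deliberately used.
            findings.append(("review", "activex-download",
                             f"ActiveX control '{m['name']}' installed from {m['url']}", line))
        elif m := O17_RE.match(line):
            # DNS-changer malware rewrites the NameServer value; public resolvers
            # are fine only when they really are the ISP's.
            unexpected = [s for s in m["servers"].split() if s not in trusted_dns and _public(s)]
            if unexpected:
                findings.append(("verify", "dns-servers",
                                 f"resolvers {unexpected} are public addresses; confirm they belong to your ISP", line))
        elif m := O23_RE.match(line):
            # A service with no publisher recorded is not malicious by itself,
            # but its binary deserves a signature or hash check.
            if m["owner"] == "Unknown owner":
                findings.append(("review", "unknown-service-owner",
                                 f"service '{m['name']}' at {m['path']} has no publisher recorded", line))
    return findings


def fix_list(findings):
    """The log lines to tick in HijackThis before 'Fix checked'."""
    return [line for sev, _kind, _detail, line in findings if sev == "fix"]


if __name__ == "__main__":
    for sev, kind, detail, line in triage(SAMPLE_LOG):
        print(f"[{sev:>6}] {kind}: {detail}\n         {line}")
    print("Tick in HJT:", fix_list(triage(SAMPLE_LOG)))
```

Run against the sample, the only entry that lands on the fix list is the "(no file)" BHO, which matches what the helper asked to be fixed; the O17 line drops out of the findings once the two resolvers are passed in as `trusted_dns`, which is the check the script cannot make for you.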
Logfile of HijackThis v1.99.1
Scan saved at 22:30:32, on 07/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
thanks a lot for the help! I'm not sure how malicious this thing was, but I've learned a hell of a lot through it in any case! And downloaded a load of new programs I never even knew existed. And I'll definitely be more careful in the future!
I'm impressed by how much time you guys dedicate to this, well done
other than that I suppose there's only one more question: do I delete all the backups etc that were created of the virus?
Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Spyware & Virus Removal Forum
If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead