Winsystem16.exe, Win32:Trojan-gen, Win32:Adware-gen Problem Pls Help

I have been facing a problem with Winsystem16.exe, Win32:Trojan-gen and Win32:Adware-gen. Pls help.

I just installed some cracked software and after that I have been facing so many problems. When I open IE, popups are coming. I manually removed some of the DLLs in the startup menu and some WINDOWS\SYSTEM32 DLLs. Yesterday I downloaded Ad-Aware and installed it. It caught some 161 infected items and removed all of them. I restarted my system a couple of times but still the same problem, the popups are coming, and now in my startup I can see Winsystem16.exe. I strongly believe that it's malware. Pls help me. I am fed up with these....

I am using Avast Anti-Virus. It has been giving indications of the malware and I am moving those into the chest. Still the problem persists! Pls help.

Comments

  • edited March 2007
    Hi creative and welcome to Short-Media. I'm checking your log, so please be patient.
  • edited March 2007
    Thanks for the quick reply. I am a new user. Pls let me know if you require more info on my problem...
  • edited March 2007
    :D Hi creative

    click here to download HJTsetup.exe and save it to your Desktop
    * Double-click on the HJTsetup.exe icon on your desktop.
    * By default it will install to C:\Program Files\Hijack This.
    * Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    * Put a check by Create a desktop icon then click Next again.
    * Continue to follow the rest of the prompts from there.
    * At the final dialogue box click Finish and it will launch Hijack This.
    * Click on the Do a system scan and save a log button. It will scan and then ask you to save the log.
    * Name the log HJTLog (or something similar), save it to your desktop, and post the log here.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required. :D
  • edited March 2007
    Hi Peku, please see the HijackThis log. Thanks for the quick response.


    Logfile of HijackThis v1.99.1
    Scan saved at 7:16:29 PM, on 3/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\winsystem16.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
    O4 - HKLM\..\Run: [Winsystem] C:\WINDOWS\system32\winsystem16.exe
    O4 - HKLM\..\RunServices: [Winsystem] C:\WINDOWS\system32\winsystem16.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: COM+ System Application Manage (COM+ System Manager) - Unknown owner - C:\WINDOWS\TEMP\svchost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  • edited March 2007
    :D hi creative

    Please open up Notepad and copy all of the items in the code box below.
    Change the "Save As Type" to "All Files" and save it as fixthis.bat on your Desktop.
    @echo off
    sc stop "COM+ System Manager"
    sc delete "COM+ System Manager"
    
    Double-click on fixthis.bat.
    A window will open and close; this is normal.

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [Winsystem] C:\WINDOWS\system32\winsystem16.exe
    O4 - HKLM\..\RunServices: [Winsystem] C:\WINDOWS\system32\winsystem16.exe
    O23 - Service: COM+ System Application Manage (COM+ System Manager) - Unknown owner - C:\WINDOWS\TEMP\svchost.exe

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Print out these instructions or save them with Notepad or Word.
    Your log seems to be clean. To make sure, please download AVG Anti-Spyware to your desktop. When ready, do the following:
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" read Quarantine
        (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" select Automatically generate report after every scan
        and uncheck Only if threats were found
      • Under "What to scan?" select Scan every file
    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    =========================================
    Reboot to safe mode
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    =========================================


    Delete this file: C:\system32\winsystem16.exe
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" read Quarantine
        (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    =========================================

    Download Deckard's System Scanner to your Desktop.

    * Close all applications and windows.
    * Double-click on Dss.exe to run it, and follow the prompts.
    * The scan may take a minute. When the scan is complete, a text file will open - Main.txt and extra.txt


    Post a fresh HijackThis log, the DSS Main.txt and extra.txt, and the AVG Anti-Spyware report.
    :D
  • edited March 2007
    Peku,
    I couldn't see the below O23 in my log. Pls help

    O23 - Service: COM+ System Application Manage (COM+ System Manager) - Unknown owner - C:\WINDOWS\TEMP\svchost.exe
  • edited March 2007
    Peku,
    I couldn't see the below O23 in my log.

    O23 - Service: COM+ System Application Manage (COM+ System Manager) - Unknown owner - C:\WINDOWS\TEMP\svchost.exe
    But I checked the entries below

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [Winsystem] C:\WINDOWS\system32\winsystem16.exe
    O4 - HKLM\..\RunServices: [Winsystem] C:\WINDOWS\system32\winsystem16.exe

    and did a Fix Checked in HijackThis.

    I went into safe mode and I couldn't delete C:\system32\winsystem16.exe because it doesn't exist there.

    In safe mode I ran AVG Anti-Spyware and DSS.EXE.
    Once the AVG scan finished I clicked 'Apply all actions' and it deleted 2 infected files, including winsystem16.exe; it asked about some corresponding file too. I clicked 'yes all'.

    I am attaching the reports here.

    AVG Report
    AVG Anti-Spyware - Scan Report
    + Created at: 11:39:44 PM 3/21/2007
    + Scan result:

    C:\WINDOWS\system32\winsystem16.exe -> Backdoor.SdBot.bdy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\I1OFEPQ5\installdrivecleanerstart[1].cab/UDC6_0001_D19M1908NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : Cleaned with backup (quarantined).

    ::Report end

    HijackThis Log

    Logfile of HijackThis v1.99.1
    Scan saved at 11:49:45 PM, on 3/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = **.***.***,**.***.***
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = **.***.***.**,**.***.***.**
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    I starred out the DNS name servers.

    Main.txt and Extra.txt are attached...

    Thanks for your great help, much appreciated! Please let me know if I need to do anything more. I think my problem still exists; the popups are coming.

    Now I have a small issue too. When I restart the PC it's trying to install 'Sonic Update Manager' and asking me to insert the 'Sonic Update Manager' disk... please guide me...
  • edited March 2007
    :D Hi creative

    What Sonic software is currently installed ?

    Rename Hijackthis.exe to Scanner.exe


    Please download VundoFix.exe to your desktop.
    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.


    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    :D post a new HijackThis log and VundoFix report
  • edited March 2007
    Peku,

    1. Roxio Sonic is installed on the PC.
    The error message shown while installing after login to the PC was:

    "An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the package 'UM.MSI'"


    2. Pls see the VundoFix report

    VundoFix V6.3.17
    Checking Java version...
    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.
    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.
    Scan started at 5:56:42 PM 3/22/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\bcbeg.bak1
    C:\WINDOWS\system32\bcbeg.bak2
    C:\WINDOWS\system32\bcbeg.ini
    C:\WINDOWS\system32\drkhpcbe.dll
    C:\WINDOWS\system32\efcyxuu.dll
    C:\WINDOWS\system32\gebcb.dll
    C:\WINDOWS\system32\iifeeff.dll
    C:\WINDOWS\system32\iifffcy.dll
    C:\WINDOWS\system32\jkkljjh.dll
    C:\WINDOWS\system32\ljjgedc.dll
    C:\WINDOWS\system32\ljjiige.dll
    C:\WINDOWS\system32\mljkiji.dll
    C:\WINDOWS\system32\opnnkkk.dll
    C:\WINDOWS\system32\pmnmmli.dll
    C:\WINDOWS\system32\pmnmmnm.dll
    C:\WINDOWS\system32\ssqpopm.dll
    C:\WINDOWS\system32\wvurqqq.dll
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\bcbeg.bak1
    C:\WINDOWS\system32\bcbeg.bak1 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\bcbeg.bak2
    C:\WINDOWS\system32\bcbeg.bak2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\bcbeg.ini
    C:\WINDOWS\system32\bcbeg.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\efcyxuu.dll
    C:\WINDOWS\system32\efcyxuu.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\gebcb.dll
    C:\WINDOWS\system32\gebcb.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\iifeeff.dll
    C:\WINDOWS\system32\iifeeff.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\iifffcy.dll
    C:\WINDOWS\system32\iifffcy.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\jkkljjh.dll
    C:\WINDOWS\system32\jkkljjh.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ljjgedc.dll
    C:\WINDOWS\system32\ljjgedc.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ljjiige.dll
    C:\WINDOWS\system32\ljjiige.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljkiji.dll
    C:\WINDOWS\system32\mljkiji.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\opnnkkk.dll
    C:\WINDOWS\system32\opnnkkk.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\pmnmmli.dll
    C:\WINDOWS\system32\pmnmmli.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\pmnmmnm.dll
    C:\WINDOWS\system32\pmnmmnm.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ssqpopm.dll
    C:\WINDOWS\system32\ssqpopm.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\wvurqqq.dll
    C:\WINDOWS\system32\wvurqqq.dll Has been deleted!
    Performing Repairs to the registry.
    Done!


    3. Please see the new HijackThis log after running VundoFix

    Logfile of HijackThis v1.99.1
    Scan saved at 6:08:02 PM, on 3/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: (no name) - {D7A76D80-1086-458A-8C2C-026BF9F4B823} - C:\WINDOWS\system32\iifeeff.dll (file missing)
    O2 - BHO: (no name) - {F7340DAC-0654-4CCF-A4F3-91639B27343B} - C:\WINDOWS\system32\gebcb.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ewiswcst.dll",setvm
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    Awaiting your earliest reply ... Thanks
  • edited March 2007
    :D Hi creative

    "Usually, a "UM.MSI" error means that the update manager may have become corrupted and needs to be reinstalled. To resolve there are three options:
    Permanently remove the Sonic Update Manager. This will not affect the performance of any Sonic/Roxio software currently installed on the system.
    Reinstall the application. If your software was bundled with hardware you may have to contact the manufacturer. While Sonic provides support for the software, the manufacturer of the bundle is in charge of any updates and replacements. Please visit the manufacturer's website for replacement discs and updates to your Sonic/Roxio software.
    This may be caused by removing certain non-Sonic/Roxio applications that share file resources with our Sonic/Roxio software. To fix, you will need to replace these files with this fix utility:
    http://tools.roxio.com/support/dell/isum_hotfix.exe
    Be sure all Sonic and Roxio applications are shut down before launching this utility. This hotfix requires a reboot. No reinstallation of the software is necessary."


    Download VirtumundoBegone and save it to your desktop.
    Now reboot into Safe Mode.
    This can be done tapping the F8 key as soon as you start your computer
    You will be brought to a menu where you can choose to boot into safe mode.
    Select safe mode with networking using your arrow keys on the keyboard and then press enter.
    When you computer reaches the desktop make sure you log in as the same user which you had performed the previous steps,
    Once you are logged into safe mode, double-click VirtumundoBeGone.exe
    file you just downloaded and follow the instructions.
    Exit when it has finished, and reboot back to normal mode.

    :D post a new HijackThis log
  • edited March 2007
    Peku ,
    1) I uninstalled Sonic Update Manager, but now Windows is trying to install the Sonic Activation Module. It is also looking for something from the CD drive .... throwing an error: "An installation package for the product Sonic Activation Module cannot be found. Try the installation again using a valid copy of the package 'Active.MSI'"


    2) Please see the new HijackThis log after running VirtumundoBeGone.exe

    Logfile of HijackThis v1.99.1
    Scan saved at 8:45:32 PM, on 3/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: (no name) - {D7A76D80-1086-458A-8C2C-026BF9F4B823} - C:\WINDOWS\system32\iifeeff.dll (file missing)
    O2 - BHO: (no name) - {F7340DAC-0654-4CCF-A4F3-91639B27343B} - C:\WINDOWS\system32\gebcb.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ewiswcst.dll",setvm
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    3) Please see the VirtumundoBeGone.exe log file


    [03/22/2007, 20:41:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\ABC\Desktop\VirtumundoBeGone.exe" )
    [03/22/2007, 20:41:40] - Detected System Information:
    [03/22/2007, 20:41:40] - Windows Version: 5.1.2600, Service Pack 2
    [03/22/2007, 20:41:40] - Current Username: ABC (Admin)
    [03/22/2007, 20:41:40] - Windows is in SAFE mode.
    [03/22/2007, 20:41:40] - Searching for Browser Helper Objects:
    [03/22/2007, 20:41:40] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
    [03/22/2007, 20:41:40] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [03/22/2007, 20:41:40] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
    [03/22/2007, 20:41:40] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    [03/22/2007, 20:41:40] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/22/2007, 20:41:40] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
    [03/22/2007, 20:41:40] - BHO 7: {D7A76D80-1086-458A-8C2C-026BF9F4B823} ()
    [03/22/2007, 20:41:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/22/2007, 20:41:40] - Checking for HKLM\...\Winlogon\Notify\iifeeff
    [03/22/2007, 20:41:40] - Key not found: HKLM\...\Winlogon\Notify\iifeeff, continuing.
    [03/22/2007, 20:41:40] - BHO 8: {F7340DAC-0654-4CCF-A4F3-91639B27343B} ()
    [03/22/2007, 20:41:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/22/2007, 20:41:40] - Checking for HKLM\...\Winlogon\Notify\gebcb
    [03/22/2007, 20:41:40] - Key not found: HKLM\...\Winlogon\Notify\gebcb, continuing.
    [03/22/2007, 20:41:40] - Finished Searching Browser Helper Objects
    [03/22/2007, 20:41:40] - Finishing up...
    [03/22/2007, 20:41:40] - Nothing found! Exiting...
  • edited March 2007
    :D Hi creative

    remove any Roxio and Sonic software from your computer

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {D7A76D80-1086-458A-8C2C-026BF9F4B823} - C:\WINDOWS\system32\iifeeff.dll (file missing)
    O2 - BHO: (no name) - {F7340DAC-0654-4CCF-A4F3-91639B27343B} - C:\WINDOWS\system32\gebcb.dll (file missing)
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ewiswcst.dll",setvm

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    Reboot to safe mode
    * If the computer is running, shut down Windows, and then turn off the power
    * Wait 30 seconds, and then turn the computer on
    * Start tapping the F8 key
    * The Windows Advanced Options Menu appears
    * Ensure that the Safe Mode option is selected
    * Press Enter. The computer then begins to start in Safe mode
    * Log in to your usual account

    delete this file: C:\system32\ewiswcst.dll

    After that, Reboot.

    Please run Panda's ActiveScan You will need to use Internet Explorer to run it.
    * Once you are on the Panda site click the Scan your PC button
    * A new window will open...click the Check Now button
    * Enter your Country
    * Enter your State/Province
    * Enter your e-mail address and click send
    * Select either Home User or Company
    * Click the big Scan Now button
    * If it wants to install an ActiveX component allow it
    * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    * When download is complete, click on My Computer to start the scan
    * When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement."
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
      • J2SE Runtime Environment 5.0 Update 6
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
    Post a new HijackThis log and ActiveScan report
    :D
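    The three entries Peku singles out above (two unnamed BHOs whose DLLs are already missing, and a Run entry that loads a system32 DLL through rundll32) are exactly the traits an analyst scans a HijackThis log for. The Python below is an added example, not code from this thread or from HijackThis: it parses lines in that log format and applies those heuristics, plus the Winlogon Notify cross-check that the VirtumundoBeGone log above performs; the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 line format. The entries are copied
# from the logs posted in this thread (GUIDs and paths as they appear there).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {D7A76D80-1086-458A-8C2C-026BF9F4B823} - C:\WINDOWS\system32\iifeeff.dll (file missing)
O2 - BHO: (no name) - {F7340DAC-0654-4CCF-A4F3-91639B27343B} - C:\WINDOWS\system32\gebcb.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ewiswcst.dll",setvm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "O2 - ..." / "R0 - ..." etc.: section code, then the entry body.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Base name of the first .dll path in an entry, e.g. "iifeeff".
DLL_RE = re.compile(r'([^\\"/]+)\.dll', re.IGNORECASE)


@dataclass
class Entry:
    section: str  # e.g. "O2"
    body: str     # text after "O2 - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


@dataclass
class Finding:
    severity: str  # "high" or "info"
    reason: str
    line: str


def parse_log(text: str) -> list:
    """Turn HijackThis log text into Entry objects, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def dll_basename(body: str):
    m = DLL_RE.search(body)
    return m.group(1).lower() if m else None


def winlogon_notify_names(entries) -> set:
    """Subkey names under Winlogon Notify, as HijackThis reports them in O20 lines."""
    names = set()
    for e in entries:
        if e.section == "O20":
            # body looks like "Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll"
            names.add(e.body.split(":", 1)[1].split(" - ")[0].strip().lower())
    return names


def triage(text: str) -> list:
    """Apply the heuristics a log reader uses to pick out entries worth fixing."""
    entries = parse_log(text)
    notify = winlogon_notify_names(entries)
    findings = []
    for e in entries:
        if e.section == "O2":
            unnamed = "(no name)" in e.body
            missing = "(file missing)" in e.body
            if unnamed and missing:
                findings.append(Finding("high", "unnamed BHO whose DLL is gone: leftover CLSID registration", e.line))
            elif unnamed:
                findings.append(Finding("high", "unnamed BHO: legitimate add-ons almost always register a name", e.line))
            base = dll_basename(e.body)
            if base and base in notify:
                # Same check VirtumundoBeGone logs: a BHO DLL that is also a
                # Winlogon Notify handler gets reloaded at every logon.
                findings.append(Finding("high", f"BHO DLL '{base}' is also a Winlogon Notify handler", e.line))
        elif e.section == "O4":
            if (re.search(r"\brundll32(\.exe)?\b", e.body, re.IGNORECASE)
                    and re.search(r'\\system32\\[^\\"]+\.dll', e.body, re.IGNORECASE)):
                findings.append(Finding("high", "Run entry loads a system32 DLL through rundll32: verify the DLL's publisher", e.line))
        elif e.section == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                findings.append(Finding("info", f"DNS servers {m.group(1)}: confirm they belong to the ISP before fixing", e.line))
        elif e.section == "O20":
            findings.append(Finding("info", "Winlogon Notify handler: review unless it belongs to a known vendor", e.line))
    return findings


def high_priority_lines(text: str) -> list:
    """Just the log lines an analyst would tick under 'Fix checked'."""
    return [f.line for f in triage(text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n       {f.line}")
```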
  • edited March 2007
    Peku, thanks for your replies..

    I was doing an ActiveScan and Avast was not allowing the download. It said there was a Win32 virus there, so I stopped Avast for a while to download the files from the Panda website; after the download I activated Avast and did a scan.

    1) Activescan report


    Incident Status Location
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@888[1].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@888[2].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@azjmp[1].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@cassava[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@drivecleaner[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@stats.drivecleaner[2].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@stats1.reliablestats[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@winantivirus[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@www.drivecleaner[1].txt
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@www.myaffiliateprogram[1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ABC\Desktop\VirtumundoBeGone.exe[²ƒÇ]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ABC\Local Settings\Temp\nsu5.tmp
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@ad.yieldmanager[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@ads.pointroll[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@atdmt[2].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@burstnet[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@casalemedia[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@doubleclick[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@fastclick[1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@hitbox[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@mediaplex[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@stats1.reliablestats[1].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@systemdoctor[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@winantivirus[2].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@www.systemdoctor[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@www.winantivirus[1].txt
    Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-2462192113-1647427830-3507357908-1006\Dc1.txt
    Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx

    2) See the HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:49:28 PM, on 3/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer = 84.203.254.34,84.203.255.34
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


    3) My problem with the Sonic Activation Module is still there. Windows is trying to install it and couldn't find it. I removed all Sonic and Roxio software from Add/Remove Programs .. I don't know why?

    4) I am still worried because in ActiveScan it found 25 + 3 spywares ....
    I have done my Java update ...

    Waiting for your earliest reply .... thanks for your help ....
  • edited March 2007
    Hi, just waiting for any reply to my problems. Please see the above post for my HijackThis logs and ActiveScan log...
    Previously Windows Installer was trying to install the Sonic Activation Module when I started my computer. Now it asks every time ... if I close the installation window, after 2 minutes it appears again ... pls help me
  • edited March 2007
    :D Hi creative

    Give this a shot

    1. Fix registry permissions
    a. Click on "Start" choose "Run", then type "regedit" and click "OK".
    b. In the Registry Editor, click on the "+" next to "HKEY_Local_Machine".
    c. Now click on the "+" next to "Software".
    d. Right-click on the key (folder) called "Roxio" and choose "Permissions".
    e. Make sure that "Administrators" and "System" have checkmarks for "Full Control" - "Allow".( This does not apply in win2000!)
    2.
    f. If you had to add those checkmarks, click on "Apply".
    g. Click on "Advanced".
    h. Put a checkmark in "Replace permission entries on all child objects with the entries shown here that apply to child objects".
    i. Click "OK".
    j. Click "OK" again.

    :D
  • edited March 2007
    Peku, I just did what you said in the previous post, but Windows is still trying to install it once I log in to the system.

    I noticed other things too: if I uncheck
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    in the startup, then it is not asking to install the Sonic Activation Module. I am not sure this is the right way to do it. Pls advise

    Please see post #14 for the HijackThis log and Panda ActiveScan result for my actual problem ... thanks for the earliest reply
  • edited March 2007
    :D Hi creative


    Open HijackThis

    - Click the Do a system scan only button
    - Check the following entries (below)

    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    Close ALL open windows
    Click Fix Checked
    Close HijackThis
    Post a new HijackThis log
  • edited March 2007
    Peku,
    Hope you have seen my post #14 for the Panda ActiveScan with 28 items shown as malware.

    1) Please see the ActiveScan log


    Incident Status Location
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@888[1].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@888[2].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@azjmp[1].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@cassava[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@drivecleaner[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@stats.drivecleaner[2].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@stats1.reliablestats[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@winantivirus[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@www.drivecleaner[1].txt
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ABC\Cookies\ABC@www.myaffiliateprogram[1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ABC\Desktop\VirtumundoBeGone.exe[²ƒÇ]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ABC\Local Settings\Temp\nsu5.tmp
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@ad.yieldmanager[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@ads.pointroll[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@atdmt[2].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@burstnet[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@casalemedia[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@doubleclick[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@fastclick[1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@hitbox[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@mediaplex[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@stats1.reliablestats[1].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@systemdoctor[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@winantivirus[2].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@www.systemdoctor[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\AAA\Cookies\AAA@www.winantivirus[1].txt
    Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-2462192113-1647427830-3507357908-1006\Dc1.txt
    Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx
    2) Please see the new HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:17 PM, on 3/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
    Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!
    \Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
    Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
    Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
    files\google\googletoolbar4.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!
    \Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
    files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
    /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462
    \GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11
    \EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
    Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
    Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
    Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11
    \REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) -
    http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer =
    84.203.254.34,84.203.255.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer =
    84.203.254.34,84.203.255.34
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1
    \msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil
    Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
    \ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
    \ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG
    Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
    Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program
    Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  • edited March 2007
    :D Hi creative


    Please delete this file using Windows Explorer (if present):
    C:\WINDOWS\system32\actskn45.ocx

    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    Click Exit on the Main menu to close the program.


    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    The program will launch and then start to download the latest definition files.
    Once the scanner is installed and the definitions downloaded, click Next.
    Now click on Scan Settings.
    In the scan settings make sure that the following are selected:

    Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)

    Scan Options:
    Scan Archives
    Scan Mail Bases

    Click OK.
    Now, under Select a target to scan, select My Computer.
    The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
    Now click on the Save as Text button.
    Save the file to your desktop.

    Copy and paste that information in your next post.

    :D
  • edited March 2007
    Peku,
    I deleted C:\WINDOWS\system32\actskn45.ocx manually.

    Please see the KASPERSKY ONLINE SCANNER REPORT:


    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 26, 2007 1:27:12 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 26/03/2007
    Kaspersky Anti-Virus database records: 285925
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target - My Computer:
    C:\
    D:\
    Scan Statistics:
    Total number of scanned objects: 49964
    Number of viruses found: 5
    Number of infected objects: 31
    Number of suspicious objects: 0
    Duration of the scan process: 00:47:21
    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\AAA\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\AAA\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\AAA\Local Settings\History\History.IE5\MSHist012007032620070327\index.dat Object is locked skipped
    C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\AAA\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\AAA\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\RECYCLER\S-1-5-21-2462192113-1647427830-3507357908-1006\Dc1.txt Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14\change.log Object is locked skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000912.exe Infected: Backdoor.Win32.SdBot.bdy skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000999.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001000.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001001.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001002.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001003.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001004.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001005.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001006.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001007.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001008.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001010.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001011.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001277.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
    C:\VundoFix Backups\efcyxuu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\gebcb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
    C:\VundoFix Backups\iifeeff.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\iifffcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\jkkljjh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\ljjgedc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\ljjiige.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\mljkiji.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\opnnkkk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\pmnmmli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\pmnmmnm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\ssqpopm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\VundoFix Backups\wvurqqq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hx skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\geebb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_7dc.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

    2) New Hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:30:11 PM, on 3/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
    Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!
    \Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
    Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
    Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
    files\google\googletoolbar4.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!
    \Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
    files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
    /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462
    \GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11
    \EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
    Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
    Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
    Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11
    \REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
    http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) -
    http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer =
    84.203.254.34,84.203.255.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF18E48-E9F1-417C-9F3E-D03CA06BB183}: NameServer =
    84.203.254.34,84.203.255.34
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1
    \msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil
    Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
    \ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
    \ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG
    Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
    Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program
    Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    Thanks for your replies. Waiting for your earliest reply.
  • edited March 2007
    :D Hi creative

    Congratulations, your log looks clean!

    You don't use any firewall?

    Please delete the following folder: C:\VundoFix Backups

    Please delete this file: C:\WINDOWS\system32\geebb.dll

    Empty the Recycle Bin.


    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    2. Restart your computer.
    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.


    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    6. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    8. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
    9. Trillian or Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


    :D
  • edited March 2007
    Peku, thanks for your great help! I'll follow the instructions as you mentioned above. Could you please let me know which firewall I can use? Any freeware? Any suggestions are most welcome!
  • edited March 2007
    Peku, thanks for your replies. You people have an outstanding forum. When I wrote my first post I was in a panic situation; now relaxed. I am so grateful to you guys! Keep up the good work!

    Just an update:

    I couldn't see this file, C:\WINDOWS\system32\geebb.dll. Do I need to do anything to delete it? Or will it be harmful to the PC? Please advise.

    I just downloaded the firewall protection only. Is that fine?

    Get ZoneAlarm® Firewall: Basic PC Protection
    - Firewall protection only
  • edited March 2007
    :D Hi creative

    Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.
    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.
    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    C:\WINDOWS\system32\geebb.dll


    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.
    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox again -> http://www.eudaemonia.me.uk/download...gfilesetup.exe)

    ZoneAlarm® Firewall :clap:

    :D
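As an added example (not from Peku's post and not part of Killbox), the following read-only PowerShell script inspects the PendingFileRenameOperations value that Delete on Reboot tools rely on and reports whether the thread's file, C:\WINDOWS\system32\geebb.dll, is actually queued for deletion. Run it before rebooting; if the entry is missing, the file would survive the reboot, which is the situation the "removed by External Process" message reports.

```powershell
# Added example, not part of the thread or of Killbox itself.
# Reads the REG_MULTI_SZ value that "Delete on Reboot" tools write and reports
# whether the given file is queued for deletion. Read-only: it changes nothing.
param(
    # Path taken from this thread; pass another path as -Target to check a different file.
    [string]$Target = 'C:\WINDOWS\system32\geebb.dll'
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

# The value is a list of string pairs: source, destination. An empty destination
# means "delete source at next boot"; a non-empty one is a rename/move.
# Paths carry the NT prefix \??\ (a destination may also start with ! to mean
# "replace existing"); both are stripped here so the paths compare cleanly.
$raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if (-not $raw) {
    Write-Output 'No pending file operations are registered (value absent or empty).'
    Write-Output ('Target still present: {0}' -f (Test-Path -LiteralPath $Target))
    return
}
$raw = @($raw)   # make sure a single entry is still treated as a list

$ops = for ($i = 0; $i -lt $raw.Count; $i += 2) {
    $src = $raw[$i]
    $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
    [pscustomobject]@{
        Action      = if ([string]::IsNullOrEmpty($dst)) { 'DELETE' } else { 'RENAME' }
        Source      = $src -replace '^\\\?\?\\', ''
        Destination = $dst -replace '^!?\\\?\?\\', ''
    }
}

# Show everything that is scheduled, not just our target: unexpected renames
# into system32 at boot time are worth a second look on a machine like this one.
$ops | Format-Table -AutoSize

# -eq on strings is case-insensitive in PowerShell, so C:\WINDOWS matches c:\windows.
$queued = $ops | Where-Object { $_.Action -eq 'DELETE' -and $_.Source -eq $Target }
if ($queued) {
    Write-Output "OK: $Target is queued for deletion at the next reboot."
} else {
    # This is the situation behind the "registry data has been removed by
    # External Process" message: the value was cleared before the reboot, so the
    # file would survive. Re-run the Delete on Reboot step and check again.
    Write-Output "WARNING: $Target is not queued for deletion."
}
Write-Output ('Target still present now: {0}' -f (Test-Path -LiteralPath $Target))
```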
  • edited March 2007
    Peku,

    When I clicked the red-white Delete File option (I chose 'Yes' to Delete on Reboot), it asked me 'File will be removed on Reboot'. I clicked the 'OK' button and the system rebooted.

    Please see the logs of Killbox.exe:

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as AAA(Administrator)
    was started @ Monday, March 26, 2007, 6:32 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\geebb.dll

    Killbox Closed(Exit) @ 6:40:58 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as AAA(Administrator)
    was started @ Monday, March 26, 2007, 6:41 PM

    Killbox Closed(Exit) @ 6:41:33 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as AAA(Administrator)
    was started @ Monday, March 26, 2007, 6:41 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\geebb.dll

    I Rebooted @ 6:47:21 PM
    Killbox Closed(Exit) @ 6:47:23 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as AAA(Administrator)
    was started @ Monday, March 26, 2007, 6:50 PM
  • edited March 2007
    When I delete once more it's giving an error like

    PendingFileRenameOperations registry data has been removed by External Process!
  • edited March 2007
    :) That's ok.
  • edited March 2007
    Thanks Peku... now panic over... I appreciate your efforts and the time you spent solving my problems!