Need Help Removing Malware - Hijackthis log

Unknown · June 2007

Hi. I could really use some help in removing this malware. Here are my Activescan and Hijack this log files with my combo fix and vundofix files as well
Your help will be greatly appreciated. Thanks...

Panda active scan...

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\SYSTEM32\jkhhf.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\SYSTEM32\Process.exe
Potentially unwanted tool:application/bestoffer Not disinfected C:\WINNT\SMDAT32M.SYS
Adware:adware/gator Not disinfected C:\WINNT\GatorPatch.log
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NIRCMD.EXE
Spyware:Spyware/Vundo Not disinfected C:\Documents and Settings\All Users\Application Data\SecTaskMan\adgadxej.dll.q_63AC634_q
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.adtech.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.as1.falkag.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.as-eu.falkag.net/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.ath.belnk.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.belnk.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.bs.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.dist.belnk.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.i.screensavers.com/]
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.metriweb.be/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.microsofteup.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.searchportal.information.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Christiane\Application Data\Mozilla\Firefox\Profiles\zuw8bu3g.default\COOKIES.TXT[.tribalfusion.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Spyware Removal Tools\VirtumundoBeGone.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Program Files\Spyware Removal Tools\ComboFix.exe[ComboFixT\nircmd.exe]

VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 09:01:00 2007-06-07

Listing files found while scanning....

No infected files were found.

VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 14:03:14 2007-06-07

Listing files found while scanning....

VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 14:09:20 2007-06-07

Listing files found while scanning....

No infected files were found.

Beginning removal...

Combofix

"Haden" - 07/06/2007 8:51:50 Service Pack 4
ComboFix 07-06-3B - Running from: "C:\Program Files\Spyware Removal Tools\"

((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))

2007-06-07 08:46 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_67c.dat
2007-06-06 15:50 <DIR> d

C:\Program Files\Photo-Screensavers.com
2007-06-06 13:21 <DIR> d

C:\Program Files\MSXML 6.0
2007-06-06 13:17 <DIR> d---s---- C:\DOCUME~1\Haden\UserData
2007-06-06 12:33 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\ArcSoft
2007-06-06 10:40 0 --a

C:\WINNT\SYSTEM32\vtuts.dll
2007-06-06 10:28 <DIR> d

C:\Program Files\Prevx2
2007-06-06 10:28 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Prevx
2007-06-06 10:28 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-06-06 09:49 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-06-06 09:13 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Tenebril
2007-06-06 09:11 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-06-06 09:08 180,224 --a

C:\WINNT\SYSTEM32\archlib.dll
2007-06-06 09:08 <DIR> d

C:\WINNT\SYSTEM32\tenarchlib
2007-06-05 23:32 679,951 --a

C:\WINNT\SYSTEM32\nqtwa.bak1
2007-06-05 14:58 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\AdobeUM
2007-06-05 09:48 <DIR> d

C:\Program Files\Spyware Removal Tools
2007-06-05 09:22 16,384 --a

C:\WINNT\SYSTEM32\Perflib_Perfdata_6a0.dat
2007-06-05 08:52 53,248 --a

C:\WINNT\SYSTEM32\Process.exe
2007-06-05 08:52 51,200 --a

C:\WINNT\SYSTEM32\dumphive.exe
2007-06-05 08:52 288,417 --a

C:\WINNT\SYSTEM32\SrchSTS.exe
2007-06-05 08:45 684,515 --a

C:\WINNT\SYSTEM32\fhhkj.bak2
2007-06-01 18:10 8,192 --a

C:\ntuser.dat
2007-06-01 17:52 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Lavasoft
2007-06-01 17:42 <DIR> d

C:\Program Files\Ultimate Fixer
2007-06-01 17:36 <DIR> d

C:\Program Files\Firefox
2007-06-01 15:09 <DIR> d

C:\Program Files\Common Files\Macrovision Shared
2007-06-01 15:09 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-01 14:51 684,515 --a

C:\WINNT\SYSTEM32\fhhkj.bak1
2007-06-01 14:51 263,220 --a

C:\WINNT\SYSTEM32\jkhhf.dll.vir
2007-05-31 17:27 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Google
2007-05-25 17:28 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Ahead
2007-05-25 17:22 82,432 --a

C:\WINNT\SYSTEM32\drmstor.dll
2007-05-25 17:22 301,712 --a

C:\WINNT\SYSTEM32\drmclien.dll
2007-05-25 09:31 <DIR> d

C:\Program Files\Common Files\ACD Systems
2007-05-25 09:15 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\ACD Systems
2007-05-25 09:00 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Real
2007-05-25 08:54 <DIR> d--h

C:\WINNT\PIF
2007-05-24 14:51 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Skype
2007-05-24 10:57 <DIR> d

C:\Program Files\Desktop Backgrounds
2007-05-24 10:40 <DIR> d

C:\Program Files\Icons
2007-05-24 10:36 16,384 --a

C:\WINNT\SYSTEM32\Perflib_Perfdata_1ac.dat
2007-05-23 13:47 <DIR> d

C:\DOCUME~1\Haden\log
2007-05-23 13:34 3,532 --a

C:\WINNT\SYSTEM32\tmp.reg
2007-05-23 13:25 77,312 --a

C:\WINNT\ua2.dll
2007-05-23 13:20 <DIR> d

C:\WINNT\Content.IE5
2007-05-23 12:26 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Autodesk
2007-05-23 12:23 <DIR> d

C:\quarantine
2007-05-23 12:17 <DIR> d

C:\Google Desktop Data
2007-05-23 12:16 1,220,608 --ah

C:\DOCUME~1\Haden\NTUSER.DAT
2007-05-23 12:16 <DIR> d

C:\DOCUME~1\Haden\APPLIC~1\Help
2007-05-23 10:50 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-21 08:54 <DIR> d

C:\DOCUME~1\Deirdre\APPLIC~1\ArcSoft
2007-05-11 13:33 <DIR> d

C:\Program Files\Skype
2007-05-11 13:33 <DIR> d

C:\Program Files\Common Files\Skype
2007-05-11 13:33 <DIR> d

C:\DOCUME~1\Deirdre\APPLIC~1\Skype
2007-05-11 13:33 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 14:50:46 313,921 ----a-w C:\WINNT\system32\etnz.scr
2007-04-13 16:55:38

d

w C:\Program Files\Lavasoft
2007-04-13 16:55:14

d

w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-13 09:44:50 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [22/10/06 23:08 ]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}=C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [07/05/07 10:32 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [31/05/05 01:04 ]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [10/01/06 12:09 ]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [22/10/06 23:20 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\SYSTEM32\mobsync.exe]
"TCASUTIEXE"="TCAUDIAG -off" []
"POINTER"="point32.exe" []
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [21/09/00 14:34 ]
"SxgTkBar"="SxgTkBar.exe" [10/04/00 08:10 C:\WINNT\SYSTEM32\sxgtkbar.exe]
"Adaptec DirectCD"="C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" [29/06/00 03:01 ]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [18/08/04 08:00 ]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/03 09:48 ]
"nwiz"="nwiz.exe" [28/07/03 15:19 C:\WINNT\SYSTEM32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/05 23:46 ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [17/05/07 08:47 ]
"RegistryMechanic"="" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22/10/06 23:24 ]
"@=" []
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [03/06/07 15:59 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccywvu]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmiu32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll,c:\progra~1\google\google~2\goec62~1.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 08:55:49
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/06/2007 8:59:51

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 14:25, on 2007-06-07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Spyware Removal Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - (no file)
O2 - BHO: (no name) - {A6291EA0-7EEA-4B49-B38B-35829EDB91AB} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = okeeffearch.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = okeeffearch.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll,c:\progra~1\google\google~2\goec62~1.dll
O20 - Winlogon Notify: fccywvu - C:\WINNT\
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: winmiu32 - C:\WINNT\
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

Baabiouz · June 2007

Hi and welcome to Icrontic!

#1.

Please visit Virustotal
* Click the Browse... button
* Navigate to the file C:\WINNT\SYSTEM32\archlib.dll
* Click the Open button
* Click the Send button
* Copy and paste the results back here

#2.

Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

Ultimate Fixer

Please note any other programs that you dont recognize in that list in your next response

#3.

Open Vundofix

Right click the list box (white box) in the main VundoFix window.
Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
In the Window: copy and paste next in the first field: C:\WINNT\SYSTEM32\awtqn.dll
Copy and paste next in the second field: C:\WINNT\SYSTEM32\vtuts.dll
Add this file too:C:\WINNT\SYSTEM32\jkhhf.dll
Click the “Add Files” button.
Click the "Close Window" button.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

#4.

Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - (no file)
O2 - BHO: (no name) - {A6291EA0-7EEA-4B49-B38B-35829EDB91AB} - (no file)
O20 - Winlogon Notify: fccywvu - C:\WINNT\
O20 - Winlogon Notify: winmiu32 - C:\WINNT\

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

#5.

Run AVG Anti-Spyware:

Please do the following...

1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.

#6.

Please, send virustotal results, vundofix log, AVG Anti-Spyware and a fresh HjT log.

koseyboy · June 2007

Thanks for your help. I'm all fixed now. Thanks again and sorry for any inconvienience.

Baabiouz · June 2007

Have you done those?

Please, send virustotal results, vundofix log, AVG Anti-Spyware and a fresh HjT log.

koseyboy · June 2007

I got it sorted myself thanks. Had a friend check out the computer and he sorted it all out for me. Thanks again and can you please close this thread. Thank you :smiles:

Baabiouz · June 2007

Okay.. (i can't close.. )

Baabiouz · July 2007

This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

If you are not the user who started this thread, you must start a new Thread instead

Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here

Need Help Removing Malware - Hijackthis log

Comments