virus problem

Unknown

Hi all i wander if you can help me please, I am trying to help a friend out who has a virus problem, here is his hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:37, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\UPHClean\uphclean.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\AltBinz\altbinz.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Windows Defender\MsMpEng.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Grisoft\AVG7\avgcc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\Documents and Settings\swampy\Desktop\HiJackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1BB1D438-E5FE-4343-A97D-760599EF6353} - E:\WINDOWS\system32\mlJDutqr.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - E:\WINDOWS\system32\nnnmnoli.dll (file missing)
O2 - BHO: {7138a472-b842-e5f9-8fa4-912945dae982} - {289ead54-9219-4af8-9f5e-248b274a8317} - E:\WINDOWS\system32\uhogwwkr.dll (file missing)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\isfjbsrs.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM7fc6f376] Rundll32.exe "E:\WINDOWS\system32\nxuuyhlj.dll",s
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: nnnmnoli - nnnmnoli.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4184 bytes

Thanks very much for all your help in advance

Veka

Hi ste26,

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

Please do a system scan with HijackThis, and check the boxes next to all the entries listed below

O2 - BHO: (no name) - {1BB1D438-E5FE-4343-A97D-760599EF6353} - E:\WINDOWS\system32\mlJDutqr.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - E:\WINDOWS\system32\nnnmnoli.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - E:\WINDOWS\system32\nnnmnoli.dll (file missing)
O2 - BHO: {7138a472-b842-e5f9-8fa4-912945dae982} - {289ead54-9219-4af8-9f5e-248b274a8317} - E:\WINDOWS\system32\uhogwwkr.dll (file missing)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\isfjbsrs.dll
O4 - HKLM\..\Run: [BM7fc6f376] Rundll32.exe "E:\WINDOWS\system32\nxuuyhlj.dll",s
O20 - Winlogon Notify: nnnmnoli - nnnmnoli.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.

ste26

Hi Vekarppe,

My friends pc seems better than it was.

Here are the results from the mbam log:-

Malwarebytes' Anti-Malware 1.11
Database version: 619

Scan type: Quick Scan
Objects scanned: 31082
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\nvcoi (Trojan.Stars) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7fc6f376 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
E:\Program Files\JavaCore (Trojan.Downloader) -> No action taken.
E:\Program Files\nvcoi (Trojan.Stars) -> No action taken.

Files Infected:
E:\WINDOWS\b153.exe (Trojan.Agent) -> No action taken.
E:\Documents and Settings\swampy\Local Settings\Temporary Internet Files\Content.IE5\93ZE2ICG\c70bfcdfc030e694a9d4fcbd6c8484af[1].zip (Trojan.Dropper) -> No action taken.
E:\Program Files\JavaCore\JavaCore.exe (Trojan.Downloader) -> No action taken.
E:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> No action taken.
E:\Program Files\nvcoi\mst.stt (Trojan.Stars) -> No action taken.
E:\WINDOWS\system32\nxuuyhlj.dll (Trojan.Agent) -> No action taken.

Here is the hijack this log:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:54, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\UPHClean\uphclean.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\swampy\Desktop\HiJackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 3434 bytes

Thanks again for all your help

Ste26

Veka

Hi, why MBAM says "no action taken?"

Please do a scan with Kaspersky Online Virus Scan

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop

ste26

Hi,

Kaspersky result as follows :-

---

KASPERSKY ONLINE SCANNER REPORT
Sunday, April 13, 2008 10:48:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/04/2008
Kaspersky Anti-Virus database records: 702181

---

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 69994
Number of viruses found: 7
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 01:00:09

Infected Object Name / Virus Name / Last Action
E:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04122008-155249.log Object is locked skipped
E:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\cert8.db Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\formhistory.dat Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\history.dat Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\key3.db Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\parent.lock Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\search.sqlite Object is locked skipped
E:\Documents and Settings\swampy\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\urlclassifier2.sqlite Object is locked skipped
E:\Documents and Settings\swampy\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\swampy\Desktop\backups\backup-20080413-155727-354.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5FF26239-3294-4A4E-9737-91E6CF747330} Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Microsoft\Windows Live Contacts\swampy1111@hotmail.co.uk\real\members.stg Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Microsoft\Windows Live Contacts\swampy1111@hotmail.co.uk\shadow\members.stg Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\Cache\_CACHE_001_ Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\Cache\_CACHE_002_ Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\Cache\_CACHE_003_ Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kspjm6h.default\Cache\_CACHE_MAP_ Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temp\Acr5489.tmp Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temp\flaFE.tmp Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temp\NERO13349\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
E:\Documents and Settings\swampy\Local Settings\Temp\~DFB5DE.tmp Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temp\~DFB603.tmp Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temp\~DFBFA8.tmp Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temp\~DFC292.tmp Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\swampy\Local Settings\Temporary Internet Files\Content.IE5\TJVDCFKV\rld[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
E:\Documents and Settings\swampy\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\swampy\ntuser.dat.LOG Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP33\A0015248.exe/data.rar/crack.exe Infected: Packed.Win32.Monder.gen skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP33\A0015248.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iwh skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP33\A0015248.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.ugy skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP33\A0015248.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ugy skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP33\A0015248.exe RarSFX: infected - 4 skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP35\A0015294.dll Object is locked skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP36\A0015317.dll Object is locked skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP36\A0015324.dll Object is locked skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP36\A0015325.dll Object is locked skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP38\A0015375.dll Object is locked skipped
E:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP39\A0018360.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
E:\WINDOWS\SchedLgU.Txt Object is locked skipped
E:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
E:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\default Object is locked skipped
E:\WINDOWS\system32\config\default.LOG Object is locked skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\SECURITY Object is locked skipped
E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
E:\WINDOWS\system32\config\software Object is locked skipped
E:\WINDOWS\system32\config\software.LOG Object is locked skipped
E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\system Object is locked skipped
E:\WINDOWS\system32\config\system.LOG Object is locked skipped
E:\WINDOWS\system32\h323log.txt Object is locked skipped
E:\WINDOWS\system32\iepeyiti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
E:\WINDOWS\system32\onkraylw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\d backup\new downloads\apps\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
F:\d backup\new downloads\apps\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
F:\d backup\new downloads\apps\mirc621.exe NSIS: infected - 2 skipped
F:\dvddsp\Cucusoft DVD to PSP Converter (Apps 2008 English)\Download_DVD2PSPReg.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
F:\dvddsp\Download_DVD2PSPReg.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP32\A0013540.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
F:\System Volume Information\_restore{F2C7954A-BCC9-43A0-ADFF-69051A2BB175}\RP40\change.log Object is locked skipped

Scan process completed.

Thanks

Ste26

Veka

Hello,

Please download ATF Cleaner by Atribune.

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==================================================

Please download the OTMoveIt2 by OldTimer

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  E:\Documents and Settings\swampy\Desktop\backups\backup-20080413-155727-354.dll
  E:\Documents and Settings\swampy\Local Settings\Temp\NERO13349\Toolbar.exe
  E:\Documents and Settings\swampy\Local Settings\Temporary Internet Files\Content.IE5\TJVDCFKV\rld[1]
  E:\WINDOWS\system32\iepeyiti.dll
  E:\WINDOWS\system32\onkraylw.dll
  F:\dvddsp\Cucusoft DVD to PSP Converter (Apps 2008 English)\Download_DVD2PSPReg.exe
  F:\dvddsp\Download_DVD2PSPReg.exe
  

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

==================================================

Please post the OTMoveIt2 log along with a fresh HijackThis.

ste26

Hi,

Here is the new hijackthis log:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37:27, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\UPHClean\uphclean.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\Program Files\AltBinz\altbinz.exe
E:\Documents and Settings\swampy\Desktop\OTMoveIt2.exe
E:\Documents and Settings\swampy\Desktop\HiJackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 3801 bytes


And the ot movieit log results as follows:-

DllUnregisterServer procedure not found in E:\Documents and Settings\swampy\Desktop\backups\backup-20080413-155727-354.dll
E:\Documents and Settings\swampy\Desktop\backups\backup-20080413-155727-354.dll NOT unregistered.
E:\Documents and Settings\swampy\Desktop\backups\backup-20080413-155727-354.dll moved successfully.
File/Folder E:\Documents and Settings\swampy\Local Settings\Temp\NERO13349\Toolbar.exe not found.
< E:\Documents and Settings\swampy\Local Settings\Temporary Internet Files\Content.IE5\TJVDCFKV\rld[1] >
File/Folder E:\Documents and Settings\swampy\Local Settings\Temporary Internet Files\Content.IE5\TJVDCFKV\rld[1] not found.
DllUnregisterServer procedure not found in E:\WINDOWS\system32\iepeyiti.dll
E:\WINDOWS\system32\iepeyiti.dll NOT unregistered.
E:\WINDOWS\system32\iepeyiti.dll moved successfully.
DllUnregisterServer procedure not found in E:\WINDOWS\system32\onkraylw.dll
E:\WINDOWS\system32\onkraylw.dll NOT unregistered.
E:\WINDOWS\system32\onkraylw.dll moved successfully.
F:\dvddsp\Cucusoft DVD to PSP Converter (Apps 2008 English)\Download_DVD2PSPReg.exe moved successfully.
F:\dvddsp\Download_DVD2PSPReg.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04142008_153500

Thanks again for all your help

Ste26

Veka

How is your computer doing now?

ste26

me mates pc is working great now ty very much for all your help, much appreciated :-)

Veka

Very good.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clean up System Restore

You can find instructions on how to disable and enable System Restore from these guides:

Disable And Enable System Restore
Windows XP System Restore Guide

Make Your Internet Explorer More Secure

This can be done by following these simple instructions:

• From within Internet Explorer click on the tools menu and then click on Options
• Click once on the "Security" tab
• Click once on the "Internet" icon so it becomes highlighted
• Click once on the Custom Level button.
  • Change the "Download signed ActiveX" controls to Prompt
  • Change the "Download unsigned ActiveX" controls to Disable
  • Change the "Initialize and script ActiveX controls" not marked as safe to Disable
  • Change the "Launching programs and files in an IFRAME" to Prompt
  • Change the "Navigate sub-frames across different domains" to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Note that Internet Explorer is not the most secure browser. There are safer (and better) alternatives available like Opera and Firefox.

Keep Your System Up to date

It is imperative that you keep your Windows, Antivirus, and other softwares up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit Microsoft Windows Update site regularly.

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

Additional Utilities and Tips to Enhance Your Safety

• MVPS Hosts file --- The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
• Comodo BOCLEAN --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
• Winpatrol --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software

Get more knowledge about how to protecet your computer and prevent malware issues by reading these short articles:

• How to prevent Malware by miekiemoes
• So How Did I Get Infected In First Place by Tony Klein
• Ten Commandments for Your Computer Sanity by BitDefender

Happy surfing and stay clean!

Veka

Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead

_______________________________

Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.