Can anyone help me to remove virus (RESOLVED)

Hi there,

I'm wondering if anyone can help me?

My computer has a virus, which is using almost all of my internet access. AVG finds nothing, and Adaware picks up two registry keys which keep replicating themselves. Could be something called Dreve.exe, or 'netini' (with 5 digits in front of it), both of which I found in the list of recent files.

I just deleted Dreve.exe but the problem is still there!! I can't delete the 'netini' application.

Here is a HijackThis log (it's very long sorry):

Logfile of HijackThis v1.99.1
Scan saved at 9:26:06 PM, on 26/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...Dhtml%26zy%3Dl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\byxywxy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [newname] c:\\newname25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [ccube_Cleanup] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cacu_001.e xe" /cleanup
O4 - HKLM\..\RunOnce: [ccube_Uninstall_Lock] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cazz_001.e xe" /null
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\Go ogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/082c26ed...p/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123577020750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O20 - Winlogon Notify: byxywxy - C:\WINNT\SYSTEM32\byxywxy.dll
O20 - Winlogon Notify: gebyxxu - C:\WINNT\SYSTEM32\gebyxxu.dll
O20 - Winlogon Notify: ljjkihf - C:\WINNT\SYSTEM32\ljjkihf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINNT\winmgr.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe (file missing)

Hi,



Download AVG anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right click on ewido in the system tray and uncheck "Start with Windows".
3. Go to Start > Run and type: services.msc
4. Press "OK".
5. In Services, click the "Extended tab" and scroll down the list to find AVG anti-spyware 7.5 guard.
6. When you find the guard service, double-click on it.
7. In the Properties Window > General Tab that opens, click the "Stop" button.
8. From the drop-down menu next to "Startup Type", click on "Manual".
9. Now click "Apply", then "OK" and close the Services window.
10. Once the setup is complete you will need run AVG anti-spyware and update the definition files.
11. On the main screen select the icon "Update" then select the "Update now" link.
12. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, manually update with the AVG anti-spyware Full database installer from here.

[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".[*]Under "Reports"

• Select "Automatically generate report after every scan"
• Un-Select "Only if threats were found"

Close AVG anti-spyware Do Not run a scan yet.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

• Lauch AVG anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.

Now close AVG anti-spyware..

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Post a new hjackthis log please.

__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Hi again,
I did everything you suggested, with success up until I had to go into safe mode. It let me select safe mode but then wouldn't let me actually get into it. It showed the error message below, which I've been seeing for the last few days when I try to get into safe mode:

"***STOP: 0x0000000A (0xED51B354), 0x000000FF, 0x00000001, 0x80464109)
IRQL_NOT_LESS_OR_EQUAL
***Address 80464109 base at 8040000, DateStamp 4344ec59 - ntoskrnl.exe

If this is the first time you've seen this Stop error screen, restart your computer...."

The message goes on a bit more, telling me to check new programs etc. Any further suggestions would be appreciated. I've refrained from running the AVG scan, although it immediately informed me that there were several threats on the computer!

Many thanks.

Hi,


Run AVG from normal mode, post the log and a new hijackthis log please.

__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Hello again,

AVG scan:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
A V G A n t i - S p y w a r e - S c a n R e p o r t
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

+ C r e a t e d a t : 1 2 : 5 8 : 0 9 P M 2 8 / 1 0 / 2 0 0 6

+ S c a n r e s u l t :

C : \ W I N N T \ s y s t e m 3 2 \ b y x y w x y . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ g e b x v s r . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ g e b y x x u . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ i i f d a b x . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ i i f e c a x . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ l j j j j g f . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ l j j k i h f . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ m l j j j i f . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ m l j j k h e . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ m l j j k k h . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ n n n o l m l . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ o p n l j h e . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ q o m j k j h . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ t u v t r o o . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ t u v u r q q . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ u r q q r r p . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ v t u u s s p . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ w v u s p q p . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ w v u t t s q . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ y a y v u v t . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ y a y y v w w . d l l - > A d w a r e . V i r t u m o n d e : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ W I N N T \ s y s t e m 3 2 \ C o m \ d r e v e . e x e - > D o w n l o a d e r . A d l o a d . f u : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .





: : R e p o r t e n d

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:08:37 PM, on 28/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\UAService7.exe
C:\WINNT\winmgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\cidaemon.exe
C:\Program Files\HijackTHis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\byxywxy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [newname] c:\\newname25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/082c26ed...p/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123577020750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O20 - Winlogon Notify: byxywxy - byxywxy.dll (file missing)
O20 - Winlogon Notify: gebyxxu - gebyxxu.dll (file missing)
O20 - Winlogon Notify: ljjkihf - ljjkihf.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINNT\winmgr.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe (file missing)


I still can't get into safe mode.

Thanks again,
Velvet.

Thanks,


Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Hi again,
Here are the logfiles:

VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.6

Scan started at 6:02:00 PM 30/10/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


Logfile of HijackThis v1.99.1
Scan saved at 6:15:58 PM, on 30/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\UAService7.exe
C:\WINNT\winmgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\WINNT\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\byxywxy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [newname] c:\\newname25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/082c26ed...p/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123577020750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O20 - Winlogon Notify: byxywxy - byxywxy.dll (file missing)
O20 - Winlogon Notify: gebyxxu - gebyxxu.dll (file missing)
O20 - Winlogon Notify: ljjkihf - ljjkihf.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINNT\winmgr.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe (file missing)


Thanks,
Velvet.

Different ways for safe mode:

http://support.microsoft.com/kb/315222


If you can get into safe mode do everything from post #2 please.

__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Hi there,

Managed to get into safe mode after I deleted Nero. The AVG scan found Dreve.exe (downloader) again even though I'd removed it previously, so it's being generated from somewhere else?! Ran BFU as suggested.

The AVG log saved as a blank document for some reason.

I tried to get on the net after I ran the scan and BFU, but the downloader still appears to be doing its thing.

Logfile of HijackThis v1.99.1
Scan saved at 10.21.50 PM, on 31/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\gebyyxu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/082c26ed...p/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123577020750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O20 - Winlogon Notify: byxywxy - byxywxy.dll (file missing)
O20 - Winlogon Notify: gebyxxu - gebyxxu.dll (file missing)
O20 - Winlogon Notify: gebyyxu - C:\WINNT\SYSTEM32\gebyyxu.dll
O20 - Winlogon Notify: ljjkihf - ljjkihf.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINNT\winmgr.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe (file missing)

Thanks, Velvet.

Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have avaiable backups in case you fix the wrong thing or I make a mistake. Very important.




Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find Microsoft Windows Spooler Service.

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Next:

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Microsoft Windows Spooler Service and press OK. OK any prompts, close HijackThis, and restart your computer.





* Double-click VundoFix.exe to run it.
* Put a check next to "Run VundoFix as a task."
* You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
* When VundoFix re-opens, click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* If it says "No infected files were found", right-click the blank listbox (white box) in the main VundoFix window.
* Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window that says "Paste files into the boxes below:"




* In the top/first field, copy and paste the path to the dll: C:\WINDOWS\system32\gebyyxu.dll

* In the next/second field, copy and paste the path to the reversed file:

C:\WINDOWS\system32\uxyybeg.*



* Click the "Add Files" button.
* Click the "Close Window" button.
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click "YES".
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click "OK".
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Please re-scan with AVG anti-spyware after the above from safe mode if possible.

__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.