Adware Problem(RESOLVED)

Erich · #1 (**permalink**) 28-05-2007, 06:18 PM

My computer has been randomly popping some sort of antivirus ad. It has been also having some problems when I shut it down and turn it back on. For some reason, when I do this, it takes much longer than normal (about a minute and a half) to turn off or to go from the windows loading screen to the loagging screen. After I'm able to log in, it takes about another minute for the start bar and the icons to appear. I think I most have some type of adware or virus, please help

Thanks, here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:47 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erich\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C311E7-C310-4E94-8D98-FEB18A82FB73} - C:\WINDOWS\system32\xwitekxg.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\woxymspw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F6DC1E5-32D0-4028-942D-2EF07F9F59AE} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __c0017BA9 - C:\WINDOWS\system32\__c0017BA9.dat
O20 - Winlogon Notify: __c0019DF9 - C:\WINDOWS\system32\__c0019DF9.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Neal · #2 (**permalink**) 29-05-2007, 02:48 AM

Welcome,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Erich · #3 (**permalink**) 29-05-2007, 07:23 AM

SDFix Report:

SDFix: Version 1.85

Run by Erich - Mon 05/28/2007 - 22:14:24.92

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Erich\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2

34 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C311E7-C310-4E94-8D98-FEB18A82FB73} - C:\WINDOWS\system32\xwitekxg.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\woxymspw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F6DC1E5-32D0-4028-942D-2EF07F9F59AE} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\Erich\Desktop\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Erich · #4 (**permalink**) 29-05-2007, 04:43 PM

Today, when I turned on my computer, the "finished" I was waiting to appear after rebooting the computer in safe mode finally appeared. So the information given above most be inconclusive. I'm sorry about that. Here is the new actualized report:

SDFix Report:

SDFix: Version 1.85

Run by Erich - Mon 05/28/2007 - 22:14:24.92

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Erich\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Checking For Files with Hidden Attributes:

Finished

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:59 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C311E7-C310-4E94-8D98-FEB18A82FB73} - C:\WINDOWS\system32\xwitekxg.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\woxymspw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F6DC1E5-32D0-4028-942D-2EF07F9F59AE} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __c0017BA9 - C:\WINDOWS\system32\__c0017BA9.dat
O20 - Winlogon Notify: __c0019DF9 - C:\WINDOWS\system32\__c0019DF9.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Neal · #5 (**permalink**) 29-05-2007, 07:49 PM

SDFix should it did not find the files but they are gone now so it looks like it nailed them anyway.

Now let's go after the other infection you have.

Thanks,

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post a new hijackthis log also please like this:

Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

Erich · #6 (**permalink**) 29-05-2007, 11:27 PM

VundoFix Log

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 6:00:25 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 6:02:52 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:39 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C311E7-C310-4E94-8D98-FEB18A82FB73} - C:\WINDOWS\system32\xwitekxg.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\woxymspw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F6DC1E5-32D0-4028-942D-2EF07F9F59AE} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __c0017BA9 - C:\WINDOWS\system32\__c0017BA9.dat
O20 - Winlogon Notify: __c0019DF9 - C:\WINDOWS\system32\__c0019DF9.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Combofix log:

"Erich" - 2007-05-29 18:14:24 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Erich\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))) )))))

C:\WINDOWS\system32\woxymspw.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

"C:\WINDOWS\j.exe"

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

2007-05-29 18:00 <DIR> d-------- C:\VundoFix Backups
2007-05-28 21:32 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-05-28 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-05-28 12:36 <DIR> d-------- C:\WINDOWS\CSC
2007-05-27 23:59 405 --a------ C:\xcrashdump.dat
2007-05-27 22:22 <DIR> d-------- C:\DOCUME~1\Erich\APPLIC~1\Lavasoft
2007-05-27 18:32 35,840 --a------ C:\WINDOWS\system32\__c0019DF9.dat
2007-05-27 18:32 35,840 --a------ C:\WINDOWS\system32\__c0017BA9.dat
2007-05-27 18:32 35,840 --a------ C:\WINDOWS\j.exe.dat
2007-05-27 17:20 124,436 --a------ C:\WINDOWS\system32\xwitekxg.dll
2007-05-27 12:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-05-27 12:27 <DIR> d-------- C:\Program Files\Nero
2007-05-27 00:14 <DIR> d-------- C:\DOCUME~1\Erich\APPLIC~1\Ahead
2007-05-05 13:20 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-05-05 13:20 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-05-05 13:20 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-05-05 13:20 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-05-05 13:20 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-05-05 13:20 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-05-05 13:19 5,376 --------- C:\WINDOWS\system32\drivers\udffsrec.sys
2007-05-05 13:19 38,784 --------- C:\WINDOWS\system32\drivers\ivicd.sys
2007-05-05 13:19 21,060 --a------ C:\WINDOWS\system32\iviaspi.sys
2007-05-05 13:19 21,060 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2007-05-05 13:19 126,592 --------- C:\WINDOWS\system32\drivers\IviUdf.sys
2007-05-05 13:19 <DIR> d-------- C:\Program Files\InterVideo
2007-05-05 13:10 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-05-05 13:10 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-05-05 13:10 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-05-05 13:10 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2007-05-05 13:10 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2007-05-05 13:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Minnetonka Audio Software

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

2007-05-29 21:55:27 -------- d-----w C:\DOCUME~1\Erich\APPLIC~1\uTorrent
2007-05-29 16:28:44 35,840 ----a-w C:\WINDOWS\system32\__c0019DF9.dat
2007-05-29 06:36:04 -------- d-----w C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2007-05-29 01:58:49 35,840 ----a-w C:\WINDOWS\system32\__c0017BA9.dat
2007-05-27 23:38:22 -------- d-----w C:\Program Files\MSN Messenger
2007-05-23 03:58:17 -------- d-----w C:\Program Files\Winamp
2007-05-05 17:42:49 -------- d-----w C:\Program Files\QuickTime
2007-05-05 17:20:40 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-01 00:49:22 -------- d-----w C:\DOCUME~1\Erich\APPLIC~1\U3
2007-04-17 02:50:26 -------- d-----w C:\DOCUME~1\Erich\APPLIC~1\Apple Computer
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-07 23:51:00 129,784 ------w C:\WINDOWS\system32\pxafs.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{34C311E7-C310-4E94-8D98-FEB18A82FB73}=C:\WINDOWS\system32\xwitekxg.dll [2007-05-27 17:20]
{4B646AFB-9341-4330-8FD1-C32485AEE619}=C:\WINDOWS\system32\woxymspw.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 02:22]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-05-18 15:26]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 04:45]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 10:57]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 16:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0017BA9]
C:\WINDOWS\system32\__c0017BA9.dat

Combofix (quarantined files) Log:

Code:

2007-05-27 17:26      50745    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\woxymspw.dll.vir
2007-05-27 18:32      52736    --a------    C:\Qoobox\Quarantine\C\WINDOWS\j.exe.vir


Folder PATH listing
Volume serial number is ECDD-094C
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       |   j.exe.vir
    |       |   
    |       \---system32
    |               woxymspw.dll.vir
    |               
    \---Registry_backups

"Foolyou" log:
Logfile of HijackThis v1.99.1
Scan saved at 6:16:46 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\foolyou.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C311E7-C310-4E94-8D98-FEB18A82FB73} - C:\WINDOWS\system32\xwitekxg.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\woxymspw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F6DC1E5-32D0-4028-942D-2EF07F9F59AE} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __c0017BA9 - C:\WINDOWS\system32\__c0017BA9.dat
O20 - Winlogon Notify: __c0019DF9 - C:\WINDOWS\system32\__c0019DF9.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Neal · #7 (**permalink**) 30-05-2007, 02:41 AM

Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Re-hide after we are done

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste this 1 entries below into the top box

C:\WINDOWS\system32\xwitekxg.dll

Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Then...

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next files:one at a time

C:\WINDOWS\system32\__c0019DF9.dat
C:\WINDOWS\system32\__c0017BA9.dat
C:\WINDOWS\j.exe.dat
C:\WINDOWS\system32\ssprs.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

If that one is to busy here is another option:

http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html

Thanks

Erich · #8 (**permalink**) 30-05-2007, 04:44 AM

VundoFix Log:

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 6:19:04 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:54:12 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:55:25 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10

23 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:59:29 PM 5/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xwitekxg.dll
C:\WINDOWS\system32\xwitekxg.dll Has been deleted!

Performing Repairs to the registry.
Done!

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:55 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\foolyou.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C311E7-C310-4E94-8D98-FEB18A82FB73} - C:\WINDOWS\system32\xwitekxg.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\woxymspw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F6DC1E5-32D0-4028-942D-2EF07F9F59AE} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __c0017BA9 - C:\WINDOWS\system32\__c0017BA9.dat
O20 - Winlogon Notify: __c0019DF9 - C:\WINDOWS\system32\__c0019DF9.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

C:\WINDOWS\system32\__c0019DF9.dat Scan:

Complete scanning result of "__c0019DF9.dat", received in VirusTotal at 05.30.2007, 05:10:58 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 TR/Hijack.Zeroups
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.29.2007 no virus found
AVG 7.5.0.467 05.29.2007 no virus found
BitDefender 7.2 05.30.2007 Trojan.Vmcopup.A
CAT-QuickHeal 9.00 05.29.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.29.2007 Trojan.DownLoader.22964
eSafe 7.0.15.0 05.29.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.30.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 Packed.Win32.Morphine.a
Ikarus T3.1.1.8 05.29.2007 MalwareScope.Trojan-Spy.BZub.1
Kaspersky 4.0.2.24 05.30.2007 Packed.Win32.Morphine.a
McAfee 5041 05.29.2007 no virus found
Microsoft 1.2503 05.29.2007 VirTool:Win32/Obfuscator.E
NOD32v2 2296 05.29.2007 no virus found
Norman 5.80.02 05.29.2007 W32/BHO.QG
Panda 9.0.0.4 05.30.2007 Suspicious file
Prevx1 V2 05.30.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.30.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.29.2007 no virus found
Webwasher-Gateway 6.0.1 05.30.2007 Trojan.Hijack.Zeroups

Aditional Information
File size: 35840 bytes
MD5: d5dfea21649b74b0612a6b051e984405
SHA1: 83b09798a305524e30926d5ecf993cefe7fea432
packers: MORPHINE

C:\WINDOWS\system32\__c0017BA9.dat Scan:

Complete scanning result of "__c0017BA9.dat", received in VirusTotal at 05.30.2007, 05:25:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.1 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 TR/Hijack.Zeroups
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.29.2007 no virus found
AVG 7.5.0.467 05.29.2007 no virus found
BitDefender 7.2 05.30.2007 Trojan.Vmcopup.A
CAT-QuickHeal 9.00 05.29.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.29.2007 Trojan.DownLoader.22964
eSafe 7.0.15.0 05.29.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.30.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 Packed.Win32.Morphine.a
Ikarus T3.1.1.8 05.29.2007 MalwareScope.Trojan-Spy.BZub.1
Kaspersky 4.0.2.24 05.30.2007 Packed.Win32.Morphine.a
McAfee 5041 05.29.2007 no virus found
Microsoft 1.2503 05.29.2007 VirTool:Win32/Obfuscator.E
NOD32v2 2296 05.29.2007 no virus found
Norman 5.80.02 05.29.2007 W32/BHO.QG
Panda 9.0.0.4 05.30.2007 Suspicious file
Prevx1 V2 05.30.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.30.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.29.2007 no virus found
Webwasher-Gateway 6.0.1 05.30.2007 Trojan.Hijack.Zeroups

Aditional Information
File size: 35840 bytes
MD5: d5dfea21649b74b0612a6b051e984405
SHA1: 83b09798a305524e30926d5ecf993cefe7fea432
packers: MORPHINE

C:\WINDOWS\j.exe.dat Scan:

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 TR/Hijack.Zeroups
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.29.2007 no virus found
AVG 7.5.0.467 05.29.2007 no virus found
BitDefender 7.2 05.30.2007 Trojan.Vmcopup.A
CAT-QuickHeal 9.00 05.29.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.29.2007 Trojan.DownLoader.22964
eSafe 7.0.15.0 05.29.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.30.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 Packed.Win32.Morphine.a
Ikarus T3.1.1.8 05.29.2007 MalwareScope.Trojan-Spy.BZub.1
Kaspersky 4.0.2.24 05.30.2007 Packed.Win32.Morphine.a
McAfee 5041 05.29.2007 no virus found
Microsoft 1.2503 05.29.2007 VirTool:Win32/Obfuscator.E
NOD32v2 2296 05.29.2007 no virus found
Norman 5.80.02 05.29.2007 W32/BHO.QG
Panda 9.0.0.4 05.30.2007 Suspicious file
Prevx1 V2 05.30.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.30.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.29.2007 no virus found
Webwasher-Gateway 6.0.1 05.30.2007 Trojan.Hijack.Zeroups

Aditional Information
File size: 35840 bytes
MD5: d5dfea21649b74b0612a6b051e984405
SHA1: 83b09798a305524e30926d5ecf993cefe7fea432
packers: MORPHINE

C:\WINDOWS\system32\ssprs.dll Scan:

Complete scanning result of "ssprs.dll", received in VirusTotal at 05.30.2007, 05:39:26 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.29.2007 no virus found
AVG 7.5.0.467 05.29.2007 no virus found
BitDefender 7.2 05.30.2007 no virus found
CAT-QuickHeal 9.00 05.29.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.29.2007 no virus found
eSafe 7.0.15.0 05.29.2007 no virus found
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.30.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.29.2007 no virus found
Kaspersky 4.0.2.24 05.30.2007 no virus found
McAfee 5041 05.29.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2296 05.29.2007 no virus found
Norman 5.80.02 05.29.2007 no virus found
Panda 9.0.0.4 05.30.2007 no virus found
Prevx1 V2 05.30.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.30.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.29.2007 no virus found
Webwasher-Gateway 6.0.1 05.30.2007 no virus found

Aditional Information
File size: 73 bytes
MD5: 4aa1108231e158a00afbde5c719e54ee
SHA1: 958a051c7f12ccf5739296b82b6b2091fb145d93

Neal · #9 (**permalink**) 30-05-2007, 06:40 PM

Do you have an anti-virus program? I don't see one!

That is a must have plus a firewall!

Pick one of the below, only one:

2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1

Avast: http://www.avast.com/eng/avast_4_home.html

Firewall, only one:

4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio
http://www.sunbelt-software.com/Kerio.cfm

Zone Labs Personal Firewall:
Zone Labs

Run a scan with your new anti-virus program and then:

You may want to printout the following instructions:

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to the words Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Click on Scanner on the toolbar at top of this screen.
- Click on the Settings tab.
  - Under How to act?
    - Click on Recommended Action and choose Quarantine from the popup menu.
  - Under How to scan?
    - All checkboxes should be ticked.
  - Under Possibly unwanted software:
    - All checkboxes should be ticked.
  - Under Reports:
    - Select Automatically generate report after every scan and uncheck Only if threats were found.
  - Under What to scan?
    - Select Scan every file.
- Close AVG Anti-Spyware without running yet.

Now disable (turn off AVG Anti-Spyware)

Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Note: If AVG Anti-Spyware screen does not fit your monitor screen Hold down the Alt button on keyboard then tap spacebar, menu should pop up then choose maximize. AVG Anti-Spyware screen should now fit to the screen a lot better.

Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.

IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button.(3)

When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop. I will need you to post this in your next reply.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

Post the AVG log and a new hijackthis log please.

Erich · #10 (**permalink**) 31-05-2007, 06:17 AM

AVG Anti-Spyware Report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:02:16 AM 5/31/2007

+ Scan result:

C:\System Volume Information\_restore{72F85FCA-D0AD-4E07-83A7-9DBD41C3FB36}\RP162\A0016205.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{72F85FCA-D0AD-4E07-83A7-9DBD41C3FB36}\RP160\A0016105.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).

::Report end

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:24 AM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\Erich\Desktop\hijackthis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)