Ad-aware not working



#1 Mitch (Member, 30 posts)

Posted 14 June 2006 - 07:58 AM

Hello There,

Can somebody help me out?

I ran my Norton Antivirus, ewido, Trend Micro and Microsoft scanners and they all cleaned off a ton of viruses and spyware, but when I run my Ad-aware it freezes up after a few seconds... hmmm... so I decided to run a HijackThis log to see if there is something else on my computer that may be causing this problem.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:48:04 AM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\SYSWB6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Winkb6.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.c...0409&os=5&src=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: (no name) - {58800204-a2b3-4536-b87a-04997d4228a4} - C:\WINDOWS\system32\avtmos.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\ddcyv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O20 - Winlogon Notify: avtmos - C:\WINDOWS\SYSTEM32\avtmos.dll
O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\SYSTEM32\ddcyv.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: sstts - sstts.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you for your help,
Mitch :)

#2 stitch1 (Member, 59 posts, Location: merry green isle!!)

Posted 14 June 2006 - 08:43 AM

I didn't look at the HJT log, but try the trial version of "Xoftspy"; it's a brilliant little piece of software that will find everything bad on your system.

I found advice to try it in another forum and I found infections on my system that nothing else would find! There is no need to uninstall Ad-aware to use it and there is no need to buy it if you don't like it.

Wait until a Forum Staff Member or a Member of the Trusted HJT Advisor Group has reviewed and approved any advice given here before proceeding any further...... Jacee
http://forums.pcpits...howtopic=101899

Edited by Jacee, 14 June 2006 - 10:23 AM.


#3 Mitch (Member, 30 posts)

Posted 18 June 2006 - 02:30 PM

Hello, I wanted to add another comment to my previous HijackThis log. I downloaded and installed the Trend Micro PC-cillin AV, AS, AHacker software and it found two viruses that it cannot delete, but it did give me the names of them. They are called (Trojan) Conhook.AH, and it is under C:\windows\system32\AVTMOS.dll, and the second one is called (Trojan) Conhook.H, and it is under C:\windows\system32\ddcyv.dll. Can you help me delete these off of my computer? Thanks, Mitch :)

#4 pskelley (Trusted Malware Techs, 1,767 posts, Location: Clearwater, Florida)
In Remembrance ..Rest in Peace Phil

Posted 18 June 2006 - 03:11 PM

Hi Mitch, sorry about the wait. Another member decided to change your post count and it looked like you were being helped.

I want to make sure you know you have these installed: C:\WINDOWS\system32\SYSWB6.exe and C:\WINDOWS\system32\Winkb6.exe. They seem to deal with parental software. I would also like to make sure you placed these in your Hosts file:
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com

You have a nasty Vundo infection, looks like two of them, please follow the instructions here:

http://www.atribune....tent/view/24/2/ Once that is done, then do this:


(some items may be gone, removed by VundoFix so do not be concerned, just do not miss any)

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: (no name) - {58800204-a2b3-4536-b87a-04997d4228a4} - C:\WINDOWS\system32\avtmos.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: avtmos - C:\WINDOWS\SYSTEM32\avtmos.dll
O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\SYSTEM32\ddcyv.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: sstts - sstts.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders... reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Post a new HJT log along with any comments you think will help. This is a start and we may well have more work to do??

Your Java program is outdated and speculation is that this is how Vundo is getting in:
C:\Program Files\Java\j2re1.4.2\bin\ <<< outdated. Use the information in this link to fix that security breach:
http://forums.spybot...880&postcount=2

Thanks...pskelley
Trusted HJT Advisor
PCPitStop forum
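The checks pskelley applies by eye in the post above (a BHO with "(no name)", a Winlogon Notify key whose DLL is "(file missing)", and the same DLL registered both as a BHO and as a Winlogon Notify handler) can be written down as code. The script below is an added example and is not part of the original thread, of HijackThis or of any of the tools named here. It parses the O1, O2 and O20 lines of an HJT log and reports which entries deserve a look. The sample lines are copied from the first log in this thread and trimmed; the allowlist of default Winlogon Notify handlers is an assumption about Windows XP SP2 and should be adjusted for other builds.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the O1, O2 and O20 lines quoted from the first log in
# this thread, with the Adobe BHO and the Intel igfxcui handler left in as
# benign controls. It is not a complete HijackThis log.
SAMPLE_LOG = r"""
O1 - Hosts: 204.244.184.143 SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: (no name) - {58800204-a2b3-4536-b87a-04997d4228a4} - C:\WINDOWS\system32\avtmos.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: avtmos - C:\WINDOWS\SYSTEM32\avtmos.dll
O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\SYSTEM32\ddcyv.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: sstts - sstts.dll (file missing)
"""

# Assumed allowlist (not from the thread): the Winlogon Notify handlers that
# ship with Windows XP SP2, plus Intel's igfxcui which this log shows as benign.
# A key outside this set means "verify the publisher", not "malicious".
KNOWN_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui",
}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
MISSING = " (file missing)"


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section: O1, O2 or O20
    subject: str   # DLL basename, Notify key name, or hosts entry
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (or a bare DLL name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text: str) -> list[Finding]:
    """Apply the advisor's checks to the O1/O2/O20 lines of an HJT log."""
    bhos, notifies, hosts = [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2" and (b := BHO_RE.match(body)):
            bhos.append(b.groupdict())
        elif section == "O20" and (n := NOTIFY_RE.match(body)):
            notifies.append(n.groupdict())
        elif section == "O1" and (h := HOSTS_RE.match(body)):
            hosts.append(h.groupdict())

    findings: list[Finding] = []
    bho_dlls = {basename(b["path"]) for b in bhos}

    for b in bhos:
        # A BHO loads into every Internet Explorer process; one that registers
        # no display name gives you nothing to identify it by except the file.
        if b["name"] == "(no name)":
            findings.append(Finding("O2", basename(b["path"]),
                                    "BHO registered without a name; identify the DLL before trusting it"))

    for n in notifies:
        key, path = n["key"], n["path"]
        if path.endswith(MISSING):
            # The registry key survived but the DLL is gone: a stale registration.
            findings.append(Finding("O20", key,
                                    "Winlogon Notify key points at a DLL that no longer exists"))
        elif basename(path) in bho_dlls:
            # The same DLL is registered both as a BHO and as a Winlogon Notify
            # handler, so winlogon.exe loads it at every logon as well as the
            # browser: the pairing the advisor attributes to Vundo.
            findings.append(Finding("O20", key,
                                    "same DLL is both a BHO and a Winlogon Notify handler"))
        elif key.lower() not in KNOWN_NOTIFY_KEYS:
            findings.append(Finding("O20", key,
                                    "unrecognised Winlogon Notify handler; verify the publisher"))

    for h in hosts:
        # Hosts overrides are legitimate only if the user put them there.
        findings.append(Finding("O1", f"{h['ip']} {h['host']}",
                                "hosts file override; confirm it was added deliberately"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject:<28} {f.reason}")
```

Run it as-is and it lists the five Winlogon Notify keys and two unnamed BHOs that pskelley asked Mitch to fix, leaves the Adobe BHO and Intel's igfxcui alone, and reports the SafeWeb hosts entries as something to confirm rather than remove. Point it at a full saved log by replacing SAMPLE_LOG with the file's contents; lines in other sections are ignored.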

#5 Mitch (Member, 30 posts)

Posted 19 June 2006 - 12:00 AM

Hello Kelly,
Thank you for the help.

I did what you said.

After uninstalling the older version of Java, I decided not to reinstall the newer version just yet. By the way, do I really need to install Java?

The answer to your question about the SYSWB6 and Winkb6 is that I had that installed to filter out bad websites. It is called WE-Blocker and it is free. By the way, what is a Hosts file?

The only two line items that I couldn't check off to "fix" when I did a HijackThis scan were the ATLDistrib Object and the Winlogon Notify: gebyw - C:\Windows\system32\gebyw.dll

Anyway, here is the updated HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:56 AM, on 6/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\Winkb6.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.c...0409&os=5&src=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {58800204-a2b3-4536-b87a-04997d4228a4} - C:\WINDOWS\system32\avtmos.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\ddcyv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: avtmos - C:\WINDOWS\SYSTEM32\avtmos.dll
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\SYSTEM32\ddcyv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks,
Mitch

P.S. - I forgot to tell you that when I did the CCleaner thing, they found 218 items to repair but they would only fix 20 items without making me pay, so I only did 20 items.

Plus it looks like I still have the viruses even after I "fixed" them with the HijackThis scan..... hmmmm.... but my Trend Micro AV software is no longer freaking out like before, so my computer is acting like they have been removed... hmmm... strange.

Edited by Mitch, 19 June 2006 - 12:10 AM.


#6 pskelley (Trusted Malware Techs, 1,767 posts, Location: Clearwater, Florida)

Posted 19 June 2006 - 02:20 PM

After uninstalling the older version of Java, I decided not to reinstall the newer version just yet. By the way, do I really need to install Java?

That would be up to you; a lot of things are not going to work without either the Microsoft® Java Virtual Machine (MSJVM) or the Sun Microsystems software. Read about it in these links:
http://www.microsoft.com/mscorp/java/
http://www.sun.com/java/

P.S. - I forgot to tell you that when I did the CCleaner thing, they found 218 items to repair but they would only fix 20 items without making my pay so I only did 20 items

CCleaner is free, I use it on three machines all of the time. I have no idea what choices you made when downloading to get it to ask you to pay? Try removing it and downloading it again.

Here is a nice cleaning tool if you want to try it, download link and screenshots of the tool are here:
http://www.atribune....?showtopic=1332


The two lines you mentioned were the Vundo trojan, and I was hoping VundoFix would also remove:

O2 - BHO: (no name) - {58800204-a2b3-4536-b87a-04997d4228a4} - C:\WINDOWS\system32\avtmos.dll
O20 - Winlogon Notify: avtmos - C:\WINDOWS\SYSTEM32\avtmos.dll


O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\SYSTEM32\ddcyv.dll

These are trojans, no doubt. The first one does not even identify; the second is: http://se.trendmicro...=TROJ_CONHOOK.H
and Trend offers removal instructions if you want to try them??

I would like to see if the free trial version of SpySweeper will remove them. Hard to find the free trial version, use this link:
http://www.webroot.c...er/latestv.html
scroll all the way down until you see: Spy Sweeper 4.5 - Free Trial
Then use these instructions:
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread.

also post a new HJT log.

Thanks.

#7 Mitch (Member, 30 posts)

Posted 24 June 2006 - 09:02 PM

Hello pskelley, I tried to do what you said but my Internet Explorer is completely shut down now. So I used my other computer to go to the Trend Micro website to get directions on how to get rid of this virus. My question is: when they (Trend) say to type in the "malware file name" to be deleted, what does the malware file name look like exactly? Can you give me an example please? Thanks, Mitch :)

#8 Mitch (Member, 30 posts)

Posted 25 June 2006 - 06:36 AM

Hello pskelley, I forgot to mention that when I tried to click on your link to Webroot my safety filter blocked it, so I uninstalled it (WE-Blocker), and when I did that my Internet Explorer shut down completely. So I tried to get to the Webroot link from my other computer, but I first just turned off the WE-Blocker and that also shut down my Internet Explorer?? I don't understand why that happened? hmmmm..... Mitch :)

#9 pskelley (Trusted Malware Techs, 1,767 posts, Location: Clearwater, Florida)

Posted 25 June 2006 - 06:38 AM

Hey Mitch, sorry you are having so many problems. There are lots of good tools, but if you can't use them?

> I tried to do what you said but my Internet Explorer is completely shut down now

In the event these infections have corrupted or deleted a necessary file, try running system file checker. Have your Windows CD handy in the event the file can't be located on the computer.
http://www.updatexp....cannow-sfc.html

When Trend is asking for the file name, it wants the complete path of the file. This is an example: C:\WINDOWS\SYSTEM32\avtmos.dll

Let me know if I can help more, you can get a quick PM to me here:
http://forums.pcpits...?showuser=24733

Thanks...Phil

#10 pskelley (Trusted Malware Techs, 1,767 posts, Location: Clearwater, Florida)

Posted 25 June 2006 - 06:50 AM

Sorry Mitch, but I have no knowledge of the WE-Blocker, but it sure sounds like it is involved in your trouble with Internet Explorer.
Here is a little info from CastleCops: http://www.castlecop...plist-4400.html and the website: http://weblocker.fameleads.com/
http://weblocker.fam...pport/index.asp <<< there is a toll-free number near the bottom. As I said, I have not seen this software installed before. You might want to query tech support about the issues it is causing.

I will also suggest that I am trying to find a program that will remove the balance of your malware. If you can't get SpySweeper, then try the new ewido 30-day trial. It will work best if run in Safe Mode.

ewido 4.0 instructions by rstones

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
Restart so the changes can be made and post the ewido scan report and a new HJT log.

Hope this helps...Phil

#11 pskelley (Trusted Malware Techs, 1,767 posts, Location: Clearwater, Florida)

Posted 02 July 2006 - 03:40 PM

No response from this member since 7:50am Sun Jun 25 2006. Topic is closed. Thanks...pskelley
