I uninstalled all of the files. I still can't view webpages. The AVG software installs, but it won't run. VundoFix did not detect any infected files.
what does Step #5 tell you to do ??
These are the only two of the things you told me to post. There is no vundo.txt and the AVG software does not run. Also the ComboFix: I really don't think this is what you're looking for, but here it is, combofix.txt
"Gilbert" - 07-04-23 22:25:26 Service Pack 2
ComboFix 07-04-24.2V - Running from: "E:\Documents and Settings\Gilbert\Desktop\"
That's all it says. Here is the new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 12:54, on 07-04-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\savedump.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\WINDOWS\system32\spoolsv.exe
E:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1898BA93-760C-71FE-7561-7DB2181B84B9} - E:\WINDOWS\system32\zubipwqq.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - E:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - E:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {97216354-41F5-4AC9-860D-E1EC7D9DAD7B} - E:\Program Files\Windows NT\nipybaj.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ms054841610871] E:\WINDOWS\ms054841610871.exe
O4 - HKLM\..\Run: [ms041484161087] E:\WINDOWS\ms041484161087.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Elus] "E:\PROGRA~1\COMMON~1\SCURIT~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 802.11g USB adapter.lnk = E:\Program Files\11g USB adapter\Wifiusb.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: __c0067857 - E:\WINDOWS\system32\__c0067857.dat
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - E:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
I just found the Vundo text.
VundoFix V6.3.20
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 21:04:57 07-04-24
Listing files found while scanning....
No infected files were found.
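The HijackThis log above is read by hand in this thread. As an added example (not part of the original thread and not HijackThis code), the script below applies the same first-pass triage an analyst does: it parses the O2/O4/O20/O23 lines, flags registrations whose file is gone from disk, unnamed BHOs, autostarts launched straight out of the Windows directory, and a Winlogon Notify entry that loads something other than a DLL. The sample lines are constructed in the log's format and modelled on entries above; the allowlist of known system autostarts is an assumption kept deliberately short.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in HijackThis 1.99 format, modelled on the log above.
# They are embedded here so the example runs offline; they are not the full log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1898BA93-760C-71FE-7561-7DB2181B84B9} - E:\WINDOWS\system32\zubipwqq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ms054841610871] E:\WINDOWS\ms054841610871.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: __c0067857 - E:\WINDOWS\system32\__c0067857.dat
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption: a short allowlist of Windows components that legitimately autostart
# from the Windows directory; a real triage list would be much longer.
KNOWN_SYSTEM_AUTOSTART = {"ctfmon.exe"}

# Directories where an unknown autostart deserves a second look.
WINDOWS_DIRS = ("\\windows", "\\windows\\system32")

# First drive-letter path ending in a loadable-file extension on the line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^()]*?\.(?:exe|dll|dat|sys|ocx|com|scr)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str        # HijackThis section, e.g. "O4"
    line: str           # the log line as written
    reasons: list = field(default_factory=list)


def triage(log_text):
    """Return the log lines that warrant analyst attention, with the reason(s)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - ", line)
        if not m:
            continue
        section, lower, reasons = m.group(1), line.lower(), []

        # A registered module that is no longer on disk: leftover of a removed
        # component, or a sign that something deleted its own file.
        if "(file missing)" in lower or "(no file)" in lower:
            reasons.append("orphan registration, file not on disk")
        if section == "O2" and "(no name)" in lower:
            reasons.append("BHO registered without a name")

        pm = PATH_RE.search(line)
        if pm:
            directory, _, name = pm.group(0).rpartition("\\")
            directory, name = directory.lower(), name.lower()
            ext = name.rsplit(".", 1)[-1]
            if section in ("O4", "O20") and directory.endswith(WINDOWS_DIRS) \
                    and name not in KNOWN_SYSTEM_AUTOSTART:
                reasons.append("autostart launched directly from the Windows directory")
            if section == "O20" and ext != "dll":
                reasons.append("Winlogon Notify loads a non-DLL file (.%s)" % ext)

        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    -", r)
```

These are hints, not verdicts: an orphan entry should be checked on disk before anything is deleted, and the two avast! scanner O23 lines in the log above, whose paths contain a stray closing quote, look like a log-parser artifact rather than a removed service and would need the same verification.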
I still need to see a few logs:
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, DSS will open two Notepads: main.txt and extra.txt
- Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Both txt files will be found here : C:\Deckard\System Scanner
I'm having the same problem with DSS as I had with AVG. I get an error message saying that it failed to initialize properly.
Are you sure you cannot post Combofix.txt?
It's located right on your C:\ drive.
The size of it should be more than 11 KB.
Thanks
ComboFix doesn't work. It only works halfway: it goes to reboot my computer, and then when it comes back on, it can't complete, and the program shuts down. Hence, no combofix.txt.
Before we start to do anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
- Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan tab" and UNcheck "Heuristic analysis"
- Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
- Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
- When done, a message will be displayed at the bottom advising if any viruses were found.
- Click "Yes to all" if it asks if you want to cure/move the file.
- When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured.)
- Next, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
- Save the DrWeb.csv report to your desktop.
- Exit Dr.Web Cureit when done.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Some of these came from my other hard drive. NOTE: I can NOT view web pages via any browser. I HAVE a connection, and I can go on AOL and check mail and instant message, but I cannot view websites.
ms041484161087.exe;e:\windows;BackDoor.Generic.1372;Deleted.;
ms054841610871.exe;e:\windows;BackDoor.Generic.1372;Deleted.;
__c0067857.dat;e:\windows\system32;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;
ip6fw.sys;e:\windows\system32\drivers;BackDoor.Bulknet;Deleted.;
windev-5e0b-3dee.sys;e:\windows\system32;BackDoor.Groan;Deleted.;
1.exe;C:\;Trojan.DownLoader.21527;Deleted.;
cp1041.nls;C:\;Trojan.Spambot;Deleted.;
sstray.exe;C:\;Trojan.PWS.LDPinch.1607;Deleted.;
svhost.exe;C:\;Trojan.DownLoader.14427;Deleted.;
A0013304.exe;C:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;Trojan.DownLoader.21527;Deleted.;
A0013305.exe;C:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;Trojan.PWS.LDPinch.1607;Deleted.;
A0013306.exe;C:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;Trojan.DownLoader.14427;Deleted.;
137.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.91;Deleted.;
18.tmp;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Spambot;Deleted.;
2.dllb;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.103;Deleted.;
2B.tmp;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.DownLoader.21530;Deleted.;
6.dllb;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.103;Deleted.;
7.dllb;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.103;Deleted.;
88.tmp;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Spambot;Deleted.;
8E.tmp;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Spambot;Deleted.;
temp.fr2DA1;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Juan;Deleted.;
tmp10.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Virtumod;Deleted.;
tmp12.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.49;Deleted.;
tmp1B.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.DownLoader.19433;Deleted.;
tmp2B.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.DownLoader.19433;Deleted.;
tmp2E.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.49;Deleted.;
tmp5B.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.DownLoader.19433;Deleted.;
tmp76.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;BackDoor.Iterator;Deleted.;
tmpB3.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.49;Deleted.;
tmpBE.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.49;Deleted.;
tmpD.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Packed.49;Deleted.;
tullbar.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.DownLoader.21526;Deleted.;
137.exe;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.91;Deleted.;
15.exe;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Spambot;Deleted.;
2.dllb;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
6.dllb;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
7.dllb;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
89.tmp;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Spambot;Deleted.;
8C.tmp;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Spambot;Deleted.;
qv3xt3.game;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.MulDrop.5845;Deleted.;
stdrun10.exe;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
stdrun12.exe\data001;E:\Documents and Settings\LocalService\Local Settings\Temp\stdrun12.exe;Trojan.Spambot;;
stdrun12.exe\data002;E:\Documents and Settings\LocalService\Local Settings\Temp\stdrun12.exe;Trojan.Packed.91;;
stdrun12.exe;E:\Documents and Settings\LocalService\Local Settings\Temp;Archive contains infected objects;Moved.;
v4x3.ga2me;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.DownLoader.21526;Deleted.;
v6xt4.game;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.38;Deleted.;
vx3t2.game;E:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
winig[2].exe;E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\A31JZ3AW;Trojan.Spambot;Deleted.;
ztool4[1];E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\AAKGKPIC;Trojan.Packed.38;Deleted.;
cent[1].exe;E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YRBIIOCD;Trojan.Packed.104;Deleted.;
zgame1[2];E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YRBIIOCD;BackDoor.Uragan;Deleted.;
137.exe;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Packed.91;Deleted.;
15.exe;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Spambot;Deleted.;
8B.tmp;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Spambot;Deleted.;
8D.tmp;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Spambot;Deleted.;
qv3xt3.game;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.MulDrop.5845;Deleted.;
stdrun20.exe;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
stdrun21.exe;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
stdrun24.exe\data001;E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun24.exe;Trojan.Spambot;;
stdrun24.exe\data002;E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun24.exe;Trojan.Packed.91;;
stdrun24.exe;E:\Documents and Settings\NetworkService\Local Settings\Temp;Archive contains infected objects;Moved.;
stdrun25.exe\data001;E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun25.exe;Trojan.Spambot;;
stdrun25.exe\data002;E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun25.exe;Trojan.Packed.91;;
stdrun25.exe;E:\Documents and Settings\NetworkService\Local Settings\Temp;Archive contains infected objects;Moved.;
v4x3.ga2me;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.DownLoader.21526;Deleted.;
v6xt4.game;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Packed.38;Deleted.;
vx3t2.game;E:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Packed.103;Deleted.;
winig[2].exe;E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DQNGT6J;Trojan.Spambot;Deleted.;
ztool4[2];E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\MGUJPLI3;Trojan.Packed.38;Deleted.;
loader[1].exe;E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\SP63G1QR;Trojan.MulDrop.5845;Deleted.;
zgame1[4];E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\W52BO9UR;BackDoor.Uragan;Deleted.;
winig[1].exe;E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8P2VW5ER;Trojan.Spambot;Deleted.;
ztool4[1];E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8P2VW5ER;Trojan.Packed.38;Deleted.;
zgame1[2];E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QG54QH3K;BackDoor.Uragan;Deleted.;
GTDownAO_106.ocx;E:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
ipwins.dll.vir;E:\QooBox\Quarantine\E\Program Files\Ipwindows;Trojan.Rond;Deleted.;
ipwins.exe.vir;E:\QooBox\Quarantine\E\Program Files\Ipwindows;Trojan.Rond;Deleted.;
UnInstall.exe.vir;E:\QooBox\Quarantine\E\Program Files\Ipwindows;Trojan.Rond;Deleted.;
1.exe.vir;E:\QooBox\Quarantine\E\WINDOWS;Trojan.DownLoader.21527;Deleted.;
cfg32a.exe.vir\data001;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir;Adware.BookedSpace;;
cfg32a.exe.vir\data002;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir;Adware.BookedSpace;;
data003\data001;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir\data003;Adware.BookedSpace;;
data003\data002;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir\data003;Adware.BookedSpace;;
data003\data003;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir\data003;Adware.BookedSpace;;
data003;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir;Archive contains infected objects;;
cfg32a.exe.vir\data004;E:\QooBox\Quarantine\E\WINDOWS\cfg32a.exe.vir;Adware.BookedSpace;;
cfg32a.exe.vir;E:\QooBox\Quarantine\E\WINDOWS;Archive contains infected objects;Moved.;
SVCHOST.EXE.vir;E:\QooBox\Quarantine\E\WINDOWS;Trojan.PWS.LDPinch.1607;Deleted.;
updater.exe.vir;E:\QooBox\Quarantine\E\WINDOWS;Trojan.DownLoader.20279;Deleted.;
cent.exe.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.103;Deleted.;
ddabb.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
dlh9jkd1q6.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.103;Deleted.;
dlh9jkd1q7.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.103;Deleted.;
gaqhrsxs.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
iifdbcb.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ksys.sys.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Netpas;Deleted.;
nbtkmxmmx.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Vqten;Deleted.;
pdp.exe.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.103;Deleted.;
pgoem.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Vqten;Deleted.;
qqbgiuid.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
qvxga6met3.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.MulDrop.5845;Deleted.;
rpcc.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Spambot;Deleted.;
spoolsvv.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.91;Deleted.;
thqwamausyw.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Vqten;Deleted.;
tmpD.tmp.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Juan;Deleted.;
uvnx.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.DownLoader.21530;Deleted.;
vexg4am1et2.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.103;Deleted.;
vexga5me3.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.DownLoader.21526;Deleted.;
xhmawpft.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ndis.sys.vir;E:\QooBox\Quarantine\E\WINDOWS\system32\drivers;Trojan.Spambot;Deleted.;
A0001006.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0001023.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Netpas;Deleted.;
A0002007.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0002017.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Netpas;Deleted.;
A0002038.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0003037.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0004039.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0004046.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Netpas;Deleted.;
A0004051.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Groan;Deleted.;
A0005035.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0006035.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0007035.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;BackDoor.Bulknet;Deleted.;
A0007177.exe\data001;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe;Adware.BookedSpace;;
A0007177.exe\data002;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe;Adware.BookedSpace;;
data003\data001;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe\data003;Adware.BookedSpace;;
data003\data002;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe\data003;Adware.BookedSpace;;
data003\data003;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe\data003;Adware.BookedSpace;;
data003;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe;Archive contains infected objects;;
A0007177.exe\data004;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1\A0007177.exe;Adware.BookedSpace;;
A0007177.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Archive contains infected objects;Moved.;
A0007180.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Packed.103;Deleted.;
A0007181.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Packed.103;Deleted.;
A0007183.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.MulDrop.5845;Deleted.;
A0007184.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Packed.103;Deleted.;
A0007186.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.DownLoader.21526;Deleted.;
A0007187.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.DownLoader.21527;Deleted.;
A0007189.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Packed.103;Deleted.;
A0007190.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Packed.103;Deleted.;
A0007193.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.DownLoader.20279;Deleted.;
A0007195.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Juan;Deleted.;
A0007196.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Rond;Deleted.;
A0007197.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Rond;Deleted.;
A0007198.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Rond;Deleted.;
A0007200.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Netpas;Deleted.;
A0007202.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Spambot;Deleted.;
A0007203.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Packed.91;Deleted.;
A0007204.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.DownLoader.21530;Deleted.;
A0007208.EXE;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.PWS.LDPinch.1607;Deleted.;
A0007211.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Vqten;Deleted.;
A0007212.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Vqten;Deleted.;
A0007213.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Vqten;Deleted.;
A0007214.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Virtumod;Deleted.;
A0007215.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Virtumod;Deleted.;
A0007216.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Virtumod;Deleted.;
A0007222.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Spambot;Deleted.;
A0007296.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Virtumod;Deleted.;
A0007297.dll;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP1;Trojan.Virtumod;Deleted.;
A0008393.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP2;Trojan.Packed.103;Deleted.;
A0008395.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP2;Trojan.Packed.103;Deleted.;
A0013300.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;BackDoor.Generic.1372;Deleted.;
A0013301.exe;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;BackDoor.Generic.1372;Deleted.;
A0013302.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;BackDoor.Bulknet;Deleted.;
A0013303.sys;E:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;BackDoor.Groan;Deleted.;
cent.exe;E:\WINDOWS\system32;Trojan.Packed.104;Deleted.;
lsasss.exe;E:\WINDOWS\system32;Trojan.DownLoader.19701;Deleted.;
mljjk.exe;E:\WINDOWS\system32;Trojan.Packed.49;Deleted.;
ws2_32.dll:fork2;E:\WINDOWS\system32;Trojan.MulDrop.5876;Deleted.;
lsasss.exe;E:\WINDOWS\system32\bak;Trojan.DownLoader.19701;Deleted.;
f1.exe;E:\WINDOWS\system32\micro1;Adware.NewDotNet;Incurable.Moved.;
137.exe;E:\WINDOWS\Temp;Trojan.Packed.91;Deleted.;
2.dllb;E:\WINDOWS\Temp;Trojan.Packed.103;Deleted.;
5.dllb;E:\WINDOWS\Temp;Trojan.Packed.64;Deleted.;
6.dllb;E:\WINDOWS\Temp;Trojan.Packed.103;Deleted.;
7.dllb;E:\WINDOWS\Temp;Trojan.Packed.103;Deleted.;
8A.tmp;E:\WINDOWS\Temp;Trojan.Spambot;Deleted.;
qv3xt3.game;E:\WINDOWS\Temp;Trojan.MulDrop.5845;Deleted.;
stdrun10.exe;E:\WINDOWS\Temp;Trojan.Packed.103;Deleted.;
stdrun11.exe\data001;E:\WINDOWS\Temp\stdrun11.exe;Trojan.Spambot;;
stdrun11.exe\data002;E:\WINDOWS\Temp\stdrun11.exe;Trojan.Packed.91;;
stdrun11.exe;E:\WINDOWS\Temp;Archive contains infected objects;Moved.;
v4x3.ga2me;E:\WINDOWS\Temp;Trojan.DownLoader.21526;Deleted.;
v5x2.g3ame;E:\WINDOWS\Temp;Trojan.DownLoader.20822;Deleted.;
v5x4.ga2me;E:\WINDOWS\Temp;Trojan.DownLoader.14813;Deleted.;
v6xt4.game;E:\WINDOWS\Temp;Trojan.Packed.38;Deleted.;
vx3t2.game;E:\WINDOWS\Temp;Trojan.Packed.103;Deleted.;
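The Dr.Web report above is a semicolon-separated list (name;directory;verdict;action;), and reading 180 rows by eye is how things get missed. As an added example (not part of the original thread and not Dr.Web code), the parser below loads that layout and separates what matters: objects that were live on the running system versus copies sitting in System Restore points, ComboFix's QooBox quarantine or temp folders; items Dr.Web could not cure and will only move after a reboot; and detections in NTFS alternate data streams, which the report writes as host:stream (the ws2_32.dll:fork2 row above is one). The sample rows are constructed in the report's format and modelled on rows above; the location buckets are this example's own triage scheme, not Dr.Web's.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample rows in Dr.Web CureIt's report layout (name;directory;verdict;action;),
# modelled on the report above; embedded so the example runs offline.
SAMPLE_REPORT = r"""ms041484161087.exe;e:\windows;BackDoor.Generic.1372;Deleted.;
__c0067857.dat;e:\windows\system32;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;
ip6fw.sys;e:\windows\system32\drivers;BackDoor.Bulknet;Deleted.;
ws2_32.dll:fork2;E:\WINDOWS\system32;Trojan.MulDrop.5876;Deleted.;
tmp10.tmp.exe;E:\Documents and Settings\Gilbert\Local Settings\Temp;Trojan.Virtumod;Deleted.;
stdrun12.exe\data001;E:\Documents and Settings\LocalService\Local Settings\Temp\stdrun12.exe;Trojan.Spambot;;
stdrun12.exe;E:\Documents and Settings\LocalService\Local Settings\Temp;Archive contains infected objects;Moved.;
A0013304.exe;C:\System Volume Information\_restore{26F6AD87-280B-43EB-A6B9-0FF6518CA09A}\RP3;Trojan.DownLoader.21527;Deleted.;
ipwins.dll.vir;E:\QooBox\Quarantine\E\Program Files\Ipwindows;Trojan.Rond;Deleted.;
"""


@dataclass
class Detection:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def full_path(self):
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def archive_member(self):
        # "outer.exe\data001": an object inside an archive/dropper, reported
        # separately from the container that is actually acted on.
        return "\\" in self.name

    @property
    def in_ads(self):
        # "host.dll:stream": an NTFS alternate data stream attached to a file.
        # The name field never carries a drive-letter colon, so ':' is unambiguous here.
        return ":" in self.name

    @property
    def pending_reboot(self):
        return "after reboot" in self.action.lower()


def parse_report(text):
    """Parse the semicolon-separated report into Detection records."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        name, directory, verdict, action = (c.strip() for c in row[:4])
        rows.append(Detection(name, directory, verdict, action))
    return rows


def classify_location(path):
    # Assumption: these buckets are this example's triage scheme, not Dr.Web's.
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore_point"          # System Restore copies; flushed by resetting SR
    if "\\qoobox\\" in p:
        return "combofix_quarantine"    # already quarantined by ComboFix
    if "\\temp" in p:                   # ...\Temp and ...\Temporary Internet Files
        return "temp"
    return "live_system"                # was on the running system: highest interest


def summarize(detections):
    """Counts by action, family and location, plus the rows that still need follow-up."""
    live = [d for d in detections if not d.archive_member]
    return {
        "total": len(detections),
        "actions": Counter(d.action.split(".")[0] for d in live),
        "families": Counter(d.verdict.split(".")[0] for d in detections),
        "location": dict(Counter(classify_location(d.full_path) for d in live)),
        "pending_reboot": [d.full_path for d in live if d.pending_reboot],
        "ads": [d.full_path for d in live if d.in_ads],
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for key, value in report.items():
        print(key, ":", value)
```

Two things the summary makes visible that a flat list does not: the box is not clean until the "Will be moved after reboot" items have actually gone (which is why the instructions above insist on a reboot), and the restore-point hits are copies Windows will happily restore, which is why the System Restore flush appears in the next set of steps. Several live-system rows sit on networking components (a stream on ws2_32.dll, ndis.sys and ip6fw.sys in the full report), which an analyst would want to cross-check against the "can't view web pages" symptom rather than assume anything from the names alone.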
Very good, there are a few things we still have to do.
Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! I Suggest you print these Instructions out.
Step #1
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum.)
- Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.
Step #2
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Step #3
Download FindAWF.exe and save it to your desktop.
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
- It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
Step #4
Download GMER and unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
Step #5
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Please run Deckard's System Scanner again, this time using these instructions (provided dss.exe is on your desktop):
- Click the Windows 'Start' button > Select 'Run', then copy/paste this into the run box & click OK:
"%userprofile%\desktop\dss.exe" /config
- Click Scan!
- When finished, it shall produce 2 different logfiles for you; please post them in your next reply.
Step #5
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
Step #6
- Open HijackThis
- Click Config
- Click Misc Tools
- Click "Open Uninstall Manager"
- Click "Save List" (generates uninstall_list.txt)
- Click Save, copy and paste the results in your next post.
Step #7
In your next reply, please post the following logfiles:
- Vundofix.txt
- Gmer Report
- SDFix Report
- Uninstall List
- Main.txt
- Extra.txt
- AWF.txt
Let me know if things are running better now.
Hello there.
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
Step #1
Do you Recognize these files?
If not, remove them:
F:\SETUP.EXE
G:\Setup.exe
J:\RunGame.exe
K:\RunGame.exe
L:\RunGame.exe
M:\RunGame.exe
N:\RunGame.exe
O:\RunGame.exe
Step #2
Please go Here to see how to show hidden files in windows.
Now, using Windows Explorer (to get there, right-click your Start button and go to "Search"), please search for this file and delete it (if present):
RavMon.exe
Step #3
Go to Virustotal
Copy the following to the box next to "Browse" button:
- C:\WINDOWS\system32\__c00253A6.dat
Click on Send, Wait for the scan to end.
Go to Virustotal
Copy the following to the box next to "Browse" button:
- C:\WINDOWS\System32\__c00C1F23.dat
Click on Send, Wait for the scan to end.
Go to Virustotal
Copy the following to the box next to "Browse" button:
- C:\WINDOWS\system32\__c00FF92D.dat
Click on Send, Wait for the scan to end.
Step #4
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Next, please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files" and save it as fixthis.bat on your Desktop.
Double-click on fixthis.bat.
@echo off
rem Clear the system/read-only/hidden attributes first, otherwise del refuses the file.
attrib -s -r -h "E:\WINDOWS\system32\wnscpisv.exe"
del /q "E:\WINDOWS\system32\wnscpisv.exe"
attrib -s -r -h "E:\WINDOWS\system32\icmp32.exe"
del /q "E:\WINDOWS\system32\icmp32.exe"
attrib -s -r -h "E:\WINDOWS\system32\zubipwqq.dll"
del /q "E:\WINDOWS\system32\zubipwqq.dll"
attrib -s -r -h "E:\WINDOWS\system32\vtsqoll.dll"
del /q "E:\WINDOWS\system32\vtsqoll.dll"
attrib -s -r -h "E:\WINDOWS\cfg32r.dll"
del /q "E:\WINDOWS\cfg32r.dll"
rem Directories: strip attributes from the contents, delete them, then remove the folder.
rem Paths are quoted so names containing spaces are passed as one argument.
attrib -r -h "C:\WINDOWS\system32\micro1\*.*"
del /a /f /q "C:\WINDOWS\system32\micro1\*.*"
RD /s /q "C:\WINDOWS\system32\micro1"
attrib -r -h "C:\WINDOWS\system32\kr_done1\*.*"
del /a /f /q "C:\WINDOWS\system32\kr_done1\*.*"
RD /s /q "C:\WINDOWS\system32\kr_done1"
attrib -r -h "E:\PROGRAM FILES1\Ofb11\*.*"
del /a /f /q "E:\PROGRAM FILES1\Ofb11\*.*"
RD /s /q "E:\PROGRAM FILES1\Ofb11"
attrib -r -h "C:\WINDOWS\system32\Windows NT\*.*"
del /a /f /q "C:\WINDOWS\system32\Windows NT\*.*"
RD /s /q "C:\WINDOWS\system32\Windows NT"
exit
A window will open and close this is normal.
Step #5
Please open HiJackThis and scan. Check the boxes next to all the entries listed below:
O2 - BHO: (no name) - {1898BA93-760C-71FE-7561-7DB2181B84B9} - E:\WINDOWS\system32\zubipwqq.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - E:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - E:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: __c0067857 - E:\WINDOWS\system32\__c0067857.dat (file missing)
Step #6
Download ATF-Cleaner by Atribune to your desktop.
Do not run it yet.
Run ATF-Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Step #7
Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report and a fresh Main.txt Logfile.
Let me know how things are running now.