djcfp (join: 2001-02-04, Atascadero, CA), reply to TheJoker
Re: HJT Log - Winfixer 2005 will not stay away
Okay, I followed the steps in your last reply and here are the results of the scans:

Activescan:
Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20050922-134457-263.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:03:41 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - bin.mcafee.com/molbin/Shared/Com···,22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net/7/1540/52/200···nfo.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com/molbin/share···0,0,99/mcinsctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupda···ls/en/x86/client/wuweb_site.cab?1120431258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - download.mcafee.com/molbin/share···0,0,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Vundofix:
Could not delete file. Files Deleted sucessfully.

TheJoker (Premium, VIP, MVM; join: 2001-04-26, Alexandria, VA), reply to djcfp
Let's try one more time. If it doesn't work, we'll try another method. Now that there is only one set of entries for Vundo, it may work better.

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

* Once in Safe Mode, using Windows Explorer, locate and delete the following files:
C:\HJT\backups\backup-20050922-091542-924.dll
C:\WINDOWS\dhdomp1.bin
* Open the VundoFix folder and double-click on KillVundo.bat.
* You will first be presented with a warning and a list of forums to seek help at. It should look like this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
* At this point press Enter one time.
* Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\SYSTEM32\ddcax.dll
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\SYSTEM32\xacdd.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run, then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
* After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
* Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
* Once your machine reboots, please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
-- Proud ASAP member since 2005
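To show why the fix above targets the O2 and O20 lines together and what the scanner result adds, here is an added Python example (not from this thread, HijackThis or VundoFix): it parses constructed log lines in the same shape as the posted log, flags a DLL that is registered both as an IE BHO (O2) and as a Winlogon Notify handler (O20), cross-checks it against an uncleaned scanner hit, and derives the reversed-name companion pattern the VundoFix step asks for. The sample lines and function names are my own.

```python
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted above (not the full log).
SAMPLE_HJT = """\
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\\WINDOWS\\system32\\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: ddcax - C:\\WINDOWS\\system32\\ddcax.dll
"""
# Constructed sample in the shape of the Panda ActiveScan result above.
SAMPLE_SCAN = """\
Spyware:Spyware/Virtumonde No disinfected C:\\WINDOWS\\system32\\ddcax.dll
Virus:Eicar.Mod No disinfected C:\\Program Files\\PestPatrol\\Help.chm[HowCanITestDetection.html]
"""

def dll_of(payload):
    """In O2 and O20 entries the DLL path is the last ' - ' separated field."""
    return payload.rsplit(" - ", 1)[-1].strip().lower()

def find_vundo_pairs(log_text):
    """DLLs registered both as an IE BHO (O2) and as a Winlogon Notify handler (O20):
    the same-file pairing the thread's fix removes with FIX CHECKED."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        section, _, payload = line.strip().partition(" - ")
        if section in ("O2", "O20"):
            seen[dll_of(payload)].add(section)
    return sorted(dll for dll, secs in seen.items() if secs == {"O2", "O20"})

def undisinfected_hits(scan_text):
    """Paths the scanner detected but could not clean ('No disinfected')."""
    hits = {}
    for line in scan_text.splitlines():
        if " No disinfected " in line:
            name, path = line.split(" No disinfected ", 1)
            hits[path.strip().lower()] = name
    return hits

def corroborated(log_text, scan_text):
    """Paired DLLs that an uncleaned scanner hit also names."""
    hits = undisinfected_hits(scan_text)
    return [d for d in find_vundo_pairs(log_text) if d in hits]

def companion_pattern(dll_path):
    """VundoFix in the thread also asks for the reversed base name (ddcax -> xacdd.*)."""
    name = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return name[::-1] + ".*"
```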