
Topic: Got a Virus (maybe a trojan?) Help Appreciated


Throdo

  • Guest
Got a Virus (maybe a trojan?) Help Appreciated
« on: April 20, 2009, 06:42:48 PM »
Hello Folks, thanks for looking at my problems!

I followed the Malware Removal Steps guide step by step and want to follow up with my 3 logs and a description of the problem.

Basically, today I was surfing, had not gone to any odd sites recently and had made no odd downloads, and had AVG Free (fully updated) and TeaTimer running.  TeaTimer started freaking out with some virus obviously trying to change my registry again and again.  AVG then picked up on what was going on and asked me if I wanted to fix the infected files, but when I did that, it said more files were being infected (I assume they were files being infected, although I really don't know how it works).  I turned off the computer, disconnected it from the internet, and found your website on my other computer.  I have not plugged it back into the web since, but also haven't had the same problem as before, except for 2 random notifications by AVG that something was wrong.

Thanks for reading.  I figure it's better to be more detailed than less.

Also, I have Windows XP Home Edition w/ SP3.

Thank you for your time.  It's greatly appreciated!

Here are my 3 scans:

========================================================

MBAM LOG


Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/20/2009 8:14:00 PM
mbam-log-2009-04-20 (20-14-00).txt

Scan type: Quick Scan
Objects scanned: 80154
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96a4be9d-de5f-413f-86ae-02a621d6d99f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{96a4be9d-de5f-413f-86ae-02a621d6d99f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sai.instantiator (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sai.instantiator.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nitujuyuki (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


=============================================

SUPER ANTI SPY



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2009 at 07:37 PM

Application Version : 4.26.1000

Core Rules Database Version : 3853
Trace Rules Database Version: 1805

Scan type       : Complete Scan
Total Scan Time : 02:11:24

Memory items scanned      : 372
Memory threats detected   : 2
Registry items scanned    : 5529
Registry threats detected : 6
File items scanned        : 99200
File threats detected     : 7

Adware.Vundo/Variant-EC
   C:\WINDOWS\SYSTEM32\LARAGUJI.DLL
   C:\WINDOWS\SYSTEM32\LARAGUJI.DLL
   C:\WINDOWS\SYSTEM32\NOKANOZA.DLL
   C:\WINDOWS\SYSTEM32\NOKANOZA.DLL

Adware.Vundo Variant/Rel
   HKLM\SOFTWARE\Microsoft\contim
   HKLM\SOFTWARE\Microsoft\contim#SysShell
   HKLM\SOFTWARE\Microsoft\rdfa
   HKLM\SOFTWARE\Microsoft\rdfa#F
   HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
   HKU\S-1-5-21-2696987157-2951269213-3466700681-1007\Software\Microsoft\FIAS4057

Adware.180solutions/Seekmo/Zango
   C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPSAIDETECT.DLL
   C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPSAIX.DLL

Adware.Vundo/Variant
   C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090420-143502-882.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP937\A0158237.DLL

Adware.SeekSuggest
   C:\WINDOWS\JESTERTB.DLL


==============================

HIJACK THIS



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:38 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [nitujuyuki] Rundll32.exe "C:\WINDOWS\system32\nokanoza.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nitujuyuki] Rundll32.exe "C:\WINDOWS\system32\nokanoza.dll",s (User 'NETWORK SERVICE')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\laraguji.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3327 bytes