
Author Topic: Virus issues, Downloader, Trojan.Vundo, Trojan Horse  (Read 31898 times)


queenbunnywitch

    Topic Starter


    Beginner

    Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
    « Reply #30 on: September 29, 2007, 10:13:37 AM »
    Okay, here's the log from that FindAWF program. I'll post the HijackThis in a sec.


      Find AWF report by noahdfear ©2006
                   Version 1.40

    The current date is: Sat 09/29/2007
    The current time is: 11:06:15.51


      bak folders found
      ~~~~~~~~~~~


     Directory of C:\PROGRA~1\NAVNT\BAK

    09/24/2001  07:59 AM            73,728 vptray.exe
                   1 File(s)         73,728 bytes

     Directory of C:\PROGRA~1\POPUPK~1\BAK

    09/28/2007  11:00 PM                 0 banned.ini
    09/28/2007  11:00 PM                 0 expopups.ini
    08/27/2001  03:54 PM            95,232 PopUpKiller.EXE
    09/28/2007  07:33 AM                 0 popups.ini
                   4 File(s)         95,232 bytes

     Directory of C:\PROGRA~1\ZUNE\BAK

    03/14/2007  05:03 PM            24,104 ZuneLauncher.exe
                   1 File(s)         24,104 bytes

     Directory of C:\WINDOWS\SYSTEM32\BAK

    08/20/2002  10:29 AM            40,960 ezSP_Px.exe
                   1 File(s)         40,960 bytes

     Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    06/05/2003  12:35 PM           335,872 atiptaxx.exe
                   1 File(s)        335,872 bytes

     Directory of C:\PROGRA~1\MARKANY\CONTEN~1\BAK

    01/30/2007  08:36 PM            57,344 MAAgent.exe
                   1 File(s)         57,344 bytes

     Directory of C:\PROGRA~1\SAMSUNG\SAMSUN~1\BAK

    02/23/2007  04:32 PM           126,976 SMSTray.exe
                   1 File(s)        126,976 bytes

     Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

    05/08/2006  05:17 AM            81,920 SsAAD.exe
                   1 File(s)         81,920 bytes

     Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    03/09/2007  04:14 PM           185,896 realsched.exe
                   1 File(s)        185,896 bytes

     Directory of E:\PROGRA~2\QUICKT~1\BAK

    04/27/2007  09:41 AM           282,624 qttask.exe
                   1 File(s)        282,624 bytes

     Directory of E:\PROGRA~2\YAHOO!\MESSEN~1\BAK

    06/07/2007  02:08 PM         4,670,968 YahooMessenger.exe
                   1 File(s)      4,670,968 bytes


      Duplicate files of bak directory contents
      ~~~~~~~~~~~~~~~~~~~~~~~

         24080 Aug 31 2007 "C:\Program Files\NavNT\vptray.exe"
         73728 Sep 24 2001 "C:\Program Files\NavNT\bak\vptray.exe"
         73728 Sep 24 2001 "E:\Program Files\NavNT\vptray.exe"
           441 Aug 31 2007 "C:\Program Files\PopUp Killer\banned.ini"
             0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\banned.ini"
           441 Mar  3 2007 "E:\Program Files\PopUp Killer\banned.ini"
             0 Aug 31 2007 "C:\Program Files\PopUp Killer\expopups.ini"
             0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\expopups.ini"
             0 Mar  3 2007 "E:\Program Files\PopUp Killer\expopups.ini"
         24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
         95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
         95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
             0 Aug 31 2007 "C:\Program Files\PopUp Killer\popups.ini"
             0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\popups.ini"
             0 Mar  3 2007 "E:\Program Files\PopUp Killer\popups.ini"
         24080 Aug 31 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
         24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
         40960 Aug 20 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
         40960 Aug 20 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
         40960 Aug 20 2002 "E:\WINDOWS\system32\ezSP_Px.exe"
         24080 Aug 31 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
        335872 Jun  5 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
        335872 Jun  5 2003 "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
         24080 Aug 31 2007 "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
         57344 Jan 30 2007 "C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe"
         24080 Aug 31 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
        126976 Feb 23 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe"
         24080 Aug 31 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
         81920 May  8 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
         24080 Aug 31 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
        185896 Mar  9 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
        180269 Jun  5 2006 "E:\Program Files\Common Files\Real\Update_OB\realsched.exe"
         24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
        282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
       4670704 Aug 27 2007 "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
       4670968 Jun  7 2007 "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"


      end of report

    queenbunnywitch

      Topic Starter


      Beginner

      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
      « Reply #31 on: September 29, 2007, 10:18:13 AM »
      Okay, and here's the HJT thing.


      µTorrent
      Ad-aware 6 Personal
      Adobe Flash Player ActiveX
      Adobe Reader 6.0
      AIM 6
      Apple Software Update
      ATI Control Panel
      ATI Display Driver
      BUFFALO Client Manager 3
      CCleaner (remove only)
      CDBurnerXP Pro
      CEP - Color Enable Package
      Cucusoft DVD to iPod/PSP + iPod/PSP Video Converter Suite 2.8.3
      Cucusoft DVD to Zune + Zune Video Converter Suite 5.16.5.3
      Data Lifeguard Tools
      DataCastComponent
      DivX Content Uploader
      DivX Web Player
      EVEREST Home Edition v2.20
      Google Toolbar for Internet Explorer
      Google Video Player
      HijackThis 1.99.1
      Hotfix for Windows Media Format 11 SDK (KB929399)
      Hotfix for Windows Media Player 11 (KB939683)
      Hotfix for Windows XP (KB926239)
      Java 2 Runtime Environment, SE v1.4.1_03
      Java Web Start
      Java(TM) 6 Update 2
      Kazaa Media Desktop 2.5.1
      Lame ACM MP3 Codec
      LiveUpdate 1.6 (Symantec Corporation)
      Logitech MouseWare 9.79
      Macromedia Shockwave Player
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1 Hotfix (KB928366)
      Microsoft Compression Client Pack 1.0 for Windows XP
      Microsoft User-Mode Driver Framework Feature Pack 1.0
      Mozilla Firefox (2.0.0.7)
      MSXML 4.0 SP2 (KB936181)
      MSXML 6.0 Parser (KB933579)
      Norton AntiVirus Corporate Edition
      NVIDIA Drivers
      OpenMG AAC Add-on Module 1.0.00
      OpenMG Limited Patch 4.5-06-05-12-01
      OpenMG Secure Module 4.5.01
      PDF Manual NW-E000 Series
      QuickTime
      Q-Xpress Installer 1.1.9
      RealPlayer
      Samsung Media Studio
      Security Update for Windows Media Player (KB911564)
      Security Update for Windows Media Player 10 (KB936782)
      Security Update for Windows Media Player 11 (KB936782)
      Security Update for Windows Media Player 6.4 (KB925398)
      Security Update for Windows Media Player 9 (KB917734)
      Security Update for Windows XP (KB890046)
      Security Update for Windows XP (KB893756)
      Security Update for Windows XP (KB896358)
      Security Update for Windows XP (KB896422)
      Security Update for Windows XP (KB896423)
      Security Update for Windows XP (KB896424)
      Security Update for Windows XP (KB896428)
      Security Update for Windows XP (KB899587)
      Security Update for Windows XP (KB899589)
      Security Update for Windows XP (KB899591)
      Security Update for Windows XP (KB900725)
      Security Update for Windows XP (KB901017)
      Security Update for Windows XP (KB901190)
      Security Update for Windows XP (KB901214)
      Security Update for Windows XP (KB902400)
      Security Update for Windows XP (KB905414)
      Security Update for Windows XP (KB905749)
      Security Update for Windows XP (KB908519)
      Security Update for Windows XP (KB911562)
      Security Update for Windows XP (KB911567)
      Security Update for Windows XP (KB911927)
      Security Update for Windows XP (KB912919)
      Security Update for Windows XP (KB913580)
      Security Update for Windows XP (KB914388)
      Security Update for Windows XP (KB914389)
      Security Update for Windows XP (KB916281)
      Security Update for Windows XP (KB917344)
      Security Update for Windows XP (KB917422)
      Security Update for Windows XP (KB917953)
      Security Update for Windows XP (KB918118)
      Security Update for Windows XP (KB919007)
      Security Update for Windows XP (KB920213)
      Security Update for Windows XP (KB920670)
      Security Update for Windows XP (KB920683)
      Security Update for Windows XP (KB920685)
      Security Update for Windows XP (KB921398)
      Security Update for Windows XP (KB921503)
      Security Update for Windows XP (KB922616)
      Security Update for Windows XP (KB922819)
      Security Update for Windows XP (KB923191)
      Security Update for Windows XP (KB923414)
      Security Update for Windows XP (KB923689)
      Security Update for Windows XP (KB923694)
      Security Update for Windows XP (KB923980)
      Security Update for Windows XP (KB924191)
      Security Update for Windows XP (KB924270)
      Security Update for Windows XP (KB924496)
      Security Update for Windows XP (KB924667)
      Security Update for Windows XP (KB925902)
      Security Update for Windows XP (KB926255)
      Security Update for Windows XP (KB926436)
      Security Update for Windows XP (KB927779)
      Security Update for Windows XP (KB927802)
      Security Update for Windows XP (KB928090)
      Security Update for Windows XP (KB928255)
      Security Update for Windows XP (KB928843)
      Security Update for Windows XP (KB929123)
      Security Update for Windows XP (KB929969)
      Security Update for Windows XP (KB930178)
      Security Update for Windows XP (KB931261)
      Security Update for Windows XP (KB931784)
      Security Update for Windows XP (KB932168)
      Security Update for Windows XP (KB935839)
      Security Update for Windows XP (KB935840)
      Security Update for Windows XP (KB936021)
      Security Update for Windows XP (KB937143)
      Security Update for Windows XP (KB938127)
      Security Update for Windows XP (KB938829)
      Shockwave
      Sims2Pack Clean Installer
      Sony PSP Media Manager 1.0a
      Spybot - Search & Destroy 1.4
      The Sims 2
      The Sims 2 Glamour Life Stuff
      The Sims 2 Nightlife
      The Sims 2 Open For Business
      The Sims 2 Pets
      The Sims 2 University
      The Sims™ 2 Bon Voyage
      The Sims™ 2 Celebration! Stuff
      The Sims™ 2 Seasons
      Update for Windows XP (KB894391)
      Update for Windows XP (KB898461)
      Update for Windows XP (KB900485)
      Update for Windows XP (KB908531)
      Update for Windows XP (KB910437)
      Update for Windows XP (KB911280)
      Update for Windows XP (KB916595)
      Update for Windows XP (KB920872)
      Update for Windows XP (KB922582)
      Update for Windows XP (KB927891)
      Update for Windows XP (KB930916)
      Update for Windows XP (KB931836)
      Update for Windows XP (KB933360)
      Update for Windows XP (KB938828)
      Veoh Player
      Windows Driver Package - Microsoft WPD  (12/01/2006 1.2.0.0)
      Windows Installer 3.1 (KB893803)
      Windows Live Messenger
      Windows Media Format 11 runtime
      Windows Media Format 11 runtime
      Windows Media Player 11
      Windows Media Player 11
      Windows XP Hotfix - KB873339
      Windows XP Hotfix - KB885835
      Windows XP Hotfix - KB885836
      Windows XP Hotfix - KB886185
      Windows XP Hotfix - KB887472
      Windows XP Hotfix - KB887742
      Windows XP Hotfix - KB888113
      Windows XP Hotfix - KB888302
      Windows XP Hotfix - KB890859
      Windows XP Hotfix - KB891781
      Windows XP Service Pack 2
      WinRAR archiver
      XviD MPEG-4 Video Codec
      Yahoo! Browser Services
      Yahoo! Messenger
      Yahoo! Search Protection
      Zune



      (And on a slightly off-topic note, when those viruses were giving me problems my Sims 2 ran horribly! Now it runs as smooth as it did before. So thanks so much for helping me cuz...man...I'd go crazy without my Sims.)
      « Last Edit: September 29, 2007, 10:40:47 AM by queenbunnywitch »

      CBMatt

      • Mod & Malware Specialist


      • Prodigy

      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
      « Reply #32 on: September 30, 2007, 10:17:09 AM »
      I'm glad things are running a bit better for you now.  But there's still just a bit more cleanup we need to do.  First, you should remove the following...

      Java 2 Runtime Environment, SE v1.4.1_03

      You have a newer version of Java, so this one isn't necessary.  All it's doing is taking up space.  Now, go ahead and open up FindAWF.
      When presented with the different options, choose #2.
      A text file will open up.  Copy/paste the following bold text into that file...

      C:\Program Files\NavNT\bak\vptray.exe
      C:\Program Files\PopUp Killer\bak\banned.ini
      C:\Program Files\PopUp Killer\bak\expopups.ini
      C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
      C:\Program Files\PopUp Killer\bak\popups.ini
      C:\Program Files\Zune\bak\ZuneLauncher.exe
      C:\WINDOWS\system32\bak\ezSP_Px.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
      C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe
      C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe
      C:\Program Files\Sony\SonicStage\bak\SsAAD.exe
      C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
      E:\Program Files\QuickTime\bak\qttask.exe
      E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe


      Close the .txt file and click Yes to save the changes.
      When the tool has completed, a report will open up in Notepad.  Please post the results of the awf.txt here along with a new HijackThis log.
      Quote
      An undefined problem has an infinite number of solutions.
      —Robert A. Humphrey
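Added example, not part of the original thread and not FindAWF's own code: a Python sketch that parses the "Duplicate files of bak directory contents" section of a report like the one in Reply #30 and pairs each `bak` copy with the file now sitting in its parent folder. The sample lines are copied from that report; the function names, the verdict labels and the rule "one size shared by three or more different file names is suspect" are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, join, normcase  # Windows paths on any OS
from typing import NamedTuple

# Lines copied from the "Duplicate files" section of the Reply #30 report.
SAMPLE_REPORT = r'''
     24080 Aug 31 2007 "C:\Program Files\NavNT\vptray.exe"
     73728 Sep 24 2001 "C:\Program Files\NavNT\bak\vptray.exe"
     73728 Sep 24 2001 "E:\Program Files\NavNT\vptray.exe"
       441 Aug 31 2007 "C:\Program Files\PopUp Killer\banned.ini"
         0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\banned.ini"
       441 Mar  3 2007 "E:\Program Files\PopUp Killer\banned.ini"
     24080 Aug 31 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
     24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
     40960 Aug 20 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
     40960 Aug 20 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
     40960 Aug 20 2002 "E:\WINDOWS\system32\ezSP_Px.exe"
     24080 Aug 31 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    335872 Jun  5 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    335872 Jun  5 2003 "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
   4670704 Aug 27 2007 "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
   4670968 Jun  7 2007 "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
'''

# <size> <Mon> <day> <year> "<full path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


class Entry(NamedTuple):
    size: int
    date: str
    path: str


def parse_entries(text):
    """Return one Entry per well-formed listing line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_bak(path):
    """True when the file sits directly inside a folder named 'bak'."""
    return normcase(basename(dirname(path))) == "bak"


def shared_sizes(entries, min_names=3):
    """Sizes carried by at least `min_names` differently named non-bak files.

    Assumed heuristic: unrelated programs do not normally ship executables
    of exactly the same byte count. Zero-byte files are ignored.
    """
    names_by_size = defaultdict(set)
    for e in entries:
        if e.size and not is_bak(e.path):
            names_by_size[e.size].add(normcase(basename(e.path)))
    return {size for size, names in names_by_size.items() if len(names) >= min_names}


def classify(entries):
    """Map each bak path to a verdict about the file one folder above it."""
    by_path = {normcase(e.path): e for e in entries}
    suspect_sizes = shared_sizes(entries)
    verdicts = {}
    for e in entries:
        if not is_bak(e.path):
            continue
        live_path = join(dirname(dirname(e.path)), basename(e.path))
        live = by_path.get(normcase(live_path))
        if live is None:
            verdicts[e.path] = "no live file listed"
        elif live.size == e.size:
            verdicts[e.path] = "same size"
        elif live.size in suspect_sizes:
            verdicts[e.path] = "suspect"   # live copy has the shared size
        else:
            verdicts[e.path] = "differs"   # sizes differ, but not the shared size
    return verdicts


if __name__ == "__main__":
    for bak_path, verdict in classify(parse_entries(SAMPLE_REPORT)).items():
        print(f"{verdict:<20} {bak_path}")
```

Size is only a triage signal: a "same size" or "differs" verdict says nothing about file contents, so comparing hashes against a known-good copy is the stronger check.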

      queenbunnywitch

        Topic Starter


        Beginner

        Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
        « Reply #33 on: October 01, 2007, 10:39:03 PM »
        Okay, stupid question, but how do I delete that version of Java?

        oddjob



          Hopeful

          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
          « Reply #34 on: October 02, 2007, 04:02:31 AM »
          Go to Start > Control Panel, double-click on Add/Remove Programs, and remove all older versions of Java that you find. Version 6, update 2, is the only one you should keep at the moment.


          OJ

          queenbunnywitch

            Topic Starter


            Beginner

            Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
            « Reply #35 on: October 03, 2007, 01:00:42 AM »
            thanks oddjob ;D


              Find AWF report by noahdfear ©2006
                           Version 1.40
            Option 2 run successfully

            The current date is: Wed 10/03/2007
            The current time is:  1:54:08.62


              bak folders found
              ~~~~~~~~~~~


             Directory of C:\PROGRA~1\NAVNT\BAK

            09/24/2001  07:59 AM            73,728 vptray.exe
                           1 File(s)         73,728 bytes

             Directory of C:\PROGRA~1\POPUPK~1\BAK

            10/02/2007  04:21 PM                 0 banned.ini
            10/02/2007  04:21 PM                 0 expopups.ini
            10/02/2007  03:07 PM            28,176 PopUpKiller.EXE
            09/28/2007  07:33 AM                 0 popups.ini
                           4 File(s)         28,176 bytes

             Directory of C:\PROGRA~1\ZUNE\BAK

            03/14/2007  05:03 PM            24,104 ZuneLauncher.exe
                           1 File(s)         24,104 bytes

             Directory of C:\WINDOWS\SYSTEM32\BAK

            08/20/2002  10:29 AM            40,960 ezSP_Px.exe
                           1 File(s)         40,960 bytes

             Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

            06/05/2003  12:35 PM           335,872 atiptaxx.exe
                           1 File(s)        335,872 bytes

             Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

            09/04/2007  10:58 PM            68,856 GoogleToolbarNotifier.exe
                           1 File(s)         68,856 bytes

             Directory of C:\PROGRA~1\MARKANY\CONTEN~1\BAK

            01/30/2007  08:36 PM            57,344 MAAgent.exe
                           1 File(s)         57,344 bytes

             Directory of C:\PROGRA~1\POPUPK~1\BAK\BAK

            08/27/2001  03:54 PM            95,232 PopUpKiller.EXE
                           1 File(s)         95,232 bytes

             Directory of C:\PROGRA~1\SAMSUNG\SAMSUN~1\BAK

            02/23/2007  04:32 PM           126,976 SMSTray.exe
                           1 File(s)        126,976 bytes

             Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

            05/08/2006  05:17 AM            81,920 SsAAD.exe
                           1 File(s)         81,920 bytes

             Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

            06/08/2007  09:59 AM           224,248 SearchProtection.exe
                           1 File(s)        224,248 bytes

             Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

            03/09/2007  04:14 PM           185,896 realsched.exe
                           1 File(s)        185,896 bytes

             Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

            07/12/2007  04:00 AM           132,496 jusched.exe
                           1 File(s)        132,496 bytes

             Directory of E:\PROGRA~2\QUICKT~1\BAK

            10/02/2007  03:07 PM            28,176 qttask.exe
                           1 File(s)         28,176 bytes

             Directory of E:\PROGRA~2\QUICKT~1\BAK\BAK

            04/27/2007  09:41 AM           282,624 qttask.exe
                           1 File(s)        282,624 bytes

             Directory of E:\PROGRA~2\YAHOO!\MESSEN~1\BAK

            06/07/2007  02:08 PM         4,670,968 YahooMessenger.exe
                           1 File(s)      4,670,968 bytes


              Duplicate files of bak directory contents
              ~~~~~~~~~~~~~~~~~~~~~~~

                 28176 Oct  2 2007 "C:\Program Files\NavNT\vptray.exe"
                 73728 Sep 24 2001 "C:\Program Files\NavNT\bak\vptray.exe"
                 73728 Sep 24 2001 "E:\Program Files\NavNT\vptray.exe"
                   441 Aug 31 2007 "C:\Program Files\PopUp Killer\banned.ini"
                     0 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\banned.ini"
                   441 Mar  3 2007 "E:\Program Files\PopUp Killer\banned.ini"
                     0 Aug 31 2007 "C:\Program Files\PopUp Killer\expopups.ini"
                     0 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\expopups.ini"
                     0 Mar  3 2007 "E:\Program Files\PopUp Killer\expopups.ini"
                 24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                 28176 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                 95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.EXE"
                 95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                     0 Aug 31 2007 "C:\Program Files\PopUp Killer\popups.ini"
                     0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\popups.ini"
                     0 Mar  3 2007 "E:\Program Files\PopUp Killer\popups.ini"
                 24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                 28176 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                 95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.EXE"
                 95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                 28176 Oct  2 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
                 24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
                 40960 Aug 20 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
                 40960 Aug 20 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
                 40960 Aug 20 2002 "E:\WINDOWS\system32\ezSP_Px.exe"
                 28176 Oct  2 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                335872 Jun  5 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
                335872 Jun  5 2003 "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                 52272 Apr  7 2007 "C:\Program Files\Google\googletoolbar1user.exe"
               4562944 Apr 28 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
                 28176 Oct  2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
               1145896 Mar  9 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
                138168 Apr  7 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
                 68856 Sep  4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
               4856576 Jun 21 2006 "E:\Documents and Settings\starrs crap\My Documents\GoogleVideoPlayerSetup_2006_04_28-14-09_pcg.exe"
               4562944 Apr 28 2006 "E:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
                559784 Jun  5 2006 "E:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
                 28176 Oct  2 2007 "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
                 57344 Jan 30 2007 "C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe"
                 24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                 28176 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                 95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.EXE"
                 95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                 28176 Oct  2 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
                126976 Feb 23 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe"
                 28176 Oct  2 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
                 81920 May  8 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
                 28176 Oct  2 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                224248 Jun  8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
                 28176 Oct  2 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                185896 Mar  9 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
                180269 Jun  5 2006 "E:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
                 24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                 28176 Oct  2 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\bak\qttask.exe"
                 24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                 28176 Oct  2 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\bak\qttask.exe"
                 24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                 28176 Oct  2 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\bak\qttask.exe"
                 28176 Oct  2 2007 "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
               4670968 Jun  7 2007 "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"


              end of report


            queenbunnywitch

              Topic Starter


              Beginner

              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
              « Reply #36 on: October 03, 2007, 01:02:20 AM »
              and the new HJT log

              Logfile of HijackThis v1.99.1
              Scan saved at 2:01:24 AM, on 10/3/2007
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
              C:\Program Files\NavNT\defwatch.exe
              C:\Program Files\NavNT\rtvscan.exe
              C:\WINDOWS\system32\nvsvc32.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\MsgSys.EXE
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\WgaTray.exe
              C:\Program Files\Logitech\MouseWare\system\em_exec.exe
              C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\analyse\analyse.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
              O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
              O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
              O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
              O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
              O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
              O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
              O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
              O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
              O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
              O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
              O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
              O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
              O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O15 - Trusted Zone: *.whataboutadog.com
              O15 - Trusted Zone: *.whataboutarabit.com
              O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
              O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
              O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
              O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
              O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
              O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
              O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
              O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
              O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
              O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
              O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
              O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
              O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
              O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
              O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
              O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
              O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
              O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
              O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
              O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


              CBMatt

              • Mod & Malware Specialist


              • Prodigy

              • Sad and lonely...and loving every minute of it.
              • Thanked: 167
                • Yes
              • Experience: Experienced
              • OS: Windows 7
              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
              « Reply #37 on: October 05, 2007, 10:11:32 AM »
              Hi, queen, sorry for the delay.  As I'm sure you've noticed, things can get a little busy over here.  Please download SUPERAntiSpyware (you'll need this later).  The fix appears to have not worked, so I would like you to reboot into Safe Mode and try my FindAWF instructions again (copying the filepaths into the Notepad file).  Once again, a logfile will open.

              Because we get busy at times, I'm going to try giving you a Plan B in case the above doesn't work.  When you are given the logfile, check the Duplicate files of bak directory contents section at the bottom.  If it still lists all of those files, then try the following...

              Open up Notepad (do this part before going into Safe Mode) and copy/paste everything in the below quote box...
              Quote
              @echo off
              rem Remove the replaced copies from their original locations.
              for %%g in (
              "C:\Program Files\NavNT\vptray.exe"
              "C:\Program Files\PopUp Killer\banned.ini"
              "C:\Program Files\PopUp Killer\expopups.ini"
              "C:\Program Files\PopUp Killer\PopUpKiller.exe"
              "C:\Program Files\PopUp Killer\popups.ini"
              "C:\Program Files\Zune\ZuneLauncher.exe"
              "C:\WINDOWS\system32\ezSP_Px.exe"
              "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
              "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
              "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
              "C:\Program Files\Sony\SonicStage\SsAAD.exe"
              "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
              "E:\Program Files\QuickTime\qttask.exe"
              "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
              ) do (
              rem Clear system, hidden and read-only attributes so the file can be deleted.
              if exist %%g attrib -s -h -r %%g
              rem No /s on del: it would also delete same-named files in subfolders, including the bak copies restored below.
              if exist %%g del /f /q %%g
              )>nul 2>&1

              copy /y "C:\Program Files\NavNT\bak\vptray.exe" "C:\Program Files\NavNT\vptray.exe"
              copy /y "C:\Program Files\PopUp Killer\bak\banned.ini" "C:\Program Files\PopUp Killer\banned.ini"
              copy /y "C:\Program Files\PopUp Killer\bak\expopups.ini" "C:\Program Files\PopUp Killer\expopups.ini"
              copy /y "C:\Program Files\PopUp Killer\bak\PopUpKiller.exe" "C:\Program Files\PopUp Killer\PopUpKiller.exe"
              copy /y "C:\Program Files\PopUp Killer\bak\popups.ini" "C:\Program Files\PopUp Killer\popups.ini"
              copy /y "C:\Program Files\Zune\bak\ZuneLauncher.exe" "C:\Program Files\Zune\ZuneLauncher.exe"
              copy /y "C:\WINDOWS\system32\bak\ezSP_Px.exe" "C:\WINDOWS\system32\ezSP_Px.exe"
              copy /y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
              copy /y "C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe" "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
              copy /y "C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe" "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
              copy /y "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe" "C:\Program Files\Sony\SonicStage\SsAAD.exe"
              copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
              copy /y "E:\Program Files\QuickTime\bak\qttask.exe" "E:\Program Files\QuickTime\qttask.exe"
              copy /y "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe" "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"

              exit

              Go to File > Save As and next to Save as type, choose All Files and save the file as restoreawf.bat.  Run the file in Safe Mode and then scan with SUPERAntiSpyware and let it clean whatever it wants.  Run FindAWF one more time and save the log, then restart your computer and post the results here along with a new HijackThis log.
              Quote
              An undefined problem has an infinite number of solutions.
              —Robert A. Humphrey
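
A static check for a delete-then-copy restore script like the one in the post above, added here as an example and not part of the original post: it confirms that every file the loop deletes has a matching copy line reading from the sibling bak folder, and flags `del /s`, which also removes same-named files in subfolders. The function name and the shortened sample script are constructed for illustration.

```python
import ntpath
import re

# Constructed sample in the shape of the restore script above, with deliberate
# mistakes: del /s, a copy that does not read from bak, and a missing copy line.
SAMPLE_BAT = r'''@echo off
for %%g in (
"C:\Program Files\NavNT\vptray.exe"
"C:\Program Files\Zune\ZuneLauncher.exe"
"E:\Program Files\QuickTime\qttask.exe"
) do (
if exist %%g attrib -s -h -r %%g
del /s/f/q %%g
)>nul 2>&1
copy /y "C:\Program Files\NavNT\bak\vptray.exe" "C:\Program Files\NavNT\vptray.exe"
copy /y "C:\Program Files\Zune\ZuneLauncher.exe" "C:\Program Files\Zune\ZuneLauncher.exe"
'''

QUOTED = re.compile(r'"([^"]+)"')


def audit_restore_script(text):
    """Return (deleted, problems) for a delete-then-copy restore script."""
    deleted, restored, problems = [], set(), []
    in_list = False
    for line in (raw.strip() for raw in text.splitlines()):
        low = line.lower()
        if low.startswith("for ") and line.endswith("("):
            in_list = True                      # start of the delete list
        elif in_list and line.startswith(")"):
            in_list = False                     # ") do (" ends the list
        elif in_list:
            deleted += QUOTED.findall(line)
        elif low.startswith("del ") and re.search(r"/s\b", low):
            problems.append("del /s also deletes same-named files in subfolders such as bak")
        elif low.startswith("copy ") and len(QUOTED.findall(line)) == 2:
            src, dst = QUOTED.findall(line)
            # The backup is expected at <folder of target>\bak\<file name>.
            want = ntpath.join(ntpath.dirname(dst), "bak", ntpath.basename(dst))
            if ntpath.normcase(src) != ntpath.normcase(want):
                problems.append("copy source is not the bak copy: " + dst)
            restored.add(ntpath.normcase(dst))
    problems += ["deleted but never restored: " + t
                 for t in deleted if ntpath.normcase(t) not in restored]
    return deleted, problems
```

An empty problems list means each deleted path is paired with a restore from its own bak folder; it does not confirm that the bak copies exist on disk.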

              queenbunnywitch


                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                « Reply #38 on: October 06, 2007, 09:05:50 PM »
                that's okay, you're still helping me so that's all i need! :D

                okay now..before i do this let me make sure i get it first,  i don't wanna mess anything up. okay. so i download SUPERAntiSpyware. then i just follow your first FindAWF instructions and if it doesn't work then i go to plan B. So i run AWF again and check Duplicate files of back directory contents and check if those files are still there..then open notepad in regular mode and save that list you quoted in a notepad file and "save as" restoreawf.bat. Then run WFA in safe mode and then scan with SUPERAntiSpyware. Run AWF again and post the log after i restart?

                CBMatt

                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                « Reply #39 on: October 08, 2007, 01:47:17 AM »
                Yup, sounds like you've got the right idea to me!

                CBMatt

                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                « Reply #40 on: November 06, 2007, 05:45:01 AM »
                Due to lack of feedback, I am closing this topic.  If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

                If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.