W32/downloader.10

Comments

7 comments

  • Customer

    Please download VundoFix.exe to your desktop.


    • Double-click VundoFix.exe to run it.


    • Click the Scan for Vundo button.


    • Once it's done scanning, click the Remove Vundo button.


    • You will receive a prompt asking if you want to remove the files; click YES.


    • Once you click yes, your desktop will go blank as it starts removing Vundo.


    • When completed, it will prompt that it will reboot your computer, click OK.


    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.



    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    0
  • Customer

    Done what you said, comp got real slow though. Hopefully that's just temporary. Anyway, here:

     

     

    VundoFix V6.3.21

     

    Checking Java version...

     

    Java version is 1.5.0.6

    Old versions of java are exploitable and should be removed.

     

    Java version is 1.5.0.9

    Old versions of java are exploitable and should be removed.

     

    Scan started at 17:20:20 14/05/2007

     

    Listing files found while scanning....

     

     

    VundoFix V6.3.21

     

    Checking Java version...

     

    Java version is 1.5.0.6

    Old versions of java are exploitable and should be removed.

     

    Java version is 1.5.0.9

    Old versions of java are exploitable and should be removed.

     

    Scan started at 17:25:24 14/05/2007

     

    Listing files found while scanning....

     

    C:\WINNT\system32\cbxwv.dll

    C:\WINNT\system32\cbxyyax.dll

    C:\WINNT\system32\ddccdde.dll

    C:\WINNT\system32\gebxyxv.dll

    C:\WINNT\system32\vtuuspo.dll

    C:\WINNT\system32\vwxbc.bak1

    C:\WINNT\system32\vwxbc.ini

     

    Beginning removal...

     

    Attempting to delete C:\WINNT\system32\cbxwv.dll

    C:\WINNT\system32\cbxwv.dll Could not be deleted.

     

    Attempting to delete C:\WINNT\system32\cbxyyax.dll

    C:\WINNT\system32\cbxyyax.dll Has been deleted!

     

    Attempting to delete C:\WINNT\system32\ddccdde.dll

    C:\WINNT\system32\ddccdde.dll Has been deleted!

     

    Attempting to delete C:\WINNT\system32\gebxyxv.dll

    C:\WINNT\system32\gebxyxv.dll Has been deleted!

     

    Attempting to delete C:\WINNT\system32\vtuuspo.dll

    C:\WINNT\system32\vtuuspo.dll Has been deleted!

     

    Attempting to delete C:\WINNT\system32\vwxbc.bak1

    C:\WINNT\system32\vwxbc.bak1 Has been deleted!

     

    Attempting to delete C:\WINNT\system32\vwxbc.ini

    C:\WINNT\system32\vwxbc.ini Has been deleted!

     

    Performing Repairs to the registry.

    Done!

     

    Beginning removal...

     

    Attempting to delete C:\WINNT\system32\cbxwv.dll

    C:\WINNT\system32\cbxwv.dll Has been deleted!

     

    Performing Repairs to the registry.

    Done!

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 18:13:03, on 14/05/2007

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

     

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    F:\Program Files\Virgin Broadband\PCguard\fws.exe

    C:\WINNT\system32\svchost.exe

    F:\Sophos Anti-Virus\SavService.exe

    C:\WINNT\system32\spoolsv.exe

    f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    F:\Program Files\Executive Software\Diskeeper\DkService.exe

    C:\Program Files\Common Files\Command Software\dvpapi.exe

    C:\WINNT\system32\svchost.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    F:\Sophos Anti-Virus\SAVAdminService.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\tcpsvcs.exe

    F:\AutoUpdate\ALsvc.exe

    C:\WINNT\wanmpsvc.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\Explorer.EXE

    F:\program files\iTunesHelper.exe

    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

    F:\Program Files\Virgin Broadband\PCguard\Rps.exe

    F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

    E:\iPod\bin\iPodService.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    C:\WINNT\system32\ctfmon.exe

    F:\Program Files\WallpaperSS\WallpaperSS.exe

    F:\AutoUpdate\ALMon.exe

    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

    F:\program files\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System\blank.htm

    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll (file missing)

    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - F:\Program Files\Virgin Broadband\PCguard\pkR.dll

    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - F:\Program Files\Virgin Broadband\PCguard\FBHR.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINNT\system32\gebxyxv.dll (file missing)

    O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\qkspwuth.dll

    O4 - HKLM\..\Run: [iTunesHelper] "F:\program files\iTunesHelper.exe"

    O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

    O4 - HKLM\..\Run: [PCguard] "F:\Program Files\Virgin Broadband\PCguard\Rps.exe"

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    O4 - HKLM\..\Run: [NoteBurner] F:\Program Files\NoteBurner\VTBurnerGUI.exe /silence

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [AVG7_CC] f:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\igbcdcpc.dll",realset

    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [WallpaperSS] F:\Program Files\WallpaperSS\WallpaperSS.exe

    O4 - HKCU\..\Run: [Eraser] F:\Program Files\Eraser\eraser.exe -hide

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: AutoUpdate Monitor.lnk = F:\AutoUpdate\ALMon.exe

    O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm

    O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm

    O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\MICROS~2\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\MICROS~2\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\MICROS~2\INetRepl.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk

    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

    O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll

    O20 - Winlogon Notify: wingrl32 - C:\WINNT\SYSTEM32\wingrl32.dll

    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll

    O23 - Service: Wireless Adapter Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - E:\iPod\bin\iPodService.exe

    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - F:\Program Files\Virgin Broadband\PCguard\fws.exe

    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - F:\Sophos Anti-Virus\SAVAdminService.exe

    O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - F:\Sophos Anti-Virus\SavService.exe

    O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BLUEYO~1\SMARTB~1\SBHookSvc.exe

    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe

    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - F:\AutoUpdate\ALsvc.exe

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    0
  • Customer

    * Download OTMoveIt.exe from here and place it on your desktop:

    http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

     

    * Open OTMoveIt.exe.

    In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the next part:

     

    C:\WINNT\system32\qkspwuth.dll

    C:\WINNT\SYSTEM32\wingrl32.dll

     

    Then click the MoveIt button below.

    In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.

    When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.

    Copy and paste this log in your next reply with a new HijackThis log.

    0
  • Customer

    * Please open HijackThis and put a check next to the following:

     

    O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINNT\system32\gebxyxv.dll (file missing)

    O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\qkspwuth.dll (file missing)

    O20 - Winlogon Notify: wingrl32 - wingrl32.dll (file missing)

     

    * After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

     

    * After that, tell me how everything is working.

    0
  • Customer

    DllUnregisterServer procedure not found in C:\WINNT\system32\qkspwuth.dll

    C:\WINNT\system32\qkspwuth.dll NOT unregistered.

    C:\WINNT\system32\qkspwuth.dll moved successfully.

    LoadLibrary failed for C:\WINNT\SYSTEM32\wingrl32.dll

    C:\WINNT\SYSTEM32\wingrl32.dll NOT unregistered.

    C:\WINNT\SYSTEM32\wingrl32.dll moved successfully.

     

    Created on 05/14/2007 19:57:43

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 20:00:08, on 14/05/2007

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

     

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    F:\Program Files\Virgin Broadband\PCguard\fws.exe

    C:\WINNT\system32\svchost.exe

    F:\Sophos Anti-Virus\SavService.exe

    C:\WINNT\system32\spoolsv.exe

    f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    F:\Program Files\Executive Software\Diskeeper\DkService.exe

    C:\Program Files\Common Files\Command Software\dvpapi.exe

    C:\WINNT\system32\svchost.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    F:\Sophos Anti-Virus\SAVAdminService.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\tcpsvcs.exe

    F:\AutoUpdate\ALsvc.exe

    C:\WINNT\wanmpsvc.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\Explorer.EXE

    F:\program files\iTunesHelper.exe

    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

    F:\Program Files\Virgin Broadband\PCguard\Rps.exe

    F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

    E:\iPod\bin\iPodService.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    C:\WINNT\system32\ctfmon.exe

    F:\Program Files\WallpaperSS\WallpaperSS.exe

    F:\AutoUpdate\ALMon.exe

    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    F:\program files\Mozilla\firefox.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    F:\program files\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System\blank.htm

    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll

    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - F:\Program Files\Virgin Broadband\PCguard\pkR.dll

    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - F:\Program Files\Virgin Broadband\PCguard\FBHR.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINNT\system32\gebxyxv.dll (file missing)

    O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\qkspwuth.dll (file missing)

    O4 - HKLM\..\Run: [iTunesHelper] "F:\program files\iTunesHelper.exe"

    O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

    O4 - HKLM\..\Run: [PCguard] "F:\Program Files\Virgin Broadband\PCguard\Rps.exe"

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    O4 - HKLM\..\Run: [NoteBurner] F:\Program Files\NoteBurner\VTBurnerGUI.exe /silence

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [AVG7_CC] f:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [WallpaperSS] F:\Program Files\WallpaperSS\WallpaperSS.exe

    O4 - HKCU\..\Run: [Eraser] F:\Program Files\Eraser\eraser.exe -hide

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: AutoUpdate Monitor.lnk = F:\AutoUpdate\ALMon.exe

    O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm

    O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm

    O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\MICROS~2\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\MICROS~2\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\PROGRA~1\MICROS~2\INetRepl.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk

    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

    O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll

    O20 - Winlogon Notify: wingrl32 - wingrl32.dll (file missing)

    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll

    O23 - Service: Wireless Adapter Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - E:\iPod\bin\iPodService.exe

    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - F:\Program Files\Virgin Broadband\PCguard\fws.exe

    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - F:\Sophos Anti-Virus\SAVAdminService.exe

    O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - F:\Sophos Anti-Virus\SavService.exe

    O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BLUEYO~1\SMARTB~1\SBHookSvc.exe

    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe

    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - F:\AutoUpdate\ALsvc.exe

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    0
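An added example, not part of the thread and not HijackThis's own code: a Python sketch that parses HijackThis entry lines and compares the 18:13:03 and 20:00:08 logs posted above, reporting autostart entries that disappeared or whose target file went missing. The sample input is an excerpt of those two logs; the function names `parse_entries`, `diff_logs` and `orphaned` are this example's own.

```python
import re

# A HijackThis entry line is "<section> - <details>",
# e.g. "O2 - BHO: <name> - {CLSID} - <path>".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
MISSING = "(file missing)"

# Excerpts of the two logs posted in the thread (18:13:03 and 20:00:08).
BEFORE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINNT\system32\gebxyxv.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\qkspwuth.dll
O4 - HKLM\..\Run: [AVG7_CC] f:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\igbcdcpc.dll",realset
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: wingrl32 - C:\WINNT\SYSTEM32\wingrl32.dll
"""
AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINNT\system32\gebxyxv.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\qkspwuth.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] f:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: wingrl32 - wingrl32.dll (file missing)
"""


def parse_entries(log_text):
    """Map (section, identity) -> True if the entry is marked "(file missing)".

    The identity is everything before the last " - " separator (name, CLSID),
    so an entry keeps its key when only the reported path or the missing flag
    changes. Entries without that separator (O4 Run values, R0) are keyed whole.
    """
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, running-process list, blank lines
        section, details = m.groups()
        missing = details.endswith(MISSING)
        if missing:
            details = details[: -len(MISSING)].rstrip()
        identity, sep, _target = details.rpartition(" - ")
        entries[(section, identity if sep else details)] = missing
    return entries


def diff_logs(before_text, after_text):
    """Return sorted (change, section, identity) tuples between two logs."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    changes = []
    for key in before.keys() | after.keys():
        if key not in after:
            changes.append(("removed",) + key)
        elif key not in before:
            changes.append(("added",) + key)
        elif before[key] != after[key]:
            state = "file now missing" if after[key] else "file now present"
            changes.append((state,) + key)
    return sorted(changes)


def orphaned(log_text):
    """Entries whose registry reference remains but whose file is gone."""
    return sorted(k for k, gone in parse_entries(log_text).items() if gone)


if __name__ == "__main__":
    for change in diff_logs(BEFORE, AFTER):
        print(*change, sep=" | ")
    print("orphaned:", orphaned(AFTER))
```

On this excerpt, the orphaned entries are the same three lines the helper asks to check in HijackThis before clicking Fix Checked.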
  • Customer

    Well... it seems like it's gone. My anti-virus software isn't detecting anything now, so it looks as if it's gone. The only concern is that when I restarted the computer, I had problems getting it to shut down and when rebooting, it took longer than usual. Other than that, everything seems okay.

    0
  • Customer

    * Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only.

      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.


    If you use Firefox browser

      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.


    If you use Opera browser

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.


    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

     

    * After that, perform a disk defragmentation.

    0
