Unknown - Win2k - 2 Topics Merged...


  • This topic is locked
4 replies to this topic

#1 C.T.D.A.F.A.R.J (Full Member, 11 posts)

Posted 27 May 2007 - 02:34 PM

I'm new here. I have a problem that popped in on my PC on Friday. I had already been running NAV and AVG Virus as well as AVG Spyware, Spybot and Ad-Aware. What has been happening is every time I try and open an IE window, other windows start popping up all over. Some of them are download windows wanting me to save software to my disk. I am able to close all of them, but I can't get them to stop. I ran scans from all of the virus scanners and all of the ad scanners and found several entries on each of them and cleaned them. The problem still persists. When I was running one of the ad scans Norton popped up and said it had found Hacktool and also Trojan.Vundo. It said it had quarantined both of them. This didn't fix anything though, so I downloaded and ran VundoFix and it found several entries and removed them. Still have popups. I'm running out of options and scanners. Below is my log from HijackThis and from VundoFix.

I hope you can help me. This is driving me crazy.

..............................................................................................
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:04:50 PM, on 5/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\tempinst\Hijack\HiJackThis_v2.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {219373D3-DC71-4C9D-B07A-E300DFAED95E} - C:\WINNT\system32\rqrqq.dll (file missing)
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINNT\system32\urqrrsp.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\eovlgsbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {975A421F-D5DE-AE2B-D90E-8BADDAB974C2} - C:\WINNT\system32\wzh.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: 0 - {BEE22228-B73A-4E81-0D86-11B9DFA023FC} - C:\Program Files\microsoft frontpage\lavupazo.dll (file missing)
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINNT\system32\comi.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINNT\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.liv...es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1180214288081
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...039/mcfscan.cab
O20 - Winlogon Notify: urqrrsp - urqrrsp.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

--
End of file - 6675 bytes
..............................................................................................


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 1:40:36 PM 5/27/2007

Listing files found while scanning....

C:\WINNT\system32\adccf.ini
C:\WINNT\system32\fccda.dll
C:\WINNT\system32\jrugeobr.ini
C:\WINNT\system32\qqrqr.bak1
C:\WINNT\system32\qqrqr.bak2
C:\WINNT\system32\qqrqr.ini
C:\WINNT\system32\rboegurj.dll
C:\WINNT\system32\rqrqq.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\adccf.ini
C:\WINNT\system32\adccf.ini Has been deleted!

Attempting to delete C:\WINNT\system32\fccda.dll
C:\WINNT\system32\fccda.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jrugeobr.ini
C:\WINNT\system32\jrugeobr.ini Has been deleted!

Attempting to delete C:\WINNT\system32\qqrqr.bak1
C:\WINNT\system32\qqrqr.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\qqrqr.bak2
C:\WINNT\system32\qqrqr.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\qqrqr.ini
C:\WINNT\system32\qqrqr.ini Has been deleted!

Attempting to delete C:\WINNT\system32\rboegurj.dll
C:\WINNT\system32\rboegurj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rqrqq.dll
C:\WINNT\system32\rqrqq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 2:01:15 PM 5/27/2007

Listing files found while scanning....

No infected files were found.
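As an added example, not part of the original post and not code from HijackThis or VundoFix: a small Python triage script that runs over a subset of the lines posted above (copied from the log; they are the only sample data). It encodes what a helper reads off such a log by eye: BHOs with no display name loading from system32, registry entries that still point at files a cleaner has already deleted, the O20 Winlogon Notify hook (winlogon loads that DLL at logon before the shell, which is why Vundo uses it for persistence), and Vundo's habit of pairing each DLL with an .ini whose name is the DLL name spelled backwards, visible in the VundoFix listing as fccda.dll/adccf.ini, rboegurj.dll/jrugeobr.ini and rqrqq.dll/qqrqr.ini. ALLOWED_NOTIFY is an assumed baseline you would fill from a clean reference machine; it is empty here.

```python
import re

# Constructed sample: a subset of the HijackThis lines from the log posted above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {219373D3-DC71-4C9D-B07A-E300DFAED95E} - C:\WINNT\system32\rqrqq.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\eovlgsbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINNT\system32\comi.dll
O20 - Winlogon Notify: urqrrsp - urqrrsp.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Constructed sample: the files VundoFix listed in the post above.
SAMPLE_VUNDOFIX = [
    r"C:\WINNT\system32\adccf.ini",
    r"C:\WINNT\system32\fccda.dll",
    r"C:\WINNT\system32\jrugeobr.ini",
    r"C:\WINNT\system32\qqrqr.bak1",
    r"C:\WINNT\system32\qqrqr.ini",
    r"C:\WINNT\system32\rboegurj.dll",
    r"C:\WINNT\system32\rqrqq.dll",
]

# Assumed baseline of Winlogon Notify DLL stems known to be legitimate on this
# build; populate it from a clean reference machine. Empty means "review all".
ALLOWED_NOTIFY = set()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
MISSING = " (file missing)"


def basename(path):
    """Last component of a Windows path (HJT prints backslash paths)."""
    return path.rsplit("\\", 1)[-1]


def stem(path):
    """Lower-cased filename without extension, e.g. 'rqrqq' for ...\\rqrqq.dll."""
    return basename(path).split(".", 1)[0].lower()


def is_anonymous(name):
    """HJT prints '(no name)' for BHOs without a display name; Vundo also uses one-character names."""
    name = name.strip()
    return name in ("", "(no name)") or len(name) <= 2


def triage_hjt(text):
    """Return suspicious O2/O20 entries, each with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            path = m["path"]
            missing = path.endswith(MISSING)
            path = path[: -len(MISSING)] if missing else path
            reasons = []
            if is_anonymous(m["name"]):
                reasons.append("no display name")
            if "\\system32\\" in path.lower():
                reasons.append("loads from system32")
            if missing:
                reasons.append("CLSID still registered but file deleted")
            # Legitimate BHOs normally carry a name and live under Program Files;
            # an anonymous one in system32, or pointing at a deleted file, is not.
            if "no display name" in reasons and len(reasons) >= 2:
                findings.append({"type": "O2", "clsid": m["clsid"], "path": path, "reasons": reasons})
            continue
        m = O20_RE.match(line)
        if m and stem(m["path"]) not in ALLOWED_NOTIFY:
            # Winlogon Notify DLLs load at logon before the shell: a persistence point.
            findings.append({"type": "O20", "clsid": m["key"], "path": m["path"].replace(MISSING, ""),
                             "reasons": ["Winlogon Notify hook not in the assumed baseline"]})
    return findings


def reversed_pairs(paths):
    """Pair each .dll with an .ini whose stem is the DLL stem reversed (a Vundo trait)."""
    by_ext = {}
    for p in paths:
        s, _, ext = basename(p).lower().partition(".")
        by_ext.setdefault(ext, set()).add(s)
    inis = by_ext.get("ini", set())
    return sorted((d, d[::-1]) for d in by_ext.get("dll", ()) if d[::-1] in inis)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f["type"], f["path"], "->", "; ".join(f["reasons"]))
    for dll, ini in reversed_pairs(SAMPLE_VUNDOFIX):
        print("reversed pair:", dll + ".dll", "<->", ini + ".ini")
```

Run stand-alone it reports the three anonymous system32 BHOs and the urqrrsp Winlogon Notify hook, while the Adobe and Spybot BHOs pass because they carry a name or live outside system32. The "(file missing)" entries are not harmless: VundoFix deleted the files but the CLSID registrations remain, so the registry keys have to go as well or a re-dropped DLL loads again without any new registry change.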

#2 C.T.D.A.F.A.R.J (Full Member, 11 posts)

Posted 28 May 2007 - 08:21 PM

I've run AVG Virus and AVG Spy as well as Norton AV, Ad-Aware, Spybot and none of them have identified what has taken over my browser. I also ran the Trend Micro HouseCall. No luck with any of them. Is there any other that is better that might be able to identify what is on my PC so I can remove it?

Thanks

#3 C.T.D.A.F.A.R.J (Full Member, 11 posts)

Posted 29 May 2007 - 08:53 AM

Never mind. Got some help from another forum. Panda found and cleaned up the mess.

Thanks.

#4 SWI Support Robot (Helper robot, SWI Bot, 23,523 posts)

Posted 30 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#5 Budfred (Malware Hound, Administrators, 21,305 posts)

Posted 30 May 2007 - 09:10 AM

It is not appreciated when people post in multiple forums about the same problem since the number of volunteers who do this work is quite limited... We do appreciate that you notified us so none of our volunteers wasted time on your issue...

Please do NOT post in other people's malware topics... In addition to possible harm you can cause, you may also delay that person receiving help...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"



