
Hi and welcome to Malwarebytes. Please follow these instructions:

Removal:

1) Download Malwarebytes' RogueRemover Free or Malwarebytes' RogueRemover PRO from one of these links.

Malwarebytes' RogueRemover Free - http://www.malwarebytes.org/rogueremover.php

Malwarebytes' RogueRemover PRO - http://www.malwarebytes.org/rogueremoverpro.php

2) Install it and start it up.

3) Press Check for Updates

4) It will tell you that there is a newer version of the database. Press Download.

5) Go back to the main screen and press Scan

6) If an infection is found, remove all objects found.

Then post a log as a reply to this post, using this program: http://www.trendsecure.com/portal/en-US/th...p?page=download. From that log we can be sure you are infection free.


I can't upload files. Here it is copied from the Excel file.

Virus Scan Logs 7/5/2007 BASEMENT2

Time Security Feature Source Type Virus Name File Name First Action Second Action

15:58 Manual Scan File JAVA_STREAM.AA Matrix.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\6.0\12\7599fd0c-20e313c4) Quarantine Fail

15:58 Manual Scan File JAVA_BYTEVER.C Counter.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\6.0\12\7599fd0c-20e313c4) Quarantine Fail

15:58 Manual Scan File JAVA_BYTEVER.A Parser.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\6.0\12\7599fd0c-20e313c4) Quarantine Fail

15:58 Manual Scan File JAVA_BYTEVER.A Dummy.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\6.0\12\7599fd0c-20e313c4) Quarantine Fail

15:58 Manual Scan File --- C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\6.0\12\7599fd0c-20e313c4 Quarantine Success

15:58 Manual Scan File JAVA_BYTEVER.DE C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-37cb8dd2-1800c17f.class Quarantine Success

15:58 Manual Scan File JAVA_STREAM.AA Matrix.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv605.jar-1fe3f9bf-32d1b5b5.zip) Quarantine Fail

15:58 Manual Scan File JAVA_BYTEVER.C Counter.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv605.jar-1fe3f9bf-32d1b5b5.zip) Quarantine Fail

15:58 Manual Scan File JAVA_BYTEVER.A Dummy.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv605.jar-1fe3f9bf-32d1b5b5.zip) Quarantine Fail

15:58 Manual Scan File JAVA_BYTEVER.A Parser.class (C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv605.jar-1fe3f9bf-32d1b5b5.zip) Quarantine Fail

15:58 Manual Scan File --- C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv605.jar-1fe3f9bf-32d1b5b5.zip Quarantine Success

16:14 File Monitor File WORM_SPYBOT.AVT C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP692\A0127004.exe Quarantine Success

16:18 Manual Scan File TROJ_Generic C:\Program Files\CureROM\C15EB51F.exe Quarantine Success

16:43 Manual Scan File TROJ_ZLOB.EAW C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP633\A0116580.exe Quarantine Success

16:43 Manual Scan File TROJ_ZLOB.BVP C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP633\A0116581.dll Quarantine Success

16:46 Manual Scan File TROJ_Generic C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP693\A0127020.exe Quarantine Success

16:59 Manual Scan File TROJ_FAKEALRT.N C:\WINDOWS\system32\1024\ld4E58.tmp Quarantine Success

17:00 Manual Scan File Possible_Zlob C:\WINDOWS\system32\ld101.tmp None Taken


The log you need to post is from the program in the initial instructions you were given. Use the save file function in the program. Do not save it in any other format. Copy and paste it as a reply in this thread.

What is this log you posted from?


The link you gave me has been shortened and gives me an error page. http://www.trendsecure.com/portal/en-US/th...p?page=download

I followed it back to the TrendSecure website and to this page http://www.trendsecure.com/portal/en-US/do...ad/download.php

From there I downloaded Trend Micro Internet Security 2007 [PC-cillin]. I looked over the site again and found this program http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download which matches the shortened URL.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:32:57 PM, on 7/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\hphmon06.exe

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\ALCMTR.EXE

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\svchost.exe

C:\DOCUME~1\Colin\LOCALS~1\Temp\bwgo0000b1ac.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 85.17.40.71 oink.me.uk

O1 - Hosts: 85.17.40.69 tracker.oink.me.uk

O1 - Hosts: 85.17.40.70 irc.oink.me.uk

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll (file missing)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [spywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe /h

O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\aldknasd\Program\Updates from HP.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O17 - HKLM\System\CCS\Services\Tcpip\..\{137CB8D5-AA44-40E8-AD94-DA2BF980DD65}: NameServer = 71.243.0.12,71.250.0.12

O17 - HKLM\System\CCS\Services\Tcpip\..\{401C9CD0-868F-4C0B-8CC3-CE5362899864}: NameServer = 71.243.0.12,71.250.0.12

O17 - HKLM\System\CS1\Services\Tcpip\..\{137CB8D5-AA44-40E8-AD94-DA2BF980DD65}: NameServer = 71.243.0.12,71.250.0.12

O22 - SharedTaskScheduler: coronally - {1b17f1db-790e-4d42-8e0c-d4d19123ee5b} - C:\WINDOWS\system32\xnvaogd.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Lan Discover Agent (magaService) - Unknown owner - c:\Program Files\Sygate\SSA\maga\maga.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--

End of file - 8571 bytes


They just released the program as a non-beta, which probably broke the link we have been using. That is the program you need to get; be sure you put it into a folder on your hard drive. Then run the scan and post the log here. Did you update RogueRemover before you did a scan? Where is the other log you posted from?


Run the HijackThis program again and put a check next to this line:

O22 - SharedTaskScheduler: coronally - {1b17f1db-790e-4d42-8e0c-d4d19123ee5b} - C:\WINDOWS\system32\xnvaogd.dll

Reboot and see if that does it. It should fix your problem. If not let me know.

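The helper above picked the O22 SharedTaskScheduler line out of the posted log by eye. As an added example that is not part of this thread, the script below applies that kind of first-pass review to lines copied from the HijackThis log: it flags hosts-file entries that point a name at a non-loopback address, autoruns under Policies\Explorer\Run, SharedTaskScheduler DLLs, orphaned "(file missing)" entries, and processes started from a Temp directory. The rule set and the `triage` function are this example's own, not HijackThis's.

```python
import re
from typing import List, Tuple

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\DOCUME~1\Colin\LOCALS~1\Temp\bwgo0000b1ac.exe
O1 - Hosts: 85.17.40.71 oink.me.uk
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O22 - SharedTaskScheduler: coronally - {1b17f1db-790e-4d42-8e0c-d4d19123ee5b} - C:\WINDOWS\system32\xnvaogd.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # "O4 - <body>" style entries
PATH_RE = re.compile(r"^[A-Za-z]:\\")             # bare paths from the "Running processes" list
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for the entries a reviewer should look at first."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            # Not a numbered entry: flag processes started from a Temp directory.
            if PATH_RE.match(line) and "\\temp\\" in line.lower():
                hits.append(("process", "running from a Temp directory", line))
            continue
        section, body = m.groups()
        if section == "O1":
            # Hosts entries that point a name at a real address rather than loopback blocking.
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                hits.append((section, "hosts file maps a name to a non-loopback address", line))
        elif section == "O4" and "\\Policies\\Explorer\\Run" in body:
            hits.append((section, "autorun via Policies\\Explorer\\Run, unusual for legitimate software", line))
        elif section == "O22":
            hits.append((section, "SharedTaskScheduler DLL; verify the file's publisher", line))
        elif "(file missing)" in body:
            hits.append((section, "orphaned entry, can be cleaned up", line))
    return hits


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```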

Your Java Runtime is not the current version; you should update it for security reasons. Since this issue appears to be resolved I will now close this thread. Should you require further assistance, send a PM to a moderator or administrator and we can reopen the topic.
