Tech Support Forum - View Single Post

tetonbob · 09-27-2006, 08:56 PM

You appear to have run combofix three times:

Completion time: 27/09/2006 15:35:27.07
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Please post the other two logs, ComboFix2.txt and ComboFix3.txt at the end of this fix.

Please go to: VirusTotal

At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:

C:\redir.sys
Click "Open".
Then click the "Send" button at the top of the VirusTotal page.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Then repeat as above for the following files in BOLD:

C:\WINDOWS\system32\VchReg.dll

C:\WINDOWS\unvise32qt.exe

I see you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix.

Run Ewido

From the main ewido screen, click on update, then click the Start
update button.
After the update finishes (the status bar at the bottom will display "Update
successful")
select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Exit Ewido. DO NOT scan yet.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0D93E5DB-660E-46D9-8C32-16A54007E21E} - (no file)
O2 - BHO: (no name) - {313E76EF-4AC1-4174-9F5A-6210B32AD8DF} - (no file)
O2 - BHO: (no name) - {79EEA737-C949-415D-89A2-29ECF9118851} - (no file)
O2 - BHO: (no name) - {810280A0-A5AA-487F-842F-D3EBDC258236} - (no file)
O2 - BHO: (no name) - {85B75BBE-C184-47FA-BE59-E7D85B3E96DF} - (no file)
O2 - BHO: (no name) - {A9F75427-139B-4A82-B143-62A57ABC897E} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {D8784CA3-8CE8-4134-B478-152630B57F82} - (no file)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WinMediaCodec

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\WINDOWS\system32\hdgcynuc.dll
C:\WINDOWS\system32\urutiaxa.exe
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\ddcyw.dll
C:\jswudopx.bat
C:\WINDOWS\system32\jkhhe.dll
C:\jswudopx.exe
C:\oorwopjo.exe
C:\dlkvnr.exe
C:\Program Files\WinMediaCodec

---------------------------------------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8 - http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

ComboFix2.txt and ComboFix3.txt
VirusTotal
Ewido
Panda
HJT

09-27-2006, 08:56 PM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	You appear to have run combofix three times: Completion time: 27/09/2006 15:35:27.07 ComboFix.txt ComboFix2.txt ComboFix3.txt Please post the other two logs, ComboFix2.txt and ComboFix3.txt at the end of this fix. Please go to: VirusTotal At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD: C:\redir.sys Click "Open". Then click the "Send" button at the top of the VirusTotal page. This will scan the file. Please be patient. Once scanned, copy and paste the results in your next reply. Then repeat as above for the following files in BOLD: C:\WINDOWS\system32\VchReg.dll C:\WINDOWS\unvise32qt.exe I see you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix. Run Ewido From the main ewido screen, click on update, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Exit Ewido. DO NOT scan yet. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O2 - BHO: (no name) - {0D93E5DB-660E-46D9-8C32-16A54007E21E} - (no file) O2 - BHO: (no name) - {313E76EF-4AC1-4174-9F5A-6210B32AD8DF} - (no file) O2 - BHO: (no name) - {79EEA737-C949-415D-89A2-29ECF9118851} - (no file) O2 - BHO: (no name) - {810280A0-A5AA-487F-842F-D3EBDC258236} - (no file) O2 - BHO: (no name) - {85B75BBE-C184-47FA-BE59-E7D85B3E96DF} - (no file) O2 - BHO: (no name) - {A9F75427-139B-4A82-B143-62A57ABC897E} - (no file) O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file) O2 - BHO: (no name) - {D8784CA3-8CE8-4134-B478-152630B57F82} - (no file) Close HijackThis now. --------------------------------------------------------------------------------------------- Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: WinMediaCodec --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following if they exist: C:\WINDOWS\system32\hdgcynuc.dll C:\WINDOWS\system32\urutiaxa.exe C:\WINDOWS\system32\vturq.dll C:\WINDOWS\system32\ddccc.dll C:\WINDOWS\system32\ddcyw.dll C:\jswudopx.bat C:\WINDOWS\system32\jkhhe.dll C:\jswudopx.exe C:\oorwopjo.exe C:\dlkvnr.exe C:\Program Files\WinMediaCodec --------------------------------------------------------------------------------------------- Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. --------------------------------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8 - http://java.sun.com/javase/downloads/index.jsp Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "*Accept* License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version. --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please return with results from: ComboFix2.txt and ComboFix3.txt VirusTotal Ewido Panda HJT __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009