Hello Sempurna,
Posting logs from VundoFix, OTMoveIt, Dr Web CureIt scans. Actually I had uninstalled McAfee when it failed to remove the viruses/trojans that infected my computer. I tried running McAfee VirusScan in DOS / SAFE mode, which said it deleted all viruses/trojans, but when I rebooted in Normal mode, the viruses were coming back and disabling McAfee. Hence I had uninstalled it. Now I have installed it again and finally took a HJT scan. I did not install Active Virus Shield. I am planning to upgrade to McAfee Internet Security (or Panda Internet Security as it is cheaper), let me know if that is a bad idea.
===== VundoFix log =======
VundoFix V6.3.9
Checking Java version...
Sun Java not detected
Scan started at 7:27:51 PM 2/22/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
=======end of VundoFix log ============
===== OTMoveIt log =======
File/Folder C:\WINDOWS\system32\svchosts.exe not found.
File/Folder C:\WINDOWS\system32\dxdlg32.exe not found.
File/Folder C:\WINDOWS\system32\kernels88.exe not found.
C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001} moved successfully.
File/Folder C:\Windows\xpupdate.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q6.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q7.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q6.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q7.exe not found.
File/Folder C:\WINDOWS\system32\ideoept.dll not found.
File/Folder C:\WINDOWS\system32\adirss.exe not found.
LoadLibrary failed for C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\a3dxq.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\a3dxq.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll NOT unregistered.
File move failed. C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\System32\wins\DLLHOST.EXE not found.
File/Folder C:\WINDOWS\System32\wins\svchost.exe not found.
C:\WINDOWS\System32\wins moved successfully.
Created on 02/22/2007 19:58:35
===== End of OTMoveIt log =======
===== Dr Web CureIt log =======
msnetax.dll;c:\windows\system32;Trojan.Sender;Deleted.;
wuauclt.exe;c:\windows\temp;Trojan.DownLoader.18510;Deleted.;
exe.exe;C:\;Trojan.Proxy.1390;Deleted.;
svchost2.exe;C:\;Trojan.AVKill.252;Deleted.;
setup[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BCVDC12O;Trojan.Packed.32;Deleted.;
ma[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\10XDBVKI;Trojan.Packed.32;Deleted.;
rproxy[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\10XDBVKI;Trojan.Proxy.1390;Deleted.;
pp[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1HCG86S;Trojan.Packed.32;Deleted.;
Yazzle1122OinAdmin.exe\data001;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.ClickSpring;;
Yazzle1122OinAdmin.exe;C:\Program Files\Common Files;Archive contains infected objects;Moved.;
system.dll;C:\Program Files\Common Files\{1417BE8B-0A20-1033-0916-031025200001};Trojan.DownLoader.17799;Deleted.;
Uninstall.exe;C:\Program Files\SpySheriff;Adware.Spysheriff;Renamed.;
system.dll;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.17799;Deleted.;
xxee;C:\RECYCLER\S-1-5-18\Dc4;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc5;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc6;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc7;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc8;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc9;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc1;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc2;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc3;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc4;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc6;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc7;Trojan.DownLoader.17799;Deleted.;
xpupdate.vxe;C:\WINDOWS;Trojan.Packed.30;Deleted.;
dd.exe;C:\WINDOWS\system32;Trojan.Packed.31;Deleted.;
dlh9jkd1q2.vxe;C:\WINDOWS\system32;Trojan.Packed.30;Deleted.;
setup.exe;C:\WINDOWS\system32;Trojan.Packed.32;Deleted.;
sm.exe;C:\WINDOWS\system32;Trojan.Packed.31;Deleted.;
wsys.dll;C:\WINDOWS\system32;Trojan.MulDrop.5450;Will be cured after reboot.;
cel90xbe.sys;C:\WINDOWS\temp;Trojan.NtRootKit.206;Will be cured after reboot.;
winsys2f.dll;C:\_OTMoveIt\MovedFiles\Documents and Settings\All Users\Documents\Settings;BackDoor.Uragan;Deleted.;
system.dll;C:\_OTMoveIt\MovedFiles\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001};Trojan.DownLoader.17799;Deleted.;
===== End of Dr Web CureIt log =======
Reinstalled McAfee VirusScan...
=== HJT log after Mcafee VirusScan reinstallation =======
Logfile of HijackThis v1.99.1
Scan saved at 11:09:18 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\zHotkey.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\NZSearch\nzspc.exe
C:\WINDOWS\FNTS~1\chkdsk.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\tools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: (no name) - {8049C913-2385-5D21-8848-2A909BA33FE9} - C:\WINDOWS\system32\gka.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Usrr] "C:\WINDOWS\FNTS~1\chkdsk.exe" -vt yazb
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
================
Computer seems to be okay now, let me know if there are any further steps I need to take (should I use Active Virus Shield rather than McAfee?). Thanks!