
#### oosoulstaroo

##### Registered
8 Posts · Discussion Starter
OK, so, my computer has recently got the Vundo virus and the WinFixer/WinAntiSpyware/KPSN viruses or trojans. I've tried to get rid of them by scanning with Ad-Aware, Spybot, Norton, and Trend Micro. Norton detects some Vundo files but cannot get rid of them. Following is my scan log from HijackThis.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05

***Security Programs Detected***

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:35:32 PM, on 10/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\tppaldr.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINNT\CY_BG.EXE
C:\WINNT\system32\tbctray.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\rqrsq.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\hgdbb.dll
O2 - BHO: (no name) - {E0AB978F-56AB-465D-9ACD-4E29DAC7BE28} - blank (file missing)
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
O4 - HKLM\..\Run: [odbckey] C:\WINNT\repair\odbckey.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124243808603
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: hgdbb - C:\WINNT\system32\hgdbb.dll
O20 - Winlogon Notify: rqrsq - C:\WINNT\SYSTEM32\rqrsq.dll
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thanks in advance for any help you can give me. As instructed in the forums, and as you can see, I have used the HijackThis Analyzer.

Thanks again.

#### sUBs

##### TSF Security Team, Emeritus
26,363 Posts
Please print these instructions out for use in Safe Mode.

Reboot your computer into Safe Mode.
Restart your computer, continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
At the introductory screen, press <Enter> to proceed.
• C:\WINNT\SYSTEM32\rqrsq.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):
• C:\WINNT\SYSTEM32\qsrqr.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

The fix will run, then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
• R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
• R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
• R3 - Default URLSearchHook is missing
• O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\rqrsq.dll
• O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\hgdbb.dll
• O2 - BHO: (no name) - {E0AB978F-56AB-465D-9ACD-4E29DAC7BE28} - blank (file missing)
• O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
• O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
• O4 - HKLM\..\Run: [odbckey] C:\WINNT\repair\odbckey.exe
• O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
• O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
• O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
• O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
• O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/am....1.11_en_dl.cab
• O20 - Winlogon Notify: hgdbb - C:\WINNT\system32\hgdbb.dll
• O20 - Winlogon Notify: rqrsq - C:\WINNT\SYSTEM32\rqrsq.dll
After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

1st filepath - C:\WINNT\system32\hgdbb.dll

2nd filepath - C:\WINNT\system32\bbdgh.*

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

After rebooting, continue with the instructions below.

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
• Weatherbug
• ViewPoint
• WildTangent

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools > Folder Options > View tab.
• Tick - Show hidden files and folders
• Untick - Hide file extensions for known file types
• Untick - Hide protected operating system files
Click Yes to confirm, then click OK.

Locate and delete the following folders, if present:
• C:\Program Files\Viewpoint\
• C:\Program Files\WildTangent\
• C:\Program Files\AWS\
Locate and delete the following files:
• C:\WINNT\CY_BG.EXE
• C:\WINNT\repair\odbckey.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
• Empty Recycle Bins
• Delete Prefetch files
• Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Then, perform an online scan using Internet Explorer with Panda ActiveScan.
1. Click Scan your PC and a pop-up window will appear. *Ensure that your pop-up blocker doesn't block it.
2. Click Scan Now.
Begin the scan by selecting My Computer.
• If it finds any malware, it will offer you a report.
• Click on See report. Then click Save report.

Copy the results of the ActiveScan and paste them into this topic, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder.

#### oosoulstaroo

##### Registered
8 Posts · Discussion Starter
Alright, so... it didn't quite work. What happened was I went into Safe Mode.

Afterwards I used the KillVundo.bat file and typed in the filepaths. After entering the second path, it gave me a message saying that the filepaths could not be found. I know that the problem files are hgdbb and rqrsq.dll because of the scan I did with Norton AntiVirus. So... I dunno. What should I do next?

#### Ried

##### TSF Security Manager, Emeritus
42,837 Posts
Hello oosoulstaroo,

Try entering the second file this way: C:\WINNT\system32\bbdgh.dll
Copy/paste if you must; this needs to be exact.

#### oosoulstaroo

##### Registered
8 Posts · Discussion Starter
Well, I tried that and it still didn't work. Maybe I should put the filepaths as C:\WINNT\SYSTEM32\rqrsq.dll and C:\WINNT\SYSTEM32\hgdbb.dll, since those are the files that come up as problem files in my antivirus scans.

I'm not going to do it until I hear from you guys. I don't want to damage the system.

#### Ried

##### TSF Security Manager, Emeritus
42,837 Posts
I understand your reasoning there, but the second entry needs to be the same file as the first, only spelled backwards, so entering 2 different files won't help. :smile:

Repeat sUBs' instructions for both of those files as laid out by him, but use the extension .dll instead of the asterisk. If it still gives you an error that the path is invalid, just continue with the rest of the fix as laid out by sUBs.
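As an added illustration (not part of the thread, nor code from HijackThis or VundoFix), the following script applies the reasoning above to a HijackThis log: it picks out the O2 (BHO) and O20 (Winlogon Notify) entries, flags a DLL registered in both roles, and derives the reversed-name companion path that KillVundo asks for as its second filepath. The sample log lines are constructed from the entries posted in this thread.

```python
"""Triage helper for the Vundo pattern in this thread's HijackThis logs (added example)."""
import ntpath
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\rqrsq.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\hgdbb.dll
O2 - BHO: (no name) - {E0AB978F-56AB-465D-9ACD-4E29DAC7BE28} - blank (file missing)
O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: hgdbb - C:\WINNT\system32\hgdbb.dll
O20 - Winlogon Notify: rqrsq - C:\WINNT\SYSTEM32\rqrsq.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Return one dict per O2 (BHO) and O20 (Winlogon Notify) line; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("BHO", O2_RE), ("WinlogonNotify", O20_RE)):
            m = rx.match(line)
            if not m:
                continue
            path = m.group("path")
            missing = path.endswith(MISSING)          # registry entry left behind, file gone
            if missing:
                path = path[: -len(MISSING)].strip()
            entries.append({"kind": kind, "name": m.group("name"), "path": path,
                            "file_missing": missing, "line": line})
    return entries


def vundo_suspects(entries):
    """DLLs registered both as a BHO and as a Winlogon Notify package.

    The Notify registration loads the DLL into winlogon.exe at logon, so the file is
    in use for the whole session; that is why the removal has to run in Safe Mode.
    Keyed by lower-cased file name so 'system32' and 'SYSTEM32' spellings match.
    """
    by_dll = {}
    for e in entries:
        base = ntpath.basename(e["path"]).lower()
        if not base.endswith(".dll"):
            continue
        rec = by_dll.setdefault(base, {"roles": set(), "path": e["path"]})
        rec["roles"].add(e["kind"])
        if "\\" not in rec["path"] and "\\" in e["path"]:   # prefer a full path over a bare name
            rec["path"] = e["path"]
    return {b: r for b, r in by_dll.items() if {"BHO", "WinlogonNotify"} <= r["roles"]}


def companion_path(path):
    """VundoFix's second filepath: same folder, base name spelled backwards, any extension.

    Vundo keeps a companion file named as the first one reversed (rqrsq -> qsrqr), which
    is why the second entry must be the same file reversed rather than a different DLL.
    """
    folder, fname = ntpath.split(path)
    stem, _ext = ntpath.splitext(fname)
    return ntpath.join(folder, stem[::-1] + ".*")


def fix_plan(entries):
    """Build the two lists a helper posts: KillVundo file pairs and HijackThis lines to fix."""
    suspects = vundo_suspects(entries)
    killvundo = [(r["path"], companion_path(r["path"])) for r in suspects.values()]
    hjt_fix = [e["line"] for e in entries
               if ntpath.basename(e["path"]).lower() in suspects or e["file_missing"]]
    return {"killvundo": killvundo, "hjt_fix": hjt_fix}


if __name__ == "__main__":
    plan = fix_plan(parse_hjt(SAMPLE_LOG))
    for first, second in plan["killvundo"]:
        print(f"KillVundo: 1st {first}  2nd {second}")
    for line in plan["hjt_fix"]:
        print("HJT fix:", line)
```

Run against a full log, the `hjt_fix` list is the set of O2/O20 lines to check in HijackThis, and each `killvundo` pair is one first/second filepath round in KillVundo.bat.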

#### sUBs

##### TSF Security Team, Emeritus
26,363 Posts
Please post a new HJT log.

#### oosoulstaroo

##### Registered
8 Posts · Discussion Starter
Here's my new HJT log. I just posted a new log; I didn't do what Ried said yet.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05

***Security Programs Detected***

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:54:41 PM, on 10/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\tppaldr.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINNT\CY_BG.EXE
C:\WINNT\system32\tbctray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\rqrsq.dll (file missing)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\hgdbb.dll
O2 - BHO: (no name) - {E0AB978F-56AB-465D-9ACD-4E29DAC7BE28} - blank (file missing)
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
O4 - HKLM\..\Run: [odbckey] C:\WINNT\repair\odbckey.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124243808603
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: hgdbb - C:\WINNT\system32\hgdbb.dll
O20 - Winlogon Notify: rqrsq - rqrsq.dll (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

End of KRC HijackThis Analyzer Log.
====================================================================

#### sUBs

##### TSF Security Team, Emeritus
26,363 Posts
One of the file sets seems to have been deleted. This makes our work easier.

Reboot your computer into Safe Mode.
Restart your computer, continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
At the introductory screen, press <Enter> to proceed.
• C:\WINNT\system32\hgdbb.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):
• C:\WINNT\system32\bbdgh.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

The fix will run, then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
• R3 - Default URLSearchHook is missing
• O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\rqrsq.dll (file missing)
• O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\hgdbb.dll
• O2 - BHO: (no name) - {E0AB978F-56AB-465D-9ACD-4E29DAC7BE28} - blank (file missing)
• O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
• O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
• O4 - HKLM\..\Run: [odbckey] C:\WINNT\repair\odbckey.exe
• O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
• O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
• O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
• O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
• O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
• O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
• O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/am....1.11_en_dl.cab
• O20 - Winlogon Notify: hgdbb - C:\WINNT\system32\hgdbb.dll
• O20 - Winlogon Notify: rqrsq - rqrsq.dll (file missing)
After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

After rebooting, continue with the instructions below.

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
• Weatherbug
• ViewPoint
• WildTangent
• VVSN

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools > Folder Options > View tab.
• Tick - Show hidden files and folders
• Untick - Hide file extensions for known file types
• Untick - Hide protected operating system files
Click Yes to confirm, then click OK.

Locate and delete the following folders, if present:
• C:\Program Files\Viewpoint\
• C:\Program Files\WildTangent\
• C:\Program Files\VVSN\
• C:\Program Files\AWS\
Locate and delete the following files:
• C:\WINNT\CY_BG.EXE
• C:\WINNT\repair\odbckey.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
• Empty Recycle Bins
• Delete Prefetch files
• Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Then, perform an online scan using Internet Explorer with Panda ActiveScan.
1. Click Scan your PC and a pop-up window will appear. *Ensure that your pop-up blocker doesn't block it.
2. Click Scan Now.
Begin the scan by selecting My Computer.
• If it finds any malware, it will offer you a report.
• Click on See report. Then click Save report.

Copy the results of the ActiveScan and paste them into this topic, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder.

#### oosoulstaroo

##### Registered
8 Posts · Discussion Starter
Here are the new scan logs.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05

***Security Programs Detected***

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:01:37 PM, on 10/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\tppaldr.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINNT\system32\tbctray.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [odbckey] C:\WINNT\repair\odbckey.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124243808603
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Incident Status Location

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Suspending PID 136 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Killing PID 520 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Killing PID 184 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.

#### sUBs

##### TSF Security Team, Emeritus
26,363 Posts
Uninstall these programs if present, using Add/Remove programs:

180Solutions
VVSN
WildTangent

Have HijackThis fix these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [odbckey] C:\WINNT\repair\odbckey.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINNT\CY_BG.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

Delete these files/folders:

C:\WINNT\repair\odbckey.exe
C:\Program Files\Viewpoint\
C:\WINNT\CY_BG.EXE
C:\Program Files\VVSN\
C:\Program Files\WildTangent\

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

• Double-click the tmas-web-scan.exe icon.
• Click "Start Scan".
• After it's done scanning, click "Scan Results".
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again, using the TrendMicro tool. I need the log from the second scan/clean, NOT the first, as this will contain what's left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log"; please double-click that log, copy the entire contents and paste them here.