Trojan-downloader.conhook

soidog2
edited December 2007 in Malware talk

Hello everybody !


Somehow my laptop is infected with what "PC Tools Spyware Doctor" calls Trojan-Downloader.ConHook.


Bitdefender 2008 does not see it.


The symptoms are as follows: at startup some program or ****** overrules the privacy setting in "Internet Options" and allows all cookies.


Left unchecked, it tries to open all kinds of web pages and download all kinds of Trojans etc.


The following suspect registry values recreate themselves after deletion.


Threat Name - Trojan-Downloader.ConHook
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-3213442940-3722362377-2370026465-1004\Software\Microsoft\MS Juan

Threat Name - Trojan-Downloader.ConHook
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-3213442940-3722362377-2370026465-1004\Software\Microsoft\MS Juan, (Default)


Please help me remove this pest !


I will post the HijackThis log next.


Thanks

Attachment: hijackthis.rar

Comments

  • Next time, simply paste the content of the log here. If you attach the file on Malware talk, only mods/sm/vr will be able to download it.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:21:19 PM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apvfb.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\system32\mqsvc.exe
    D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =  Internet Explorer provided by Andrei
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Zoom &In  - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
    O8 - Extra context menu item: Zoom &Out  - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - D:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121775805920
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136462966394
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Spyware Doctor\swdsvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 8091 bytes


  • Next time, simply paste the content of the log here. If you attach the file on Malware talk, only mods/sm/vr will be able to download it.


    Thanks, how about some suggestions on how to deal with the above !

  • Hi,


    I think you have got a ConHook variant which hides itself from HijackThis, as I can't find any suspicious entry.


    1. Try VundoFix first (instructions given below).


    Download VundoFix by Atribune to your desktop.

    • Double-click VundoFix.exe to run it.
    • When VundoFix opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the instructions above, starting from "Click the Scan for Vundo button", when VundoFix appears at reboot.


    2. Then run HijackThis, close all open windows, run a scan, check the following entry and click on Fix:


    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)


    This one looks to me like it can be fixed also:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Andrei


    3. Please post the contents of C:\vundofix.txt and a new HiJackThis log in this thread.


    In case you have removed the infection and don't want to post the result, remove VundoFix and its .txt file from your system.


  • Hi,


    I think you have got a ConHook variant which hides itself from HijackThis, as I can't find any suspicious entry.


    Will do and post

  • soidog2
    edited December 2007


    Hi,


    I think you have got a ConHook variant which hides itself from HijackThis, as I can't find any suspicious entry.


    1. Try VundoFix first (instructions given below).


    As you will see below, VundoFix found a few files and fixed them; together with HijackThis, the infestation might have been stopped.


    Thanks, give me a few days to make sure.


    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.4.2.5
    Old versions of java are exploitable and should be removed.

    Scan started at 6:50:15 PM 12/29/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ciytkdgw.dll
    C:\WINDOWS\system32\dqdoaxkk.ini
    C:\WINDOWS\system32\fmlhjhtp.dll
    C:\WINDOWS\system32\gteertqy.dll
    C:\WINDOWS\system32\hiqlaoyk.dll
    C:\WINDOWS\system32\kkxaodqd.dll
    C:\WINDOWS\system32\ljhfe.dll
    C:\WINDOWS\system32\nohvbchm.dll
    C:\WINDOWS\system32\otbmaaeh.dll
    C:\WINDOWS\system32\pthjhlmf.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ciytkdgw.dll
    C:\WINDOWS\system32\ciytkdgw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dqdoaxkk.ini
    C:\WINDOWS\system32\dqdoaxkk.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fmlhjhtp.dll
    C:\WINDOWS\system32\fmlhjhtp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gteertqy.dll
    C:\WINDOWS\system32\gteertqy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hiqlaoyk.dll
    C:\WINDOWS\system32\hiqlaoyk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kkxaodqd.dll
    C:\WINDOWS\system32\kkxaodqd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ljhfe.dll
    C:\WINDOWS\system32\ljhfe.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nohvbchm.dll
    C:\WINDOWS\system32\nohvbchm.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\otbmaaeh.dll
    C:\WINDOWS\system32\otbmaaeh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pthjhlmf.ini
    C:\WINDOWS\system32\pthjhlmf.ini Has been deleted!

    Performing Repairs to the registry.

    Done!

  • soidog2
    edited December 2007

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:54:01 PM, on 12/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apvfb.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\system32\mqsvc.exe
    D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {15F4A2B3-3119-4658-98E2-EB7B3C53DCDD} - C:\WINDOWS\system32\ljhfe.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
    O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - D:\Program Files\Core Services\Inline Search\InlineSearch.dll
    O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll
    O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - D:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [bDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Zoom &In - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
    O8 - Extra context menu item: Zoom &Out - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - D:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121775805920
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136462966394
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Spyware Doctor\swdsvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 8840 bytes

  • farbar
    edited December 2007

    Good work. Your HijackThis log is much better now. It is showing the BHO items and the infected (and removed) Winlogon.


    But to make sure I suggest the following steps:


    · Remove old Java versions due to security vulnerability. Go to Start - Control Panel - Add or Remove Programs and uninstall/remove all old versions of Java (Java versions 1.4.2.3 and 1.4.2.5).


    · Find the "hoksfkyw.dll" (C:\WINDOWS\system32\hoksfkyw.dll). It may be hidden. Unhide it by going to Start - Control Panel - Folder Options - View: check "Display the contents of system folders", check "Show hidden files and folders", uncheck "Hide extensions for known file types", click on Apply.


    · Please make a copy, zip it password protected (password: "infected") and send it to a new topic. It helps future prevention when it is added to the database. Read this for more information.


    · Close all windows including this one. Run HijackThis, click "Do a system scan only", check the following item and click on "Fix checked".


    O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll



    · Then check if the file is removed. If the file is not removed it may be in use. In that case go to safe mode and remove "hoksfkyw.dll" manually.


    · Run VundoBeGone to scan your computer. To do that:


    1. Click here to download VundoBeGone and place it on your desktop.


    2. Run VundoBeGone.exe and follow the instructions. It finishes and restarts the computer; you may experience a BSOD (blue screen), this is normal.


    Restart the computer manually if needed.


    When it finishes it creates a log, VirtumundoBegone (VBG.txt), on your desktop.


    Please post the log with a new HijackThis log.



    At the next step, when your system is totally clean, we fix the leftover items in HijackThis.
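Added example, not code from this thread, HijackThis or VundoFix: it mechanises the two things the helper did by eye above. It flags O2/O3/O20 lines whose target file is missing or whose display name is a bare CLSID (as with hoksfkyw.dll), and it pairs the .ini and .dll names in the VundoFix listing whose base names are spelled backwards from each other (dqdoaxkk.ini beside kkxaodqd.dll, pthjhlmf.ini beside fmlhjhtp.dll). The sample inputs are constructed from lines that appear in the logs posted in this thread.

```python
"""Triage helpers for the HijackThis and VundoFix output posted in this thread.

Added example (not code from the thread, HijackThis or VundoFix). The sample
inputs below are constructed from lines that appear in the logs above.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: eight lines lifted from the HijackThis logs in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F4A2B3-3119-4658-98E2-EB7B3C53DCDD} - C:\WINDOWS\system32\ljhfe.dll (file missing)
O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
""".strip()

# Constructed sample: part of the file list from the first VundoFix run posted above.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\ciytkdgw.dll",
    r"C:\WINDOWS\system32\dqdoaxkk.ini",
    r"C:\WINDOWS\system32\fmlhjhtp.dll",
    r"C:\WINDOWS\system32\kkxaodqd.dll",
    r"C:\WINDOWS\system32\ljhfe.dll",
    r"C:\WINDOWS\system32\pthjhlmf.ini",
]

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
MISSING = ("(no file)", "(file missing)")


def triage_hjt_log(text):
    """Return (line_no, section, reason) for O2/O3/O20 entries worth a second look.

    O2 = browser helper objects, O3 = IE toolbars, O20 = Winlogon Notify DLLs:
    the three sections in which the entries discussed in this thread appeared.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, _kind, rest = m.groups()
        if section == "O20":
            # "name - file.dll [(file missing)]"
            name, _, target = rest.partition(" - ")
        elif section in ("O2", "O3"):
            # "display name - {CLSID} - path [(file missing)]" or "... - (no file)"
            parts = rest.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, _clsid, target = parts
        else:
            continue
        if target.endswith(MISSING):
            # The registration survives but its DLL is gone: an orphan HijackThis can fix.
            findings.append((line_no, section, "orphaned registration: target file is missing"))
        if CLSID_RE.match(name):
            # A BHO whose display name is itself a GUID has no product behind it.
            findings.append((line_no, section, "display name is a bare CLSID"))
        elif name == "(no name)":
            findings.append((line_no, section, "unnamed entry"))
    return findings


def pair_mirrored_names(paths):
    """Map each .dll to the .ini whose base name is the .dll base name spelled backwards.

    Pairing the reversed names shows which of the files VundoFix listed belong
    together, so a leftover .ini points at the DLL that went with it.
    """
    inis = {PureWindowsPath(p).stem.lower(): p for p in paths if p.lower().endswith(".ini")}
    pairs = {}
    for p in paths:
        if p.lower().endswith(".dll"):
            mirror = PureWindowsPath(p).stem.lower()[::-1]
            if mirror in inis:
                pairs[p] = inis[mirror]
    return pairs


if __name__ == "__main__":
    for line_no, section, reason in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"line {line_no} [{section}]: {reason}")
    for dll, ini in pair_mirrored_names(SAMPLE_VUNDOFIX_FILES).items():
        print(f"{dll} <-> {ini}")
```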


  • soidog2
    edited December 2007


    Good work. Your HijackThis log is much better now. It is showing the BHO items and the infected (and removed) Winlogon.


    But to make sure I suggest the following steps:


    · Remove old Java versions due to security vulnerability. Go to Start - Control Panel - Add or Remove Programs and uninstall/remove all old versions of Java (Java versions 1.4.2.3 and 1.4.2.5).


    · Find the "hoksfkyw.dll" (C:\WINDOWS\system32\hoksfkyw.dll). It may be hidden. Unhide it by going to Start - Control Panel - Folder Options - View: check "Display the contents of system folders", check "Show hidden files and folders", uncheck "Hide extensions for known file types", click on Apply.


    · Please make a copy, zip it password protected (password: "infected") and send it to a new topic. It helps future prevention when it is added to the database. Read this for more information.


    · Close all windows including this one. Run HijackThis, click "Do a system scan only", check the following item and click on "Fix checked".


    O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll



    · Then check if the file is removed. If the file is not removed it may be in use. In that case go to safe mode and remove "hoksfkyw.dll" manually.


    · Run VundoBeGone to scan your computer. To do that:


    OK, here's where we are: after rebooting, my privacy settings were reset again. I ran VundoFix once again; it found and deleted the dll you were looking for, together with a couple of other ones.


    VundoBeGone did not find anything.


    I fixed the BHOs in HijackThis; there are a couple of other ones without any files attached. Will wait for further instructions and post the new logs.

  • [12/30/2007, 15:25:16] - VirtumundoBeGone v1.5 ( "D:\Software downloads\VirtumundoBeGone.exe" )
    [12/30/2007, 15:25:21] - Detected System Information:
    [12/30/2007, 15:25:21] - Windows Version: 5.1.2600, Service Pack 2
    [12/30/2007, 15:25:21] - Current Username: Andrei Tudoran (Admin)
    [12/30/2007, 15:25:21] - Windows is in NORMAL mode.
    [12/30/2007, 15:25:21] - Searching for Browser Helper Objects:
    [12/30/2007, 15:25:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [12/30/2007, 15:25:22] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [12/30/2007, 15:25:22] - BHO 3: {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} ()
    [12/30/2007, 15:25:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/30/2007, 15:25:22] - No filename found. Continuing.
    [12/30/2007, 15:25:22] - BHO 4: {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} (InlineSearchHandleHotKeys Class)
    [12/30/2007, 15:25:22] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
    [12/30/2007, 15:25:22] - BHO 6: {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} ()
    [12/30/2007, 15:25:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/30/2007, 15:25:22] - No filename found. Continuing.
    [12/30/2007, 15:25:22] - Finished Searching Browser Helper Objects
    [12/30/2007, 15:25:22] - Finishing up...
    [12/30/2007, 15:25:22] - Nothing found! Exiting...

    [12/30/2007, 15:36:50] - VirtumundoBeGone v1.5 ( "D:\Software downloads\VirtumundoBeGone.exe" )
    [12/30/2007, 15:36:52] - Detected System Information:
    [12/30/2007, 15:36:52] - Windows Version: 5.1.2600, Service Pack 2
    [12/30/2007, 15:36:52] - Current Username: Andrei Tudoran (Admin)
    [12/30/2007, 15:36:52] - Windows is in NORMAL mode.
    [12/30/2007, 15:36:52] - Searching for Browser Helper Objects:
    [12/30/2007, 15:36:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [12/30/2007, 15:36:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [12/30/2007, 15:36:52] - BHO 3: {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} ()
    [12/30/2007, 15:36:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/30/2007, 15:36:52] - No filename found. Continuing.
    [12/30/2007, 15:36:52] - BHO 4: {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} (InlineSearchHandleHotKeys Class)
    [12/30/2007, 15:36:52] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
    [12/30/2007, 15:36:52] - BHO 6: {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} ()
    [12/30/2007, 15:36:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/30/2007, 15:36:52] - No filename found. Continuing.
    [12/30/2007, 15:36:52] - Finished Searching Browser Helper Objects
    [12/30/2007, 15:36:52] - Finishing up...
    [12/30/2007, 15:36:52] - Nothing found! Exiting...

  • VundoFix V6.7.7

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.4.2.5
    Old versions of java are exploitable and should be removed.

    Scan started at 8:54:37 AM 12/30/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\hoksfkyw.dll
    C:\WINDOWS\system32\ijdulmpl.ini
    C:\WINDOWS\system32\lpmludji.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\hoksfkyw.dll
    C:\WINDOWS\system32\hoksfkyw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ijdulmpl.ini
    C:\WINDOWS\system32\ijdulmpl.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lpmludji.dll
    C:\WINDOWS\system32\lpmludji.dll Has been deleted!

    Performing Repairs to the registry.

    Done!


    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.4.2.5
    Old versions of java are exploitable and should be removed.

    Scan started at 10:38:39 AM 12/30/2007

    Listing files found while scanning....

    No infected files were found.

  • Removed old Java & will post the VundoFix backup with the infected files; remove the "bad" extension!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:44:04 PM, on 12/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\system32\mqsvc.exe
    D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Apoint\Apvfb.exe
    D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
    O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - D:\Program Files\Core Services\Inline Search\InlineSearch.dll
    O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - D:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [bDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Zoom &In  - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
    O8 - Extra context menu item: Zoom &Out  - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - D:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121775805920
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136462966394
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Spyware Doctor\swdsvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 8574 bytes

  • farbar
    farbar
    edited December 2007

    Hi again,


    The browser hijacker is gone and there is no more infection in your HijackThis log. I expect you have got control over your browser again. Still, run VundoFix once more to make sure there are no leftover files. After that, let's do some cleaning:


    1. Run HijackThis, close all windows including this one, click "Do a system scan only", check the following items and click on "Fix checked":


    O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)

    O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)

    O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)


    2. Empty your Temp folder. To do this:


    First unhide the Temp folder by going to Start - Control Panel - Folder Options - View - check "Display the contents of system folders", check "Show hidden files and folders". If you have not returned the setting to default, I believe you have done this before and don't need to do it again.


    Second, reboot your computer, then go to C:\Documents and Settings\Andrei Tudoran \Local settings\Temp. Open Temp, click on one of the files inside it, then Ctrl+A to select all the content and then Delete to empty your Temp folder.


    3. Go to Start - Control Panel - Internet Options - General - click Delete - Delete all - check "Also delete files and settings stored by add-ons".


    4. Go to Start - Run - type "cleanmgr.exe" (without the quotes). It shows the C drive to be cleaned; click OK, check all the items or at least Temporary Internet Files, Temporary Files and Recycle Bin. Click OK to confirm.


    5. Reboot and check if your computer is running fine. Then empty your restore volume to prevent the infection being recreated by Windows System Restore. To do that: go to Start - Control Panel - System - System Restore - check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot and don't forget to uncheck "Turn off System Restore on all drives" to create a clean restore point.


    6. Update Spyware Doctor and do a complete scan; it eventually removes the (harmless) registry leftovers. Update BitDefender and do a deep scan. Remove VundoFix and VundoBeGone.


    If you need further assistance, report back. Don't forget: prevention is better than cure.


    Success!
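    The three entries step 1 asks to fix share one trait: the registered file is gone but the registration remains. The following is an added example (not farbar's or HijackThis's code) that picks such orphaned entries out of a HijackThis log; the sample lines are copied from the log above with one healthy entry added for contrast, and the fix/optional split mirrors which entries this thread fixed (O2 and O20) and which it left alone (the Messenger O9 lines).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# HijackThis marks a dead registration with one of these suffixes.
ORPHAN_MARKER = re.compile(r"\((?:no file|file missing)\)\s*$")
# Every entry starts with its section code, e.g. "O2 - ...", "R1 - ...".
SECTION = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Orphan:
    section: str          # HijackThis section code (O2, O20, ...)
    detail: str           # the rest of the line, for the report
    clsid: Optional[str]  # CLSID if the entry carries one


def find_orphans(log_text: str) -> List[Orphan]:
    """Return entries whose registered file HijackThis reports as absent."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if not m or not ORPHAN_MARKER.search(line):
            continue
        c = CLSID.search(line)
        found.append(Orphan(m.group(1), m.group(2), c.group(0) if c else None))
    return found


def priority(o: Orphan) -> str:
    # O2 (BHO) and O20 (Winlogon Notify) slots load a DLL into the browser
    # or winlogon at startup; a dead pointer there is a leftover of a removed
    # component and is what this thread asked to have fixed. Other orphans
    # (e.g. the Messenger O9 buttons) are cosmetic.
    return "fix" if o.section in ("O2", "O20") else "optional"


def report(log_text: str) -> List[str]:
    """One line per orphaned entry, tagged with its priority."""
    return [f"[{priority(o)}] {o.section}: {o.detail}" for o in find_orphans(log_text)]
```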


  • 6. Update Spyware Doctor and do a complete scan; it eventually removes the (harmless) registry leftovers. Update BitDefender and do a deep scan. Remove VundoFix and VundoBeGone.


    If you need further assistance, report back. Don't forget: prevention is better than cure.


    Success!


    Done everything, computer squeaky clean !


    Thanks for your help, it was a learning experience.


  • You are welcome soidog2. I am glad everything is fine.


    Have a nice day, and a happy new year in advance.