Author Topic: someone plz help me remove this worm vb.ce  (Read 982 times)

Offline birdman

  • Full Member
  • ***
  • Posts: 188
  • Karma: +0/-0
someone plz help me remove this worm vb.ce
« on: January 01, 2006, 07:18:40 PM »
Logfile of HijackThis v1.99.1
Scan saved at 6:14:20 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\marcus\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.yahoo.com/zzzzzzzzlll?intl...n&ver=7,0,0,437
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E11725F-6298-4F18-8C4F-C48A16BCDE44}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


I don't have any problems as of yet, but my virus scanner picks up worm vb.ce. Can anyone help me remove this please......!!!!!!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
someone plz help me remove this worm vb.ce
« Reply #1 on: January 01, 2006, 08:21:22 PM »
Where is your AV finding this bad guy?
How many AVs do you have running?
It appears you use AVG, but I also see an entry for AntiVir?

Can you do the following please? I just want to check on something.

Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline birdman

  • Full Member
  • ***
  • Posts: 188
  • Karma: +0/-0
someone plz help me remove this worm vb.ce
« Reply #2 on: January 02, 2006, 12:26:14 AM »
Thanks guys for helping me rid my computer of this worm.
I only use one AV; I uninstalled the other, I don't even remember what was on there.
OK, first I'll post the

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 8/3/2004 7:07:00 PM         41397      C:\WINNT\SYSTEM32\dfrg.msc
PECompact2           12/7/2005 1:38:52 PM        2714976    C:\WINNT\SYSTEM32\MRT.exe
aspack               12/7/2005 1:38:52 PM        2714976    C:\WINNT\SYSTEM32\MRT.exe
aspack               8/3/2004 7:07:00 PM         708096     C:\WINNT\SYSTEM32\ntdll.dll
Umonitor             8/3/2004 7:07:00 PM         657920     C:\WINNT\SYSTEM32\rasdlg.dll
winsync              8/3/2004 7:07:00 PM         1309184    C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX!                 12/21/2005 2:57:26 AM       749600     C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG!                 12/21/2005 2:57:26 AM       749600     C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2                 12/21/2005 2:57:26 AM       749600     C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack               12/21/2005 2:57:26 AM       749600     C:\WINNT\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     1/1/2006 10:50:02 PM      S 2048       C:\WINNT\bootstat.dat
                     12/20/2005 6:51:40 PM    H  363912     C:\WINNT\ShellIconCache
                     12/20/2005 9:24:16 PM   RH  749        C:\WINNT\WindowsShell.Manifest
                     12/20/2005 9:02:56 PM     S 64         C:\WINNT\CSC\00000001
                     12/20/2005 9:24:28 PM    H  65         C:\WINNT\Downloaded Program Files\desktop.ini
                     12/20/2005 9:25:50 PM    HS 67         C:\WINNT\Fonts\desktop.ini
                     12/21/2005 12:46:40 AM   H  0          C:\WINNT\inf\oem11.inf
                     12/20/2005 9:24:28 PM    H  65         C:\WINNT\Offline Web Pages\desktop.ini
                     12/20/2005 9:25:08 PM   RHS 727        C:\WINNT\pchealth\helpctr\PackageStore\package_1.cab
                     12/20/2005 9:25:08 PM   RHS 19854      C:\WINNT\pchealth\helpctr\PackageStore\package_2.cab
                     12/20/2005 9:25:08 PM   RHS 244933     C:\WINNT\pchealth\helpctr\PackageStore\package_3.cab
                     12/20/2005 9:26:58 PM    H  249856     C:\WINNT\repair\ntuser.dat
                     12/19/2005 4:22:14 PM    H  10842      C:\WINNT\system32\ATMenuxx.GID
                     12/20/2005 9:24:16 PM   RH  749        C:\WINNT\system32\cdplayer.exe.manifest
                     12/20/2005 9:24:28 PM   RH  488        C:\WINNT\system32\logonui.exe.manifest
                     12/20/2005 9:24:16 PM   RH  749        C:\WINNT\system32\ncpa.cpl.manifest
                     12/20/2005 9:24:16 PM   RH  749        C:\WINNT\system32\nwc.cpl.manifest
                     12/20/2005 9:24:16 PM   RH  749        C:\WINNT\system32\sapi.cpl.manifest
                     1/1/2006 9:10:20 PM      H  35870      C:\WINNT\system32\vsconfig.xml
                     12/20/2005 9:24:28 PM   RH  488        C:\WINNT\system32\WindowsLogon.manifest
                     12/20/2005 9:24:16 PM   RH  749        C:\WINNT\system32\wuaucpl.cpl.manifest
                     12/26/2005 5:21:22 AM    H  4212       C:\WINNT\system32\zllictbl.dat
                     11/30/2005 10:17:10 PM    S 21633      C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
                     12/1/2005 6:12:48 PM      S 10925      C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
                     1/1/2006 10:50:12 PM     H  40960      C:\WINNT\system32\config\default.LOG
                     12/20/2005 3:09:56 PM    H  0          C:\WINNT\system32\config\default.tmp.LOG
                     1/1/2006 10:52:10 PM     H  1024       C:\WINNT\system32\config\SAM.LOG
                     1/1/2006 10:50:02 PM     H  16384      C:\WINNT\system32\config\SECURITY.LOG
                     1/1/2006 10:52:10 PM     H  69632      C:\WINNT\system32\config\software.LOG
                     12/20/2005 3:09:54 PM    H  0          C:\WINNT\system32\config\software.tmp.LOG
                     1/1/2006 10:50:08 PM     H  819200     C:\WINNT\system32\config\system.LOG
                     12/20/2005 3:09:46 PM    H  0          C:\WINNT\system32\config\system.tmp.LOG
                     12/20/2005 3:09:36 PM    H  1024       C:\WINNT\system32\config\TempKey.LOG
                     12/20/2005 3:09:56 PM    H  1024       C:\WINNT\system32\config\userdiff.LOG
                     12/20/2005 9:37:30 PM    H  1024       C:\WINNT\system32\config\userdifr.LOG
                     12/21/2005 7:46:48 PM    H  1024       C:\WINNT\system32\config\systemprofile\ntuser.dat.LOG
                     12/20/2005 9:12:14 PM    HS 62         C:\WINNT\system32\config\systemprofile\Application Data\desktop.ini
                     12/20/2005 9:26:58 PM     S 1047       C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
                     12/20/2005 9:26:56 PM     S 1370       C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
                     12/20/2005 9:26:58 PM     S 126        C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
                     12/20/2005 9:26:56 PM     S 194        C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
                     12/20/2005 9:12:14 PM    HS 62         C:\WINNT\system32\config\systemprofile\Local Settings\desktop.ini
                     12/20/2005 9:24:32 PM    HS 348        C:\WINNT\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini
                     12/20/2005 9:24:32 PM    HS 181        C:\WINNT\system32\config\systemprofile\SendTo\desktop.ini
                     12/20/2005 9:12:14 PM    HS 62         C:\WINNT\system32\config\systemprofile\Start Menu\desktop.ini
                     12/20/2005 9:26:54 PM    HS 148        C:\WINNT\system32\config\systemprofile\Start Menu\Programs\desktop.ini
                     12/20/2005 9:26:52 PM    HS 482        C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
                     12/20/2005 9:26:52 PM    HS 348        C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
                     12/20/2005 9:26:52 PM    HS 84         C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
                     12/20/2005 9:26:52 PM    HS 84         C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
                     12/20/2005 6:50:12 PM    HS 336        C:\WINNT\system32\Microsoft\Protect\S-1-5-18\58fb89f9-d3cc-4923-af97-ccff153d3241
                     12/20/2005 6:50:12 PM    HS 24         C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
                     12/20/2005 9:34:34 PM    HS 352        C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\61b441ba-c637-4d4a-8e4f-ebfaf22c702c
                     12/20/2005 10:34:38 PM   HS 388        C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\ecf4dbf3-65d0-409b-a4f2-431d3ce4eff0
                     12/20/2005 10:34:38 PM   HS 24         C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     1/1/2006 10:48:48 PM     H  6          C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/3/2004 7:07:00 PM         68608      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         549888     C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         110592     C:\WINNT\SYSTEM32\bthprops.cpl
Labtec Inc.                    2/12/2004 4:59:12 PM        151552     C:\WINNT\SYSTEM32\CamCpl.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         135168     C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         80384      C:\WINNT\SYSTEM32\firewall.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         155136     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         358400     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         129536     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         380416     C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         68608      C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         11/10/2005 1:03:50 PM       49265      C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         187904     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         618496     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         35840      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         25600      C:\WINNT\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         257024     C:\WINNT\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         36864      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         32768      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         114688     C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         298496     C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         28160      C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         94208      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         148480     C:\WINNT\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         68608      C:\WINNT\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         549888     C:\WINNT\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         135168     C:\WINNT\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         80384      C:\WINNT\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         155136     C:\WINNT\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         358400     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         129536     C:\WINNT\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         68608      C:\WINNT\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         187904     C:\WINNT\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         618496     C:\WINNT\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         35840      C:\WINNT\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         25600      C:\WINNT\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         257024     C:\WINNT\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         36864      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         32768      C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         114688     C:\WINNT\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         155648     C:\WINNT\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         298496     C:\WINNT\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         28160      C:\WINNT\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         94208      C:\WINNT\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation          8/3/2004 7:07:00 PM         148480     C:\WINNT\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     12/20/2005 9:26:52 PM    HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     12/26/2005 5:08:14 AM       702        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpywareBlaster.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     12/20/2005 9:12:14 PM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     12/20/2005 9:26:52 PM    HS 84         C:\Documents and Settings\marcus\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     12/20/2005 9:12:14 PM    HS 62         C:\Documents and Settings\marcus\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   SV1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
    = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
    = C:\WINNT\system32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
   Yahoo! Toolbar Helper = C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
   SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {EF99BD32-C1FB-11D2-892F-0090271D4F88}    = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Synchronization Manager   mobsync.exe /logon
   AtiPTA   atiptaxx.exe
   AVGCtrl   "C:\Program Files\AVPersonal\AVGNT.EXE" /min
   LogitechVideoRepair   C:\Program Files\Logitech\Video\ISStart.exe
   LogitechVideoTray   C:\Program Files\Logitech\Video\LogiTray.exe
   AVG7_CC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
   SunJavaUpdateSched   C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
   Zone Labs Client   C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Yahoo! Pager   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\system32\stobject.dll
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINNT\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
    = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/1/2006 11:01:08 PM

OK, NEXT IS MY AVG HISTORY LOG

<rec time="2005/12/30 20:47:41" user="marcus" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_12</attr>
  <attr name="infectedfiles">0</attr>
</rec>
<rec time="2005/12/31 02:40:06" user="marcus" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\DOCUME~1\marcus\LOCALS~1\Temp\Temporary Directory 1 for Limewire Pro 4.10.0 Final + All Skins.zip\Setup.exe</attr>
  <attr name="finding">@EID_Id_vir</attr>
  <attr name="virusname">Worm/VB.CC</attr>
</rec>
<rec time="2005/12/31 02:40:32" user="marcus" source="Virus">
  <value>@HL_ActionTaken</value>
  <attr name="filename">C:\DOCUME~1\marcus\LOCALS~1\Temp\Temporary Directory 1 for Limewire Pro 4.10.0 Final + All Skins.zip\Setup.exe</attr>
  <attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_12</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\Documents and Settings\marcus\My Documents\Limewire Pro 4.10.0 Final + All Skins.zip</attr>
  <attr name="type">@EID_Id_vir</attr>
  <attr name="what">Worm/VB.CC</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_12</attr>
  <attr name="infectedfiles">1</attr>
</rec>
<rec time="2005/12/31 02:41:51" user="marcus" source="Virus">
  <value>@HL_ActionTaken</value>
  <attr name="filename">C:\Documents and Settings\marcus\My Documents\Limewire Pro 4.10.0 Final + All Skins.zip</attr>
  <attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2005/12/31 02:43:21" user="marcus" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_02</attr>
</rec>
<rec time="2005/12/31 03:02:05" user="marcus" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_02</attr>
  <attr name="infectedfiles">0</attr>
</rec>
<rec time="2005/12/31 08:00:03" user="SYSTEM" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_02</attr>
</rec>
<rec time="2005/12/31 08:17:37" user="SYSTEM" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_02</attr>
  <attr name="infectedfiles">0</attr>
</rec>
<rec time="2005/12/31 11:13:21" user="marcus" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_12</attr>
</rec>
<rec time="2005/12/31 11:13:21" user="marcus" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\Documents and Settings\marcus\My Documents\AVG Anti-Virus 7.0.344.618.zip</attr>
  <attr name="type">@EID_Id_vir</attr>
  <attr name="what">Worm/VB.CE</attr>
</rec>
<rec time="2005/12/31 11:13:21" user="marcus" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_12</attr>
  <attr name="infectedfiles">1</attr>
</rec>
<rec time="2005/12/31 11:13:39" user="marcus" source="Virus">
  <value>@HL_ActionTaken</value>
  <attr name="filename">C:\Documents and Settings\marcus\My Documents\AVG Anti-Virus 7.0.344.618.zip</attr>
  <attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2006/01/01 16:56:17" user="marcus" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/01/01 16:58:08" user="marcus" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\Documents and Settings\marcus\Shared\AVG Anti-Virus 7.0.344.618.zip</attr>
  <attr name="type">@EID_Id_vir</attr>
  <attr name="what">Worm/VB.CE</attr>
</rec>
<rec time="2006/01/01 17:12:07" user="marcus" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_02</attr>
  <attr name="infectedfiles">1</attr>
</rec>
<rec time="2006/01/01 17:12:08" user="marcus" source="Virus">
  <value>@HL_ActionTaken</value>
  <attr name="filename">C:\Documents and Settings\marcus\Shared\AVG Anti-Virus 7.0.344.618.zip</attr>
  <attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/01/01 17:18:28" user="marcus" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/01/01 17:33:55" user="marcus" source="General">
  <value>@HL_TestEnded</value>
  <attr name="testname">@TestName_02</attr>
  <attr name="infectedfiles">0</attr>
</rec>
</history>



              OK, I hope that helps you help me. I just got this computer and would hate to lose it, because
      I was downloading programs from Limewire, but I should have known better... thx
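The AVG history export above is plain XML: every `<rec>` carries a time, user and source, a `<value>` naming the event and a set of `<attr>` children. What a reviewer actually wants from it is a pairing of each detection with the action AVG later logged for the same path, so that a detection with no follow-up action stands out. The script below is an added example, not code from the thread or from AVG; it runs on a constructed sample that mirrors the record shapes in the posted log (the last record is invented to show the unhandled case), and the wording of the action codes is an assumption, with `VV` read as AVG's Virus Vault.

```python
"""Summarise an AVG 7 history log: pair each detection with its logged action."""
import xml.etree.ElementTree as ET

# Assumed meaning of AVG's action codes ("VV" read as Virus Vault, i.e. quarantine).
ACTION_LABELS = {
    "@HL_ActVVInserted": "moved to Virus Vault (quarantined)",
    "@HL_ActCleaned": "cleaned",
}

# Constructed sample mirroring the posted log. The final detection has no
# matching @HL_ActionTaken record, so it should surface as unhandled.
SAMPLE_HISTORY = r"""<history>
<rec time="2005/12/31 02:40:06" user="marcus" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\DOCUME~1\marcus\LOCALS~1\Temp\Setup.exe</attr>
  <attr name="finding">@EID_Id_vir</attr>
  <attr name="virusname">Worm/VB.CC</attr>
</rec>
<rec time="2005/12/31 02:40:32" user="marcus" source="Virus">
  <value>@HL_ActionTaken</value>
  <attr name="filename">C:\DOCUME~1\marcus\LOCALS~1\Temp\Setup.exe</attr>
  <attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="General">
  <value>@HL_TestStarted</value>
  <attr name="testname">@TestName_12</attr>
</rec>
<rec time="2006/01/01 16:58:08" user="marcus" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\Documents and Settings\marcus\Shared\AVG Anti-Virus 7.0.344.618.zip</attr>
  <attr name="type">@EID_Id_vir</attr>
  <attr name="what">Worm/VB.CE</attr>
</rec>
<rec time="2006/01/01 17:12:08" user="marcus" source="Virus">
  <value>@HL_ActionTaken</value>
  <attr name="filename">C:\Documents and Settings\marcus\Shared\AVG Anti-Virus 7.0.344.618.zip</attr>
  <attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/01/02 09:00:00" user="marcus" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\Documents and Settings\marcus\Shared\constructed-sample.zip</attr>
  <attr name="type">@EID_Id_vir</attr>
  <attr name="what">Worm/VB.CE</attr>
</rec>
</history>"""


def parse_history(xml_text):
    """Flatten each <rec> into a dict: time/user/source/value plus its <attr>s."""
    records = []
    for rec in ET.fromstring(xml_text).iter("rec"):
        entry = {
            "time": rec.get("time"),
            "user": rec.get("user"),
            "source": rec.get("source"),
            "value": (rec.findtext("value") or "").strip(),
        }
        for attr in rec.findall("attr"):
            entry[attr.get("name")] = (attr.text or "").strip()
        records.append(entry)
    return records


def detections(records):
    """Pair each virus detection with actions logged for the same path afterwards.

    Timestamps are 'YYYY/MM/DD HH:MM:SS', so plain string comparison orders them.
    """
    actions = [r for r in records if r["value"] == "@HL_ActionTaken"]
    result = []
    for r in records:
        if r["source"] != "Virus" or not r["value"].startswith("@HL_ReportFind"):
            continue
        # @HL_ReportFind uses where/what; @HL_ReportFindRS uses filename/virusname.
        path = r.get("where") or r.get("filename")
        threat = r.get("what") or r.get("virusname")
        taken = [a["action"] for a in actions
                 if a.get("filename") == path and a["time"] >= r["time"]]
        result.append({"time": r["time"], "path": path, "threat": threat, "actions": taken})
    return result


def unhandled(records):
    """Detections for which no action was ever logged: these need a manual look."""
    return [d for d in detections(records) if not d["actions"]]


def report(records):
    """One human-readable line per detection, with the action spelled out."""
    lines = []
    for d in detections(records):
        acts = ", ".join(ACTION_LABELS.get(a, a) for a in d["actions"]) or "NO ACTION LOGGED"
        lines.append(f"{d['time']}  {d['threat']:<12} {acts}\n    {d['path']}")
    return lines


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    print("\n".join(report(recs)))
    print(f"\n{len(unhandled(recs))} detection(s) without a logged action")
```

Run against the full log from the post, every detection in it has a matching `@HL_ActVVInserted` or `@HL_ActCleaned` record, which is the evidence that the files AVG named were quarantined or cleaned; the `General` records (test start/end) are skipped because they carry no path.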

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
someone plz help me remove this worm vb.ce
« Reply #3 on: January 02, 2006, 12:49:06 AM »
I want you to run through a few scans please to see what we can clean and pick up

Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot  and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Download and save p2pnetwork.zip
Then UNZIP it to the BFU Folder
So you now have p2pnetwork.bfu extracted to the BFU folder

Download and save and then UNZIP to the BFU folder
BFU.zip
So you now have BFU.exe extracted

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

If you don't have the latest version of Ad-Aware
Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Don't run a scan yet
In the event you already have Ad-aware, check for updates now please

Please  save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

Once in safe mode
Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
Remain in safe mode for the following

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer  back to Normal mode

Back in Windows

Can I see the following
1. Post a fresh hijackthis log
2. Post the whole report from Ewido you saved earlier

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline birdman

  • Full Member
  • ***
  • Posts: 188
  • Karma: +0/-0
someone plz help me remove this worm vb.ce
« Reply #4 on: January 02, 2006, 04:25:57 AM »
Logfile of HijackThis v1.99.1
Scan saved at 6:14:20 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\marcus\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.yahoo.com/zzzzzzzzlll?intl...n&ver=7,0,0,437
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E11725F-6298-4F18-8C4F-C48A16BCDE44}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe




                                                 THIS IS THE ONLY REPORT I SEEN FOR EWIDO

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         2:52:15 AM, 1/2/2006
 + Report-Checksum:      49C71749

 + Scan result:

   :mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   :mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   :mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup


::Report End



  OK, it found 12 infections which were deleted... I hope this helps you help me... thx for the great help!!
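A HijackThis log like the one above lists the running processes and, separately, the autostart entries (`O4` lines) that launch programs at logon. One triage step a reviewer performs by eye is to check which autostarts correspond to nothing in the process list: most such gaps are harmless (a one-shot logon task, a program that spawns a differently named tray process, a leftover from an uninstalled product), but each one deserves a glance. The script below automates that cross-check. It is an added example, not code from the thread or from HijackThis, and runs on a constructed excerpt in the v1.99.1 format mirroring the posted log; the path-extraction heuristic (cut an unquoted command line at the first `.exe`) is an assumption about how these logs are written.

```python
"""Cross-check HijackThis O4 autostart entries against the running-process list."""
import re

# Constructed excerpt in HijackThis v1.99.1 format, mirroring the posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Registry Run-key entries: "O4 - HKLM\..\Run: [Name] command line"
RUN_KEY_RE = re.compile(r"^O4 - (?P<hive>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcuts: "O4 - Global Startup: Name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")


def executable_from_command(cmd):
    """Pull the program path out of a Run-key command line.

    A quoted path ends at the closing quote. An unquoted path may contain
    spaces (paths under Program Files), so the heuristic used here cuts at
    the first '.exe' rather than at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def basename(path):
    """Lower-cased file name, so 'Explorer.EXE' and 'explorer.exe' compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return the running-process basenames and the parsed O4 autostart entries."""
    processes, autostarts, in_procs = set(), [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not stripped:          # blank line ends the process block
                in_procs = False
            else:
                processes.add(basename(stripped))
            continue
        m = RUN_KEY_RE.match(stripped) or STARTUP_RE.match(stripped)
        if m:
            autostarts.append({"name": m.group("name"),
                               "path": executable_from_command(m.group("cmd")),
                               "raw": stripped})
    return {"processes": processes, "autostarts": autostarts}


def autostarts_not_running(parsed):
    """Autostart entries whose executable is absent from the process list."""
    return [a for a in parsed["autostarts"]
            if basename(a["path"]) not in parsed["processes"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(parsed['autostarts'])} autostarts, {len(parsed['processes'])} running processes")
    for a in autostarts_not_running(parsed):
        print(f"  not running: [{a['name']}] -> {a['path']}")
```

On the sample, five autostarts have no running counterpart: `mobsync.exe` (a logon-time task), `AVGNT.EXE` under `AVPersonal` (a product not otherwise present in the log), `ISStart.exe`, `ypager.exe` (whose tray process appears under a different name) and `spywareblaster.exe`. None of that is a verdict; it is the list a reviewer checks entry by entry, which is exactly what the helper in this thread did by reading the log.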

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
someone plz help me remove this worm vb.ce
« Reply #5 on: January 02, 2006, 04:41:36 AM »
How's everything running?
Those were just cookies
If you run a scan with AVG, let me know if it finds anything in the System volume information folder
I'll check back later as I'm off to bed soon
« Last Edit: January 02, 2006, 04:42:22 AM by guestolo »



Offline birdman

  • Full Member
  • ***
  • Posts: 188
  • Karma: +0/-0
someone plz help me remove this worm vb.ce
« Reply #6 on: January 02, 2006, 05:09:03 AM »
Everything seems in tip-top shape. I ran the virus scanner and it came up with no viruses or errors.
Thanks guestolo for all your help. Those cookies had me a little nervous. What should I now do with all these
programs I have downloaded when the trial runs out? Should I keep SpywareBlaster with all of these other programs? I would
not want to cause conflict between them... anyway you guys are the best and have helped me out a lot...
« Last Edit: January 02, 2006, 05:30:50 AM by birdman »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
someone plz help me remove this worm vb.ce
« Reply #7 on: January 02, 2006, 02:32:55 PM »
Let's do the following
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

The tools you have
You can manually delete the following folder
C:\BFU <-this folder

Also delete WinPFind.zip and the WinPFind folder

I would hold onto Ad-Aware and check for updates every couple of weeks and run a scan
Optionally, I would also hold onto CleanUp! to clean your temp files, cookies, etc. every week
Ewido is also a great tool, I run it once a month
It will be a limited version in a couple of weeks, but still a great scanner
and still removes bad guys ;)

SpywareBlaster, do not get rid of it
It is free, but it looks like you bought the version you're using
That's as good as Donating to Javacools, I'm sure they appreciate it very much
There was a recent update with SpywareBlaster program, did you get notified of it?
You should now be using version 3.5.1
Be sure to use proper uninstall and install procedures if you haven't updated yet...
« Last Edit: January 02, 2006, 02:33:39 PM by guestolo »



Offline birdman

  • Full Member
  • ***
  • Posts: 188
  • Karma: +0/-0
someone plz help me remove this worm vb.ce
« Reply #8 on: January 03, 2006, 01:20:32 AM »
Alright, System Restore has been turned off and then enabled; also I've updated SpywareBlaster...
So I think I'm good to go. Everything seems to be running smooth as silk.

                                                           thanks,
                                                                    marcus

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
someone plz help me remove this worm vb.ce
« Reply #9 on: January 03, 2006, 01:27:20 AM »
Good work Marcus
I saw you were reading the sticky at the top of the forum
http://www.thetechguide.com/forum/index.php?showtopic=25085
I've edited it a bit, can you read it again
You only need to apply the patch, no need to unregister the .dll, if you did you can reregister it

Keep checking windows updates for a fix, at which time you should be able to remove the patch from add/remove programs
« Last Edit: January 03, 2006, 01:32:23 AM by guestolo »
