Computer Forums

Old 10-16-2007, 09:33 PM   #1 (permalink)
 
Newb Techie

Join Date: Oct 2007

Posts: 10

exiledgolem

Default PLEASE :) need help thanks!

Windows Xp Home edition
Had a vundo I can't get rid of in safe mode with vundofix.exe
spybot lavasoft windows defender and counterspy
haven't used avg yet though

vundofix shows no infection
I know the viruses names are
something like a normal vundo and vundo.generic
getting a ton of popups and fake alerts
w/ icon

+ security toolbar
savethisinformation = another one

tried everything in safemode more than once

LOG --- PLEASE HELP !!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:04 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system\ampsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zoniozlv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jofsearl.dll",sitypnow
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188324079187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Logon (RLPsvc) - Unknown owner - C:\WINDOWS\system\ampsvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - http://i100.photobucket.com/albums/m...e-goth-grl.jpg

--
End of file - 3981 bytes
Old 10-16-2007, 09:56 PM   #2 (permalink)
 
Retired.

Join Date: Dec 2005

Location: Los Angeles, California

Posts: 8,090

peterhuang913

Default Re: PLEASE :) need help thanks!

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zoniozlv.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jofsearl.dll",sitypnow
Unknown
O23 - Service: Remote Logon (RLPsvc) - Unknown owner - C:\WINDOWS\system\ampsvc.exe

goth girls?
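The entries peterhuang913 picked out share traits that a triage script can check mechanically: an O23 service whose owner field is empty or "Unknown owner", a toolbar DLL sitting under the Windows directory instead of Program Files, and eight-letter lowercase file names. As an added example (not from the thread or from HijackThis), here is a Python parser for HijackThis O3/O4/O23 lines that applies those checks to a constructed excerpt of the log above; the heuristics and their thresholds are assumptions, not HijackThis rules.

```python
import re

# Constructed sample: the entries the thread singled out, plus three benign
# entries from the same log for contrast.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zoniozlv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jofsearl.dll",sitypnow
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Logon (RLPsvc) - Unknown owner - C:\WINDOWS\system\ampsvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\fasntroe.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>O\d+) - (?P<rest>.*)$")
# First DLL/EXE path in the entry; stops at quotes or at the ",Export" of a rundll32 command.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\',]+?\.(?:dll|exe)', re.I)
# O23 layout: "Service: <display name> - <owner> - <path>"; the owner may be empty ("- -").
SERVICE_RE = re.compile(r"Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)")
# Weak heuristic (assumption): eight lowercase letters, the naming pattern of the droppers in this thread.
RANDOM_STEM = re.compile(r"[a-z]{8}")


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {file path: [reasons]} for entries that deserve a second look."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        pm = PATH_RE.search(rest)
        if not pm:
            continue
        path = pm.group(0)
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if sec == "O23":
            sm = SERVICE_RE.match(rest)
            owner = sm.group("owner").strip() if sm else ""
            if owner in ("", "Unknown owner"):
                reasons.append("service has no identifiable owner")
        if sec == "O3" and "\\windows\\" in path.lower():
            reasons.append("toolbar DLL lives under the Windows directory, not Program Files")
        if RANDOM_STEM.fullmatch(stem):
            reasons.append("eight-letter lowercase file name (weak indicator)")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

The output is a list of entries to research or submit for scanning, not a verdict: a legitimate rundll32 autorun such as NvCpl passes, while the owner-less services and the system32 toolbar DLL are flagged.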
Old 10-16-2007, 10:01 PM   #3 (permalink)
 
Newb Techie

Join Date: Oct 2007

Posts: 10

exiledgolem

Default Re: PLEASE :) need help thanks!

just an active icon I had on my desktop
I removed the entries but 2 of them still exist

O23 - Service: Remote Logon (RLPsvc) - Unknown owner - C:\WINDOWS\system\ampsvc.exe
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zoniozlv.dll

after the rescan
should I just run all my antivirus stuff in safe mode again now?
this time hopefully they won't repop...

Last edited by exiledgolem; 10-16-2007 at 10:09 PM.
Old 10-17-2007, 10:44 PM   #4 (permalink)
 
Newb Techie

Join Date: Oct 2007

Posts: 10

exiledgolem

Default Re: PLEASE :) need help thanks!

I actually figured it out on my own, go me!
After looking through a couple hijackthis tutorials I
removed my gothgirls service after MULTIPLE scans of every scanner I had
aka windows defender, lavasoft, spybot, avg, counterspy, and was
finally able to remove the toolbar after removing the goth girls entry...
somehow they were interrelated?
I don't know though...

GG PLEASE CLOSE
Old 10-18-2007, 08:52 AM   #5 (permalink)
 

Join Date: Jan 2005

Location: Kentucky

Posts: 32,141

Osiris

Default Re: PLEASE :) need help thanks!

so after you removed that everything is now fine?
Old 10-18-2007, 10:18 AM   #6 (permalink)
 
Newb Techie

Join Date: Oct 2007

Posts: 10

exiledgolem

Default Re: PLEASE :) need help thanks!

well it seems so, 5 hours of browsing and no redirects,
popups or anything but today after checking my email
via msn got one redirect checked hijackthis and found a new
thing in my log I don't remember being there

O23 - Service: DomainService - - C:\WINDOWS\system32\fasntroe.exe
Old 10-18-2007, 10:25 AM   #7 (permalink)
 

Join Date: Jan 2005

Location: Kentucky

Posts: 32,141

Osiris

Default Re: PLEASE :) need help thanks!

not sure what that is....

where did you get redirected to?
Old 10-18-2007, 10:27 AM   #8 (permalink)
 
Newb Techie

Join Date: Oct 2007

Posts: 10

exiledgolem

Default Re: PLEASE :) need help thanks!

some website that popup
when I tried clicking on the email
button in live msn it popped the normal
email window but also then popped up that
website

it had its IP address first then
just showed the windows cannot display it thing..
Old 10-18-2007, 10:29 AM   #9 (permalink)
 
Newb Techie

Join Date: Oct 2007

Posts: 10

exiledgolem

Default Re: PLEASE :) need help thanks!

just got another one that popped up now
gfg, my hijackthis log was clear and stuff is getting up

URL
http://67.201.36.14/

Last edited by exiledgolem; 10-18-2007 at 10:32 AM.
Old 10-18-2007, 10:34 AM   #10 (permalink)
 

Join Date: Jan 2005

Location: Kentucky

Posts: 32,141

Osiris

Default Re: PLEASE :) need help thanks!

run ccleaner and cleanup.

When using ccleaner also make sure to run the reg fix tool

What does msconfig>startup show?

then post a new hijackthis log