[02408806]

Could someone help me? everytime i log on Norton Blocks alot of viruses e.g Trojans and Spyware for some reason. also im infected with the Win32 MyzorFk@fy that Norton couldnt block. (i get this trouble shooting icons two of them and it sends me to scamming spyware removal sites).

this is my HJT file:
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Admin\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [nwizwows] C:\WINDOWS\system32\nwizwows.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] rundll32.exe C:\WINDOWS\system32\winsys16_070510.dll start
O4 - HKLM\..\Policies\Explorer\Run: [main] rundll32.exe "C:\program files\internet explorer\use32.dll" mymain
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Security Tools\iesmn.exe
O4 - HKUS\S-1-5-18\..\Run: [9b36em19t7r276w] C:\WINDOWS\TEMP\1explore.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [9b36em19t7r276w] C:\WINDOWS\TEMP\1explore.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://66ad.32666.com
O15 - Trusted Zone: Á÷ýÌå¹ã¸æÍø
O15 - Trusted Zone: http://cfad.32666.com
O15 - Trusted Zone: ÈçºÎ³É¹¦? ³É¹¦×ÉѶ 32666.com
O15 - Trusted Zone: Ãâ·ÑµçÓ° WWW.YCDY.COM ÁíÀàÓéÀÖ Ð¡µçÓ° ÍøÓÑ×ÔÅÄ
O15 - Trusted Zone: Ãâ·ÑµçÓ° WWW.YCDY.COM ÁíÀàÓéÀÖ Ð¡µçÓ° ÍøÓÑ×ÔÅÄ
O15 - Trusted Zone: http://www1.ycdy.com
O15 - ESC Trusted Zone: http://66ad.32666.com
O15 - ESC Trusted Zone: Á÷ýÌå¹ã¸æÍø
O15 - ESC Trusted Zone: http://cfad.32666.com
O15 - ESC Trusted Zone: ÈçºÎ³É¹¦? ³É¹¦×ÉѶ 32666.com
O15 - ESC Trusted Zone: Ãâ·ÑµçÓ° WWW.YCDY.COM ÁíÀàÓéÀÖ Ð¡µçÓ° ÍøÓÑ×ÔÅÄ
O15 - ESC Trusted Zone: Ãâ·ÑµçÓ° WWW.YCDY.COM ÁíÀàÓéÀÖ Ð¡µçÓ° ÍøÓÑ×ÔÅÄ
O15 - ESC Trusted Zone: http://www1.ycdy.com
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E30914E1-078A-4AE8-B572-9FE339701D58}: NameServer = 203.12.160.35 203.12.160.35
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: deboner - {fa4fbf53-c766-4622-8011-a87a805eebf0} - C:\WINDOWS\system32\antzozc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7572 bytes

Any Removal Instructions?

[ECTech]

your log is incomplete. try posting a new one. in the mean time perform these steps,

1) download Ccleaner - CCleaner.com

2) go to start> run > type msconfig> click the startup tab> disable all> reboot

3) reset all the security zones in IE to its defaults.

4) disable system restore

5) download this - |MG| Free Download - AVG Anti-Spyware 7.5.0.50

[Osiris]

You going to post the rest of the log?

[wolfeyes89]

has anyone tried this guy's link? I think hes spamming some spyware related site so i haven't clicked it yet. Anyone wanna play guinea pig?

[kumar_tek]

Hi..
i have been infected wd trojan vundo,clicker,generic4.scm and many others..
Seeing ur blogs i ran vundofix.exe..i also ran combofix..
im posting the hijack log..pls let me know if stil there is any infection..
and if there is,pls help me out..


Logfile of HijackThis v1.99.1
Scan saved at 16:22, on 2007-06-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8208AA50-3BB5-445C-9424-6FCE88CB5743} - C:\WINNT\system32\opnopnk.dll (file missing)
O2 - BHO: (no name) - {B96CC09D-5CEB-416D-B92D-AED1091DC500} - C:\WINNT\system32\gebcd.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINNT\system32\xxfekaly.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172482378228
O17 - HKLM\System\CCS\Services\Tcpip\..\{85F99ED3-F395-4898-B4C8-FC02126BD9FB}: NameServer = 203.192.192.22 203.192.195.18
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

thx fr ur help..
Kumar

[Osiris]

remove these entries


O2 - BHO: (no name) - {8208AA50-3BB5-445C-9424-6FCE88CB5743} - C:\WINNT\system32\opnopnk.dll (file missing)

O2 - BHO: (no name) - {B96CC09D-5CEB-416D-B92D-AED1091DC500} - C:\WINNT\system32\gebcd.dll (file missing)

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINNT\system32\xxfekaly.dll (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{85F99ED3-F395-4898-B4C8-FC02126BD9FB}: NameServer = 203.192.192.22 203.192.195.18



then post a new log