Need help with spyware, malware and possibly viruses
batmanv1
Newbie
8. June 2007 @ 08:00
Computer symptoms: the computer restarts automatically, an insane amount of pop-ups, OuterInfo, Windows encounters errors upon login, Internet Explorer constantly freezes and stops responding.

It started when someone tried installing a program. I need help removing whatever the problem is.

Here is a logfile from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:12:07 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Don't Touch This\Local Settings\Temp\wz7fff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1163889300812
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1163980362203
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

If anyone can take a look and help me out, please do. I don't think I've got much time until my computer is completely finished.
Fredil
Member
8. June 2007 @ 16:56
Well... bleh. You have quite a bit of malware.

Was this log done in Safe Mode? If it was, then I probably didn't pick up all of it...

Originally posted by HijackThis log:
C:\Documents and Settings\Don't Touch This\Local Settings\Temp\wz7fff\HijackThis.exe
It looks like you're running HijackThis from a temporary folder. Please move it out of the temp folder to its own folder, as the backups are more likely to be deleted if they are in a temp folder. Afterwards, right-click on HijackThis and select "Rename". Rename it to asdf.

Now, I want you to enable the viewing of hidden files. Open the Control Panel and select Folder Options. Click on the "View" tab at the top, and click "Show hidden files and folders". While you're at it, uncheck "Hide extensions for known file types".

Next, go to the following website: http://www.virustotal.com At the top of the page, you will see a button that says "Browse" . Click that button, and paste the following into the box:

C:\WINDOWS\smgr.exe

Click "Open". Then, hit the orange-brownish "Send" button right next to it. You might have to wait a while. When the scan is done, a table will show up looking something like the one below. Ignore the one below that; just select all the text in the table and copy it into your reply.

Originally posted by virustotal.com:
AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 no virus found
Authentium 4.93.8 05.23.2007 VBS/CDEject.A
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.01.2007 no virus found
BitDefender 7.2 06.02.2007 no virus found
CAT-QuickHeal 9.00 06.01.2007 no virus found
ClamAV devel-20070416 06.02.2007 no virus found
DrWeb 4.33 06.02.2007 no virus found
eSafe 7.0.15.0 05.31.2007 no virus found
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 no virus found
FileAdvisor 1 06.02.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 Joke/EjectCD
F-Prot 4.3.2.48 06.01.2007 VBS/CDEject.A
F-Secure 6.70.13030.0 06.01.2007 VBS/CDEject.A
Ikarus T3.1.1.8 06.02.2007 no virus found
Kaspersky 4.0.2.24 06.02.2007 no virus found
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.02.2007 no virus found
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 no virus found
Panda 9.0.0.4 06.02.2007 no virus found
Prevx1 V2 06.02.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.02.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 no virus found
VBA32 3.12.0 06.01.2007 Trojan.VBS.CDJack.a#1
VirusBuster 4.3.23:9 06.02.2007 Joke.VBS.Cdject.A
Webwasher-Gateway 6.0.1 06.02.2007 no virus found
Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.

* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

This is just a precaution. Please download F-Secure BlackLight. Double-click the file to run it. Disconnect from the Internet before you do this - this is important. Accept the license agreement. You will now be presented with a screen that says Step 1 - Scan for hidden items. Click the "Scan" button; be patient. After the scan, if hidden objects are found, a log will open. Post that log in your reply. After the scan is finished, you may reconnect your Internet.

In your reply:
* The VirusTotal report for smgr.exe
* A BlackLight log (if applicable)
* A new HijackThis log (remember to move it out of the temp folder)

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
batmanv1
Newbie
8. June 2007 @ 19:01
OK, sorry I took so long. With the constant restarts it was almost impossible to scan the computer, but here are all the log files:

Blacklight:
06/08/07 22:38:56 [Info]: BlackLight Engine 1.0.61 initialized
06/08/07 22:38:56 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/08/07 22:38:56 [Note]: 7019 4
06/08/07 22:38:56 [Note]: 7005 0
06/08/07 22:38:56 [Note]: 7006 0
06/08/07 22:38:56 [Note]: 7011 1656
06/08/07 22:38:56 [Note]: 7026 0
06/08/07 22:38:56 [Note]: 7026 0
06/08/07 22:38:58 [Note]: FSRAW library version 1.7.1021
06/08/07 22:47:37 [Info]: Hidden file: c:\WINDOWS\system32\windev-60b-4fc6.sys
06/08/07 22:47:37 [Note]: 10002 1
06/08/07 22:47:38 [Info]: Hidden file: c:\WINDOWS\system32\windev-peers.ini
06/08/07 22:47:38 [Note]: 10002 1
06/08/07 22:49:07 [Note]: 7007 0


HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:03:15 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\DON'TT~1\LOCALS~1\Temp\powerwin.exe
C:\DOCUME~1\DON'TT~1\LOCALS~1\Temp\win64.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\asdf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\nnnnlig.dll
O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: (no name) - {9109454B-D3DA-D90D-DD0A-FEADDF94289D} - C:\WINDOWS\system32\ddhcj.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\ootoyibs.dll
O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gnmdiwkb.dll
O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qybukewm.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Share...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1163889300812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1163980362203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
O20 - Winlogon Notify: nnnnlig - C:\WINDOWS\SYSTEM32\nnnnlig.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)



VirusTotal:
AhnLab-V3 2007.6.9.0 06.08.2007 Win-Trojan/Alphabet.11776.N
AntiVir 7.4.0.32 06.08.2007 TR/Dldr.Alphabet.11776.16
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.08.2007 no virus found
AVG 7.5.0.467 06.08.2007 Downloader.Generic4.TDP
BitDefender 7.2 06.09.2007 no virus found
CAT-QuickHeal 9.00 06.08.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.09.2007 Trojan.Downloader-8305
DrWeb 4.33 06.09.2007 Trojan.DownLoader.23031
eSafe 7.0.15.0 06.06.2007 Win32.Alphabet.gen
eTrust-Vet 30.7.3703 06.08.2007 Win32/Kastem.R
Ewido 4.0 06.08.2007 Downloader.Alphabet
FileAdvisor 1 06.09.2007 Low threat detected
Fortinet 2.85.0.0 06.09.2007 W32/Alphabet!tr.dldr
F-Prot 4.3.2.48 06.08.2007 W32/Downloader!9a48
F-Secure 6.70.13030.0 06.08.2007 Trojan-Downloader.Win32.Alphabet.gen
Ikarus T3.1.1.8 06.08.2007 Trojan-Downloader.Win32.Alphabet
Kaspersky 4.0.2.24 06.09.2007 Trojan-Downloader.Win32.Alphabet.gen
McAfee 5049 06.08.2007 Generic Downloader
Microsoft 1.2503 06.09.2007 Trojan:Win32/Agent.SS (threat-c)
NOD32v2 2320 06.09.2007 a variant of Win32/TrojanClicker.Agent.NBS
Norman 5.80.02 06.08.2007 W32/DLoader.CVTL
Panda 9.0.0.4 06.09.2007 Adware/DriveCleaner
Prevx1 V2 06.09.2007 Trojan.Nudos
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 VIPRE.Suspicious
Symantec 10 06.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 no virus found
VBA32 3.12.0 06.07.2007 Trojan-Downloader.Win32.Alphabet.gen
VirusBuster 4.3.23:9 06.08.2007 Trojan.DL.Alphabet.Y
Webwasher-Gateway 6.0.1 06.09.2007 Trojan.Dldr.Alphabet.11776.16


I followed your directions exactly. I hope this helps you help me; get back to me as soon as possible.
Fredil
Member
8. June 2007 @ 20:00
I'll get back to you within the next 24 hours, as it is almost midnight here. I'm too tired to possibly attempt to read the logs.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
PeaInAPod
AfterDawn Addict
8. June 2007 @ 20:30
@batmanv1

I am going to watch this thread and pitch in my help when needed. But until then, here are a few pointers. One: rename HijackThis to something like "Can't be Jacked" or "Jack What?", something besides HijackThis, as some malware/spyware is programmed to hide from HijackThis and in some cases even to disable it. So renaming it might show more malicious programs in your scans. Also, if you are interested, here is a site:
http://www.hijackthis.de

Basically you paste your logfile into it and let it scan it, and 98% of the time it can tell you what the problems are, which entries are bad, why they're bad, etc.



"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
Fredil
Member
9. June 2007 @ 07:09
@PeaInAPod -

No problem, feel free to pitch in when necessary. Though sometimes I really doubt the effectiveness of HijackThis.de (i.e. once it marked a RedSheriff infection as "Safe"). HijackThis was renamed:

Originally posted by Fredil:
It looks like you're running HijackThis from a temporary folder. Please move it out of the temp folder to its own folder, as the backups are more likely to be deleted if they are in a temp folder. Afterwards, right-click on HijackThis and select "Rename". Rename it to asdf.
@Batmanv1 -

Make sure you do my steps in the order listed, and follow them exactly. Not only will it make my life a lot easier, it is critical to the accuracy of the fix. You don't want me to misinterpret a log because you didn't do it in the proper order, do you? Also, please make sure to read my directions first so you understand what is expected. If you have trouble with a step, skip it and tell me. Constant reboots are not considered "trouble with a step" :)

We're getting there... kinda. Please open HijackThis and do another scan. Place checkmarks besides the following boxes:

ALL O2 entries that say (no file)

O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\nnnnlig.dll

O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - C:\WINDOWS\system32\pmnnk.dll

O2 - BHO: (no name) - {9109454B-D3DA-D90D-DD0A-FEADDF94289D} - C:\WINDOWS\system32\ddhcj.dll

O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\ootoyibs.dll

O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gnmdiwkb.dll

O4 - HKLM\..\Run: [smgr] smgr.exe

O20 - Winlogon Notify: nnnnlig - C:\WINDOWS\SYSTEM32\nnnnlig.dll

O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll

O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll


I don't like the look of that log of smgr from VirusTotal. Please reboot your computer into Safe Mode:

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.

Then, open My Computer. Open the C: drive, and open the WINDOWS folder. Press the "s" key on your keyboard (this will make your life a bit easier) and search for "smgr.exe". Click on it. Then, hold down the "Shift" key and press the "Delete" button on your keyboard (not "Backspace"). It will give you a confirmation; press "Yes". You can now reboot back into Normal Mode.

Can you run VundoFix again? It will take about five minutes, and the log should be saved to C:\VundoFix.txt. Post that log in your reply.

Please run F-Secure BlackLight again (remember to disconnect your Internet and reconnect it afterwards - disconnect it physically). Double-click on fsbl.exe and do another scan. When the scan is finished, click "Next". You should be presented with a screen similar to this one (the items will vary, obviously):




Click on windev-60b-4fc6.sys to highlight it; then, click "Rename". The action will be changed from "None" to "Rename". Next, do the same thing with windev-peers.ini.

Do Not Do Anything Else With BlackLight Unless Asked!

You should now press the "Next" button. A warning screen will now show stating that renaming legitimate files can cause Windows not to operate properly, yada yada yada. Put a checkmark in the checkbox labeled "I have understood the warning and wish to continue" and then press the OK button. You should then press the Restart Now, and then the OK button again. If BlackLight doesn't restart your computer, do it manually.

Next, I want you to make a return trip to http://www.virustotal.com. Click "Browse", and paste the following in the box:

c:\WINDOWS\system32\windev-60b-4fc6.sys.ren

Wait for the scan to finish, and post the table back here, just like last time. Then, do another scan with the following:

c:\WINDOWS\system32\windev-peers.ini.ren

You also mentioned OuterInfo. To verify and remove that, I will need a HijackThis Uninstall Log:

* Open HijackThis. Click "Open the Misc. Tools Section".
* Click the "Misc Tools" tab at the top.
* Click on "Open Uninstall Manager".
* Hit "Save List". Save it to where you saved HijackThis. The list is called "uninstall_list.txt".
* Post that list in a reply.

In your reply:
* VundoFix.txt logfile
* A new BlackLight log
* VirusTotal's log for c:\WINDOWS\system32\windev-60b-4fc6.sys
* VirusTotal's log for c:\WINDOWS\system32\windev-peers.ini.ren
* An Uninstall List from HijackThis
* Last but not least, a new HijackThis logfile

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
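The list of entries Fredil asked to have fixed follows a handful of patterns that a reader of HijackThis logs learns to spot: O2 BHOs whose DLL is gone, unnamed O2 BHOs loading a DLL out of system32, O4 Run entries that give only a bare filename (resolved through PATH at logon) or use rundll32 to load a system32 DLL, O20 Winlogon Notify packages, and O23 services whose binary is missing. The script below is an added example that encodes those patterns as triage heuristics; it is not HijackThis code and not Fredil's own procedure. It assumes the HijackThis v1.99 line format shown in the logs above, and the severity labels and regexes are this example's own choices.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    severity: str  # "high" = fix, "review" = verify the file before fixing
    reason: str
    line: str


# Sample input: nine lines excerpted from the second log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\nnnnlig.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qybukewm.dll",realset
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
"""

# "O2 - rest of line": section code, then the section-specific body.
LINE_RE = re.compile(r"^(?P<sec>[ORFN]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A DLL path that ends inside the system32 directory.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# rundll32 invocations: capture the DLL that is being loaded.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)', re.IGNORECASE)


def triage(log_text):
    """Return a Finding for every log line that matches one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec == "O2":
            if body.endswith("(no file)"):
                findings.append(Finding(sec, "high", "BHO registered but its DLL is gone", line))
            elif "(no name)" in body and SYSTEM32_DLL_RE.search(body):
                findings.append(Finding(sec, "high", "unnamed BHO loading a DLL from system32", line))
        elif sec == "O4":
            run = RUN_RE.match(body)
            if not run:
                continue
            cmd = run["cmd"].strip()
            rundll = RUNDLL_RE.search(cmd)
            exe = cmd.split()[0].strip('"') if cmd else ""
            if rundll and "\\system32\\" in rundll["dll"].lower():
                findings.append(Finding(sec, "review", "rundll32 loading a system32 DLL at logon", line))
            elif exe and "\\" not in exe:
                findings.append(Finding(sec, "high", "Run entry names a bare executable resolved via PATH", line))
        elif sec == "O20":
            findings.append(Finding(sec, "review", "Winlogon Notify package; verify the DLL", line))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "review", "service binary missing (stale uninstall or removed payload)", line))
    return findings


def counts_by_severity(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the excerpt this yields three "high" findings (the orphaned BHO, nnnnlig.dll, and the bare smgr.exe Run entry) and three "review" findings; the named Yahoo! and Java BHOs and the fully pathed QuickTime entry pass. The "review" tier exists because rundll32 entries, Winlogon Notify packages and orphaned services all have legitimate instances, so the heuristic only points a helper at what to check, as Fredil did by sending smgr.exe and the windev files to VirusTotal before deleting anything.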
batmanv1
Newbie
9. June 2007 @ 10:31
VundoFix Logfile:
VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:11:17 PM 6/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\jjlxbeyw.ini
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\khfdeed.dll
C:\WINDOWS\system32\snyhcvww.dll
C:\WINDOWS\system32\wyebxljj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjlxbeyw.ini
C:\WINDOWS\system32\jjlxbeyw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\jkhhi.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\khfdeed.dll
C:\WINDOWS\system32\khfdeed.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\snyhcvww.dll
C:\WINDOWS\system32\snyhcvww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wyebxljj.dll
C:\WINDOWS\system32\wyebxljj.dll Has been deleted!

Performing Repairs to the registry.
Done!

Blacklight Log:
06/09/07 13:46:39 [Info]: BlackLight Engine 1.0.61 initialized
06/09/07 13:46:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/09/07 13:46:39 [Note]: 7019 4
06/09/07 13:46:39 [Note]: 7005 0
06/09/07 13:47:19 [Note]: 7006 0
06/09/07 13:47:19 [Note]: 7011 1780
06/09/07 13:47:19 [Note]: 7026 0
06/09/07 13:47:19 [Note]: 7026 0
06/09/07 13:47:21 [Note]: FSRAW library version 1.7.1021
06/09/07 13:55:23 [Info]: Hidden file: c:\WINDOWS\system32\windev-60b-4fc6.sys
06/09/07 13:55:23 [Note]: 10002 1
06/09/07 13:55:23 [Info]: Hidden file: c:\WINDOWS\system32\windev-peers.ini
06/09/07 13:55:23 [Note]: 10002 1
06/09/07 14:03:55 [Note]: 7007 0


VirusTotal's log for c:\WINDOWS\system32\windev-60b-4fc6.sys:
AhnLab-V3 2007.6.9.0 06.08.2007 Win-Trojan/Tibs.153728
AntiVir 7.4.0.32 06.09.2007 TR/PCK.Tibs.AB
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 06.09.2007 no virus found
BitDefender 7.2 06.09.2007 Trojan.Peed.HUJ
CAT-QuickHeal 9.00 06.09.2007 no virus found
ClamAV devel-20070416 06.09.2007 no virus found
DrWeb 4.33 06.09.2007 Trojan.Spambot
eSafe 7.0.15.0 06.06.2007 Win32.Tibs.ab
eTrust-Vet 30.7.3707 06.09.2007 Win32/Tibs
Ewido 4.0 06.09.2007 Trojan.Tibs.ab
FileAdvisor 1 06.09.2007 No threat detected
Fortinet 2.85.0.0 06.09.2007 PossibleThreat
F-Prot 4.3.2.48 06.08.2007 W32/Dropper.gen6
F-Secure 6.70.13030.0 06.08.2007 Packed.Win32.Tibs.ab
Ikarus T3.1.1.8 06.09.2007 Packed.Win32.Tibs.ab
Kaspersky 4.0.2.24 06.09.2007 Packed.Win32.Tibs.ab
McAfee 5049 06.08.2007 no virus found
Microsoft 1.2503 06.09.2007 TrojanDownloader:Win32/TIBS (threat-c)
NOD32v2 2320 06.09.2007 Win32/Fuclip.AK
Norman 5.80.02 06.08.2007 W32/Tibs.AKAI
Panda 9.0.0.4 06.09.2007 Adware/Adsmart
Prevx1 V2 06.09.2007 Covert.Code
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 no virus found
VBA32 3.12.0 06.07.2007 no virus found
VirusBuster 4.3.23:9 06.09.2007 no virus found
Webwasher-Gateway 6.0.1 06.09.2007 Trojan.PCK.Tibs.AB

VirusTotal's log for c:\WINDOWS\system32\windev-peers.ini.ren:
AhnLab-V3 2007.6.9.0 06.08.2007 no virus found
AntiVir 7.4.0.32 06.09.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 06.09.2007 no virus found
BitDefender 7.2 06.09.2007 no virus found
CAT-QuickHeal 9.00 06.09.2007 no virus found
ClamAV devel-20070416 06.09.2007 no virus found
DrWeb 4.33 06.09.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3707 06.09.2007 no virus found
Ewido 4.0 06.09.2007 no virus found
FileAdvisor 1 06.09.2007 no virus found
Fortinet 2.85.0.0 06.09.2007 no virus found
F-Prot 4.3.2.48 06.08.2007 no virus found
F-Secure 6.70.13030.0 06.08.2007 no virus found
Ikarus T3.1.1.8 06.09.2007 no virus found
Kaspersky 4.0.2.24 06.09.2007 no virus found
McAfee 5049 06.08.2007 no virus found
Microsoft 1.2503 06.09.2007 no virus found
NOD32v2 2320 06.09.2007 no virus found
Norman 5.80.02 06.08.2007 no virus found
Panda 9.0.0.4 06.09.2007 no virus found
Prevx1 V2 06.09.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 no virus found
VBA32 3.12.0 06.07.2007 no virus found
VirusBuster 4.3.23:9 06.09.2007 no virus found
Webwasher-Gateway 6.0.1 06.09.2007 no virus found


HiJackThis Uninstall Log:
Ad-Aware 2007
Adobe Bridge 1.0
Adobe Help Center 1.0
Adobe Reader 7.0
Adobe Shockwave Player
Agere Systems PCI Soft Modem
AIM 6
Apple Software Update
ATI Control Panel
ATI Display Driver
Auto Macro Recorder V4.8 Trial Version
AV Music Morpher Gold
BitPim 0.9.12
Build Your Own Net Dream (remove only)
CCleaner (remove only)
Corel Painter X
DivX
DivX Player
DivX Web Player
Easy Internet Sign-up
Fbrowse 2.0
Game Console - WildGames
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Tunes
ImageSlicer
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
IrfanView (remove only)
iTunes
Java(TM) SE Runtime Environment 6 Update 1
Jets 'N' Guns GOLD
LimeWire PRO 4.12.6
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Move Networks Player for Internet Explorer
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
muvee autoProducer 4.0
muvee autoProducer unPlugged 1.1 - HPD
Nanny Mania
Notepad++
Office 2003 Tour
Outerinfo
Panda ActiveScan
Perfect Macro Recorder 1.50
Photo Pos Pro
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2005
QuickTime
RealPlayer
Registry Mechanic 6.0
Replay Media Catcher
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy 1.4
The Hot Mix - Basic
Total Video Converter 3.02
TweakMASTER
Ulead PhotoImpact 12
UltraMixer 2.0.10.1
Unreal Tournament 2004 Demo
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Video Convert Master Trial Version (English) 7.9.0.4
Viewpoint Media Player
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885354
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Xfire (remove only)
Yahoo! Install Manager
Yahoo! Toolbar
Zune

HiJackThis Logfile:
Logfile of HijackThis v1.99.1
Scan saved at 2:30:26 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\smgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\avp.exe
C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\HijackThis\asdf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - (no file)
O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\khfdeed.dll (file missing)
O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wuufkiei.dll
O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzas.dll,startup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\wyebxljj.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Share...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1163889300812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1163980362203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

OK, I followed your directions exactly. Here are the logfiles.
batmanv1
Newbie
_
9. June 2007 @ 10:37 _ Link to this message    Send private message to this user   
Oh, sorry, here is an addition, the VundoFix logfile:
VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:24:58 PM 6/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\khfdeed.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\jkhhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfdeed.dll
C:\WINDOWS\system32\khfdeed.dll Has been deleted!

Performing Repairs to the registry.
Done!
Member
_
12. June 2007 @ 16:18 _ Link to this message    Send private message to this user   
Terribly sorry about the delay; can you give me just one more day?

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
batmanv1
Newbie
_
13. June 2007 @ 04:34 _ Link to this message    Send private message to this user   
It's ok, take your time. The problem seems to be getting better already thanks to your help, so go ahead and take all the time you need; just let me know when you're ready.
Member
_
14. June 2007 @ 11:37 _ Link to this message    Send private message to this user   
Ooookay... sorry about that.

Since it's been a while: can you post a fresh HijackThis log to refresh my memory and give me a more recent view of your computer.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
batmanv1
Newbie
_
16. June 2007 @ 04:53 _ Link to this message    Send private message to this user   
Really sorry about the wait, but the last couple of days were crazy for me. Here you go.


Logfile of HijackThis v1.99.1
Scan saved at 8:51:50 AM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\smgr.exe
C:\WINDOWS\avp.exe
C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HijackThis\asdf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - (no file)
O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - (no file)
O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wuufkiei.dll
O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Share...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1163889300812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1163980362203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
Member
_
16. June 2007 @ 13:42 _ Link to this message    Send private message to this user   
Still gotta do these (some of them may not be there since you ran VundoFix):

Quote:
ALL O2 entries that say (no file)

O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\nnnnlig.dll

O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - C:\WINDOWS\system32\pmnnk.dll

O2 - BHO: (no name) - {9109454B-D3DA-D90D-DD0A-FEADDF94289D} - C:\WINDOWS\system32\ddhcj.dll

O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\ootoyibs.dll

O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gnmdiwkb.dll

O4 - HKLM\..\Run: [smgr] smgr.exe

O20 - Winlogon Notify: nnnnlig - C:\WINDOWS\SYSTEM32\nnnnlig.dll

O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll

O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
Next, I just want to see what we're dealing with with winrvc32. Please go to http://www.virustotal.com and click the big "Browse" button at the top. In the box that appears, paste the following:

C:\WINDOWS\SYSTEM32\winrvc32.dll

Then, hit "Open". At the top of the page there will be a button that says "Send". Click that. Since this is a high-demand service, you will most likely be queued. After that, VirusTotal will scan your file using 32 virus engines, so be patient.

Please open the Command Prompt by opening the Start Menu, clicking on Run, and typing cmd. Press enter, and the Control Panel should open. Type "path" (without the quotes) and press Enter. Your window should look something like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\xxxx>path
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Qu
ickTime\QTSystem\

C:\Documents and Settings\xxxx>

(xxxx is my name) Now, right-click anywhere in the window and press "Select All". When it is selected, press the Enter key to copy that to the clipboard. Paste that into a Notepad document (save it if you don't feel like doing it again), and when you feel like replying, paste that into your reply.

Finally, open up VundoFix again. In the white box that takes up most of the window, right-click and press "Add more files?" In the boxes that appear, put the following paths (there are 2 paths):

C:\WINDOWS\system32\jykbhh.dll
C:\WINDOWS\system32\wuufkiei.dll


Then, press "OK" and do another scan with VundoFix.

In your reply:
* A new HijackThis log
* VirusTotal log
* VundoFix log
* The thing that appeared when you did the path command in cmd

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
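The helper's triage above works through the HijackThis sections by hand: O2 entries whose file is gone, unnamed BHOs that still load a DLL from system32, an O4 Run entry that is a bare filename (which is why the `path` output is requested, since a bare name is resolved through the PATH search), and an O20 Winlogon Notify DLL sent to VirusTotal. As an added example, not code from this thread or from HijackThis or VundoFix, here is a small Python parser that applies the same checks to log lines copied from the logs posted in this thread. The Winlogon Notify allowlist and the path heuristics (bare filename, executable directly in the Windows root, autorun from Application Data) are constructed for illustration and are not a HijackThis rule set.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis 1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - (no file)
O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Line formats of the three HijackThis sections the helper's checklist touches.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Constructed allowlist for illustration only; WgaLogon is the one handler seen in the thread's logs
# that is not on the helper's removal list. A real allowlist would be maintained per environment.
KNOWN_WINLOGON_NOTIFY = {"wgalogon"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def command_image(cmd: str) -> str:
    """Return the executable part of an O4 Run command.

    Handles quoted images with arguments and, because HijackThis prints some
    unquoted paths containing spaces, takes everything up to the first '.exe'
    when the command is unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the checklist heuristics to every O2, O4 and O20 line; other sections are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding("O2", line, "orphaned BHO registration: the CLSID points at a file that no longer exists"))
            elif m["name"] == "(no name)":
                findings.append(Finding("O2", line, "unnamed BHO still loading a DLL: submit the file to VirusTotal before removal"))
        elif m := O4_RE.match(line):
            image = command_image(m["cmd"])
            low = image.lower()
            if "\\" not in image:
                findings.append(Finding("O4", line, "bare filename: resolved through the PATH search, so compare with the 'path' output"))
            elif low.startswith("c:\\windows\\") and low.count("\\") == 2:
                findings.append(Finding("O4", line, "executable placed directly in the Windows root (heuristic)"))
            elif "\\application data\\" in low:
                findings.append(Finding("O4", line, "autorun from a user-writable Application Data folder (heuristic)"))
        elif m := O20_RE.match(line):
            if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("O20", line, "Winlogon Notify handler not on the allowlist: it loads into winlogon.exe at logon, review it"))
    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Count findings per HijackThis section."""
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(SAMPLE_LOG))
```

Run on the sample it reports six lines: the two O2 entries, the three O4 entries (smgr.exe, avp.exe, vajmfsjo.exe) and winrvc32, which is exactly the set the helper singled out; the named Yahoo BHO, ctfmon.exe in system32 and the quoted QuickTime entry pass through. The O4 output is a prompt to check, not a verdict: a legitimate program can live in the Windows root, which is why the helper pairs the list with a VirusTotal upload rather than deleting on sight.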
batmanv1
Newbie
_
16. June 2007 @ 15:39 _ Link to this message    Send private message to this user   
HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 7:31:28 PM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\smgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\avp.exe
C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe
C:\HijackThis\asdf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - (no file)
O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - (no file)
O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll (file missing)
O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wuufkiei.dll (file missing)
O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Share...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1163889300812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1163980362203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)


VirusTotal:
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Dialer.18944.N
AntiVir 7.4.0.32 06.16.2007 TR/Crypt.PEC2X.Gen
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.16.2007 no virus found
AVG 7.5.0.467 06.16.2007 Dialer.FHC
BitDefender 7.2 06.16.2007 Trojan.Downloader.Agent.BGY
CAT-QuickHeal 9.00 06.16.2007 Trojan.Dialer.qn
ClamAV None 06.16.2007 no virus found
DrWeb 4.33 06.16.2007 Trojan.Mezzia
eSafe 7.0.15.0 06.14.2007 Win32.Dialer.qn
eTrust-Vet 30.7.3721 06.15.2007 Win32/Nebuler.BI
Ewido 4.0 06.16.2007 Trojan.Dialer.qn
FileAdvisor 1 06.17.2007 Not analyzed yet
Fortinet 2.85.0.0 06.16.2007 W32/Nebule.QN!tr
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 W32/Dialer.dam
Ikarus T3.1.1.8 06.16.2007 Trojan.Win32.Agent.qt
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Dialer.qn
McAfee 5054 06.15.2007 potentially unwanted program Dialer-Generic
Microsoft 1.2607 06.16.2007 no virus found
Norman 5.80.02 06.15.2007 W32/Dialer.dam
Panda 9.0.0.4 06.16.2007 Dialer.KHJ
Prevx1 V2 06.17.2007 Polynomial.Code.Exploit
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 Trojan.Nebuler
Symantec 10 06.17.2007 Trojan.Nebuler
TheHacker 6.1.6.133 06.15.2007 Trojan/Dialer.qn
VBA32 3.12.0.2 06.15.2007 Trojan.Win32.Dialer.qn
VirusBuster 4.3.23:9 06.16.2007 no virus found
Webwasher-Gateway 6.0.1 06.16.2007 no virus found
VundoFix:
VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:15:58 PM 6/16/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\jykbhh.dll
C:\WINDOWS\system32\jykbhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wuufkiei.dll
C:\WINDOWS\system32\wuufkiei.dll Has been deleted!

Performing Repairs to the registry.
Done!

CMD:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Don't Touch This>path
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Prog
ram Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625

C:\Documents and Settings\Don't Touch This>
batmanv1
Newbie
_
19. June 2007 @ 04:08 _ Link to this message    Send private message to this user   
.
Member
_
19. June 2007 @ 05:42 _ Link to this message    Send private message to this user   
Blargh. I'll get back to you in a few seconds, I gotta eat breakfast first.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Member
_
16. July 2007 @ 16:45 _ Link to this message    Send private message to this user   
I'm sorry about the horribly late reply.

Do you still need help? If so, post another HijackThis log.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Auttaja
Suspended permanently
_
16. July 2007 @ 23:33 _ Link to this message    Send private message to this user   
Just a couple of hints:

http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

(See that O4 - HKLM\..\Run: [smgr] mgrs.exe)

=========

C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe

randomly named malware

========

O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe

trojan downloader

==========

O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll

Part of the Vundo family (maybe add the files in VundoFix or ComboFix)



Don't send your HijackThis log to another user's topic. Remember to describe what kind of problems you have. (In my opinion AfterDawn has a very unsupportive attitude towards malware fighters.)
How to send a HijackThis log (steps 3-5) | HijackThis log posting instructions (Finnish)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs (Finnish). For example MSG+ is there. Another list
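The hints above are the reasoning an experienced helper applies by eye to an O4/O20/O2 line: a Run key with a bare filename, an executable launched from All Users\Application Data, an unknown DLL registered under Winlogon Notify, and BHO CLSIDs whose DLL is gone. As an added example (not part of this thread, not HijackThis code and not the helper's tooling), the Python script below encodes those same checks and runs them over a constructed sample built from the log posted earlier. The allowlists of Winlogon Notify DLLs and of Microsoft binaries launched from %windir% are assumptions for a stock Windows XP SP2 machine, and the "random-looking name" test is a crude vowel-ratio heuristic that only annotates a finding, never creates one.

```python
"""Heuristic triage of HijackThis (v1.99.x) log lines.

Added example for this thread: not HijackThis code, not the helper's tooling.
The allowlists are assumptions for a stock Windows XP SP2 machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: Winlogon Notify DLLs shipped with XP SP2 plus the WGA one.
# Anything else registered here is loaded into winlogon.exe at every logon.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}
# Assumption: Microsoft binaries a Run key legitimately launches from %windir%.
KNOWN_WINDOWS_RUN = {"ctfmon.exe", "rundll32.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
DATA_DIR_MARKERS = ("\\application data\\", "\\temp\\")

# Constructed sample: a subset of the O2/O4/O20/O23 lines posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - (no file)
O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll (file missing)
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    target: str    # path, file or CLSID the entry points at
    reason: str
    severity: str  # "high" = review/remove now, "low" = dead entry to clean up


_RUN_RE = re.compile(r"HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.*)$")
_EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)


def _launched_file(cmd: str) -> str:
    """Return the file an O4 command launches, quoted or not, arguments dropped."""
    m = _EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().split(" ")[0]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _looks_random(name: str) -> bool:
    """Crude vowel-ratio check for names like 'vajmfsjo'; only used to annotate."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 6 and stem.isalpha() and sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def _triage_o4(cmd: str) -> Finding | None:
    path = _launched_file(cmd)
    low, name = path.lower(), _basename(path)
    if "\\" not in path:
        return Finding("O4", path, "bare filename: resolved via PATH at logon, no fixed location", "high")
    if any(mk in low for mk in DATA_DIR_MARKERS):
        note = " with a random-looking name" if _looks_random(name) else ""
        return Finding("O4", path, "executable launched from a user-writable data directory" + note, "high")
    if low.rsplit("\\", 1)[0] in SYSTEM_DIRS and name not in KNOWN_WINDOWS_RUN:
        return Finding("O4", path, "unrecognised binary launched from a Windows system directory", "high")
    return None


def triage(log_text: str) -> list[Finding]:
    """Apply the rules above to every line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        tag, _, body = raw.strip().partition(" - ")
        if tag == "O4" and (m := _RUN_RE.match(body)):
            if f := _triage_o4(m.group(1)):
                findings.append(f)
        elif tag == "O2" and body.count(" - ") >= 2:
            _, clsid, loc = body.rsplit(" - ", 2)
            if loc == "(no file)":
                findings.append(Finding("O2", clsid, "orphaned BHO: CLSID registered with no DLL path", "low"))
            elif loc.endswith("(file missing)"):
                dll = loc[: -len("(file missing)")].strip()
                findings.append(Finding("O2", dll, "BHO DLL deleted but CLSID still registered", "low"))
        elif tag == "O20":
            dll = body.rsplit(" - ", 1)[-1]
            if _basename(dll) not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("O20", dll, "unrecognised Winlogon Notify DLL: loaded into winlogon.exe at every logon", "high"))
        elif tag == "O23" and body.endswith("(file missing)"):
            exe = body.rsplit(" - ", 1)[-1][: -len("(file missing)")].strip()
            findings.append(Finding("O23", exe, "service registered for a missing binary", "low"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: (f.severity, f.section)):
        print(f"[{f.severity:4}] {f.section:3} {f.target}\n        {f.reason}")
    print(summarize(results))
```

On the sample the script flags the same five entries the helper called out (smgr.exe, vajmfsjo.exe, scchk32.exe, winrvc32.dll, plus C:\WINDOWS\avp.exe, which sits outside every vendor directory) and leaves QuickTime, ctfmon.exe, the Yahoo! BHO and WgaLogon.dll alone; the orphaned BHO CLSIDs and the missing Trend Micro service binary come out as low-severity cleanup. Severity here only orders the manual review: none of these rules proves a file is malicious, which is why the thread's next step is still a VirusTotal submission.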