hijackthis log trojan?
-
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:03:36, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\tools\HiJackThis_v2.exe
O2 - BHO: (no name) - {BC8A9602-4962-4DA2-9599-D7940804AA62} - C:\WINDOWS\system32\ddabc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\mgclekna.dll",forkonce
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
--
End of file - 3219 bytes
-
Welcome,
Please go to hijackthis.exe, right click on it, click on Rename and rename it to foolyou.exe, then press Enter. Sometimes malware hides from hijackthis.exe.
We need to turn off TeaTimer for the time being, please.
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Run HijackThis, click on the "Scan system only" button and put checks next to these:
O2 - BHO: (no name) - {BC8A9602-4962-4DA2-9599-D7940804AA62} - C:\WINDOWS\system32\ddabc.dll
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\mgclekna.dll",forkonce
These below in purple are optional fixes; if you or an administrative person did not set them, you can fix them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
With all browsers and windows closed except hijackthis, click on "fix checked"
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
C:\WINDOWS\system32\mgclekna.dll
C:\WINDOWS\system32\ddabc.dll
Reboot into normal mode and post the VundoFix log and a new HijackThis log please.
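As an added example (not from this thread, the helper, or HijackThis itself), here is a small Python triage script that applies the same reasoning the helper used to pick entries out of the log above: it parses the O2/O4/O20 lines, flags an unnamed BHO, a Run key that loads a DLL through rundll32, and a Winlogon Notify package, and then cross-references DLL paths that show up under more than one entry type. The sample lines are copied from the first log in the thread; the KNOWN_GOOD allowlist is a hypothetical baseline, not a real reference list.

```python
import re
from collections import defaultdict

# Constructed sample: the O2/O4/O20 lines quoted from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BC8A9602-4962-4DA2-9599-D7940804AA62} - C:\WINDOWS\system32\ddabc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\mgclekna.dll",forkonce
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
"""

# Hypothetical baseline of DLL names already verified as belonging to installed software.
KNOWN_GOOD = {"nvcpl.dll"}

# A drive-letter path ending in .dll; stops at quotes, whitespace or the comma before an export name.
DLL_RE = re.compile(r'([a-z]:\\[^"\s,]+?\.dll)', re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Onn - ...' line in a HijackThis log."""
    pairs = [re.match(r"(O\d+) - (.*)", line.strip()) for line in log_text.splitlines()]
    return [(m.group(1), m.group(2)) for m in pairs if m]


def triage(log_text):
    """Map each suspicious DLL path (lowercased) to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    sections = defaultdict(set)  # dll path -> entry types that reference it
    for section, body in parse_entries(log_text):
        for dll in DLL_RE.findall(body):
            key = dll.lower()
            if key.rsplit("\\", 1)[-1] in KNOWN_GOOD:
                continue
            sections[key].add(section)
            if section == "O2" and "(no name)" in body:
                reasons[key].append("O2: BHO registered without a name")
            if section == "O4" and "rundll32" in body.lower():
                reasons[key].append("O4: Run key loads the DLL via rundll32")
            if section == "O20":
                reasons[key].append("O20: Winlogon Notify package, loaded at every logon")
    # The same DLL reached from several hook points (BHO plus Winlogon Notify here) is the strongest signal.
    for key, secs in sections.items():
        if len(secs) > 1:
            reasons[key].append("referenced from %d entry types: %s" % (len(secs), ", ".join(sorted(secs))))
    return dict(reasons)


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```

Run against the sample it reports exactly the two DLLs the helper told the poster to remove, with ddabc.dll ranked highest because it is hooked both as a BHO and as a Winlogon Notify package.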
-
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:24:34, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\tools\foolyou.exe.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
--
End of file - 2567 bytes
VundoFix V6.5.6
Checking Java version...
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 19:27:13 7/29/2007
Listing files found while scanning....
C:\windows\system32\cfkfnbgp.dll
C:\windows\system32\dmpgacjv.dll
C:\windows\system32\ducjlcvl.dll
C:\windows\system32\etxrxhwd.dll
C:\windows\system32\gcgtwljx.dll
C:\windows\system32\hualhxoq.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\kjkkj.tmp
C:\windows\system32\lvcljcud.ini
C:\windows\system32\muqbocxt.dll
C:\windows\system32\nlnwvehu.dll
C:\windows\system32\obqsoyxg.dll
C:\windows\system32\pgyohosp.dll
C:\windows\system32\piooxmwl.dll
C:\windows\system32\pqwxhcpm.dll
Beginning removal...
Attempting to delete C:\windows\system32\cfkfnbgp.dll
C:\windows\system32\cfkfnbgp.dll Has been deleted!
Attempting to delete C:\windows\system32\dmpgacjv.dll
C:\windows\system32\dmpgacjv.dll Has been deleted!
Attempting to delete C:\windows\system32\ducjlcvl.dll
C:\windows\system32\ducjlcvl.dll Has been deleted!
Attempting to delete C:\windows\system32\etxrxhwd.dll
C:\windows\system32\etxrxhwd.dll Has been deleted!
Attempting to delete C:\windows\system32\gcgtwljx.dll
C:\windows\system32\gcgtwljx.dll Has been deleted!
Attempting to delete C:\windows\system32\hualhxoq.dll
C:\windows\system32\hualhxoq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\jkkjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\kjkkj.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjkkj.tmp
C:\WINDOWS\system32\kjkkj.tmp Has been deleted!
Attempting to delete C:\windows\system32\lvcljcud.ini
C:\windows\system32\lvcljcud.ini Has been deleted!
Attempting to delete C:\windows\system32\muqbocxt.dll
C:\windows\system32\muqbocxt.dll Has been deleted!
Attempting to delete C:\windows\system32\nlnwvehu.dll
C:\windows\system32\nlnwvehu.dll Has been deleted!
Attempting to delete C:\windows\system32\obqsoyxg.dll
C:\windows\system32\obqsoyxg.dll Has been deleted!
Attempting to delete C:\windows\system32\pgyohosp.dll
C:\windows\system32\pgyohosp.dll Has been deleted!
Attempting to delete C:\windows\system32\piooxmwl.dll
C:\windows\system32\piooxmwl.dll Has been deleted!
Attempting to delete C:\windows\system32\pqwxhcpm.dll
C:\windows\system32\pqwxhcpm.dll Has been deleted!
Performing Repairs to the registry.
Done!
-
Clean HijackThis log; how is your computer behaving now?
-
A lot better, no more pop-ups.
Thanks for all the help.
-
Wonderful news,
Are you happy?