Hi,
I think I have 2 viruses. The first is causing random popups with both FF and IE; they usually go to winantiviruspro.com on FF, and I can't recall the IE ones, but when you exit the IE ones, another one pops up. The only way to stop it seems to be ending iexplore.exe in Task Manager.
Norton Internet Security 2007 keeps finding and deleting Trojan.Vundo, but then it comes back.
The second appeared today, and has an icon at the bottom (yellow triangle with an exclamation mark); when you hover on it, it says 'Security Center Balloon'.
Clicking it pops up 'Personal Security Center'; there are 4 kinds of tab things when you open it. These are:
Ultimate Fixer (says Install now)
Ultimate Defender (says Install now)
Ultimate Cleaner (says Install now)
Security Monitor (which says On; I think this is that sys tray icon)
The icon periodically pops up balloons saying stuff like 'integrity threats detected' and then a few lines of text. (Ah, one just popped up. The few lines are:
Some system files or hard drive structure may be corrupted. It may lead to crashed, reboots, slowdowns and freezes of operating system.
Click here to...)
HijackThis Log
Just ended scprot4.exe (that seems to be the sys tray one, but I don't know how to remove it).

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:11:16, on 29/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benjamin New\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B} - C:\WINDOWS\system32\qomkihi.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O2 - BHO: (no name) - {66CAB10F-77BA-48F8-98BC-09B9F717E840} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7BAC7AC8-F276-4202-A83B-BD841314D4CF} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91B4DDA9-F6CC-4000-90BC-68CD9E5BF6A5} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\gqcimibq.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\vtutqpm.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [j2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzas.dll,startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ukwuayns.dll",forkonce
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZoiPPE] "C:\Program Files\ZoiPPE\ZoiPPE.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: qomkihi - C:\WINDOWS\SYSTEM32\qomkihi.dll
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 11706 bytes
One more catch is that my Norton Internet Security 2007 subscription runs out in 3 days.
Kind Regards and thanks in advance
Ben
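To show what a helper actually looks for in a log like the one above, here is an added triage script; it is not part of the thread and not HijackThis's own code. It parses the "Oxx - body" line format, and the sample entries are copied from the posted log; the reason codes ("orphaned-loading-point", "unnamed-bho-random-dll", and so on) are labels of this example, not anything HijackThis prints.

```python
"""Triage of HijackThis-style log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B} - C:\WINDOWS\system32\qomkihi.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O4 - HKLM\..\Run: [j2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# "O2 - body" / "R1 - body": the tag says which loading point the entry is.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Short all-lower-case DLL names in system32 (qomkihi, jkkjh, vtutu ...) are
# the naming pattern of the Vundo components seen in the log.
SYS32_RANDOM_DLL_RE = re.compile(r"(?i:\\system32\\)([a-z]{4,8})\.dll")
# A Run value that starts a DLL through a Windows host process.
HOST_PROCESS_RE = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,]+)")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O2" or "O20"
    reason: str   # reason code (a label of this example, not HijackThis output)
    detail: str   # the item the reason refers to


def triage_line(line):
    """Return the findings for one log line (empty list if nothing applies)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    findings = []
    if "(file missing)" in body or "(no file)" in body:
        # The file is gone but the registry still points at it: a leftover
        # loading point to clean up, and the usual source of RUNDLL errors at boot.
        findings.append(Finding(section, "orphaned-loading-point", body))
    rnd = SYS32_RANDOM_DLL_RE.search(body)
    if section == "O2" and "(no name)" in body and rnd:
        findings.append(Finding(section, "unnamed-bho-random-dll", rnd.group(1) + ".dll"))
    if section == "O4" and HOST_PROCESS_RE.search(body):
        findings.append(Finding(section, "dll-via-host-process", body))
    if section == "O10":
        findings.append(Finding(section, "broken-lsp-chain", body))
    if section == "O17":
        ns = NAMESERVER_RE.search(body)
        findings.append(Finding(section, "dns-servers-to-verify", ns.group(1) if ns else body))
    if section == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe before any user logs
        # on, which is how the Vundo BHOs get re-registered after removal.
        findings.append(Finding(section, "winlogon-notify-hook", body))
    return findings


def triage(text):
    """Triage a whole log; returns findings in log order."""
    out = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings):
    """Count findings per reason code."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<24} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

The heuristics only flag entries for a human to review; benign software also uses rundll32 and unnamed BHOs, so every hit still needs checking against the vendor and file location.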
You are not running HijackThis (HJT) from a desired location. You really need to set up a dedicated folder for HJT items to avoid horrible clutter and/or potential lost backup issues.
It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
- Create a new folder in your C: Drive.
- Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and
- Move the HijackThis.exe file into the newly created FOLDER.
- Run HJT from there (and revise your shortcut accordingly).
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Hijack This Log

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:36:06, on 30/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B} - C:\WINDOWS\system32\qomkihi.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O2 - BHO: (no name) - {66CAB10F-77BA-48F8-98BC-09B9F717E840} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7BAC7AC8-F276-4202-A83B-BD841314D4CF} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91B4DDA9-F6CC-4000-90BC-68CD9E5BF6A5} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [j2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzas.dll,startup
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZoiPPE] "C:\Program Files\ZoiPPE\ZoiPPE.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: qomkihi - C:\WINDOWS\SYSTEM32\qomkihi.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 11336 bytes

Also a little more info...

VundoFix.txt Log

Code:
VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:07:38 30/08/2007

Listing files found while scanning....

C:\windows\system32\aoptavkv.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\windows\system32\eiwnwija.dll
C:\WINDOWS\system32\eogskjff.dll
C:\WINDOWS\system32\gqcimibq.dll
C:\windows\system32\hffsvfmd.dll
C:\WINDOWS\system32\hrhdobtd.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll
C:\windows\system32\jqalbwcl.dll
C:\windows\system32\qcctiotu.dll
C:\windows\system32\snyauwku.ini
C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\vtutqpm.dll
C:\WINDOWS\system32\vtutu.dll

Beginning removal...

Attempting to delete C:\windows\system32\aoptavkv.dll
C:\windows\system32\aoptavkv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.tmp Has been deleted!

Attempting to delete C:\windows\system32\eiwnwija.dll
C:\windows\system32\eiwnwija.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gqcimibq.dll
C:\WINDOWS\system32\gqcimibq.dll Has been deleted!

Attempting to delete C:\windows\system32\hffsvfmd.dll
C:\windows\system32\hffsvfmd.dll Has been deleted!

Attempting to delete C:\windows\system32\jqalbwcl.dll
C:\windows\system32\jqalbwcl.dll Has been deleted!

Attempting to delete C:\windows\system32\qcctiotu.dll
C:\windows\system32\qcctiotu.dll Has been deleted!

Attempting to delete C:\windows\system32\snyauwku.ini
C:\windows\system32\snyauwku.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\ukwuayns.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:19:05 30/08/2007

Listing files found while scanning....

C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!
After restarting after the VundoFix thing, Norton popped up and said it had the virus MisLeadApp [edit: another one just popped up, MagicAntiSpy].
Also, when the computer starts up, a Windows pop-up comes up saying
RUNDLL (<-- that's the title)
Error loading C:\WINDOWS\system32\j2211830.dll
The specified module could not be found
Just going to run that combofix thingy now, will post when it is done
Thanks for your support
Ben
EDIT: ComboFix Logs

Code:
ComboFix 07-08-30.3 - "Benjamin" 2007-08-30 11:43:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.486 [GMT 1:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.txt
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\byxuspq.dll
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\khfgecb.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qomkihi.dll
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\ututv.bak1
C:\WINDOWS\system32\ututv.bak2
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\vtusnrvb.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\winexy32.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\ybadd.bak1
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ybadd.tmp
I:\Autorun.inf
J:\Autorun.inf
K:\Autorun.inf

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NPF
-------\nm
-------\NPF

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))

2007-08-30 11:42 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 11:07 <DIR> d-------- C:\VundoFix Backups
2007-08-30 11:01 <DIR> d-------- C:\HiJackThis
2007-08-29 16:45 122,880 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ahahslar.dll
2007-08-29 16:45 <DIR> d-------- C:\WINDOWS\system32\ogvhbfee
2007-08-29 16:45 <DIR> d-------- C:\Program Files\Dnonezsy
2007-08-25 16:17 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-25 16:11 93,184 --a------ C:\WINDOWS\system32\drvzas.dll
2007-08-10 13:29 <DIR> d-------- C:\Program Files\nmxcvgta
2007-08-06 13:27 <DIR> d-------- C:\Program Files\Driving Test Success 2007-2008
2007-08-06 13:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Driving Test Success
2007-08-03 21:28 <DIR> d-------- C:\TempDVD
2007-08-03 21:27 <DIR> d-------- C:\Program Files\dvdSanta
2007-08-03 11:13 <DIR> d-------- C:\Program Files\GetRight
2007-07-31 17:28 <DIR> d-------- C:\DOCUME~1\BENJAM~1\.zone1511
2007-07-31 17:20 <DIR> d-------- C:\Program Files\ZoiPPE
2007-07-31 00:33 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-30 22:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-22 10:27 <DIR> d-------- C:\Program Files\Siber Systems
2007-07-13 10:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE
2007-07-08 21:01 <DIR> d-------- C:\Program Files\IMVU
2007-07-08 16:19 <DIR> d-------- C:\Program Files\DIFX
2007-07-08 16:19 <DIR> d-------- C:\Program Files\Common Files\ComponentOne
2007-07-08 16:10 <DIR> d-------- C:\Program Files\Fomine NetSend
2007-07-05 20:55 <DIR> d-------- C:\DOCUME~1\BENJAM~1\APPLIC~1\CoreFTP
2007-07-03 21:18 <DIR> d-------- C:\Program Files\Vextractor Demo 3.80

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 11:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-29 20:51 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 23:42 --------- d-------- C:\DOCUME~1\BENJAM~1\APPLIC~1\uTorrent
2007-08-04 10:39 --------- d-------- C:\Program Files\Cheat Engine
2007-08-03 11:13 --------- d-------- C:\DOCUME~1\BENJAM~1\APPLIC~1\GetRightToGo
2007-07-31 19:53 --------- d-------- C:\DOCUME~1\BENJAM~1\APPLIC~1\LimeWire
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-13 10:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-13 10:38 --------- d-------- C:\Program Files\GlobalSCAPE
2007-06-29 22:52 --------- d-------- C:\DOCUME~1\BENJAM~1\APPLIC~1\SmartFTP
2007-06-29 19:51 --------- d-------- C:\Program Files\Scriptocean
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-03 14:08 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2004-08-04 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 12:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA8327F-277A-4112-8615-05CBB1C51C9C}]
C:\WINDOWS\system32\jkkjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55EDB93B-6FCC-2A25-DA97-095A187E5D18}]
2007-08-29 16:45 122880 --a------ C:\Program Files\Dnonezsy\rlzoyrvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CAB10F-77BA-48F8-98BC-09B9F717E840}]
C:\WINDOWS\system32\awvts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BAC7AC8-F276-4202-A83B-BD841314D4CF}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 23:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"srglqnqt"="C:\Program Files\nmxcvgta\pybunslm.dll" [2007-08-10 13:29]
"ahahslar"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ahahslar.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-24 17:22]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 11:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"ZoiPPE"="C:\Program Files\ZoiPPE\ZoiPPE.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfd]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh]
C:\WINDOWS\system32\jkkjh.dll

R0 isdnlink;isdnlink;C:\WINDOWS\system32\DRIVERS\linkisdn.sys
R0 SLyxFltr;TI StorageLynx Device Alignment Filter;C:\WINDOWS\system32\DRIVERS\SLyxFltr.sys
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 PRISM_USB;D-Link Air Wireless USB Adapter
Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys S3 CEDRIVER52;CEDRIVER52;\??\C:\Program Files\Cheat Engine\dbk32.sys S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys S3 InterServer;InterBase InterClient Server;C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe S3 kqemu;KQEMU virtualisation module for QEMU;C:\WINDOWS\system32\DRIVERS\kqemu.sys S3 PAC207;CamMaestro 3.01 DU PC Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys S3 wampmysqld;wampmysqld;"C:\Program Files\wamp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\wamp\mysql\my.ini" wampmysqld S3 wanlink;wanlink;C:\WINDOWS\system32\DRIVERS\wanlink.sys *Newly Created Service* - COMHOST Contents of the 'Scheduled Tasks' folder 2007-08-27 22:42:51 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Benjamin.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-30 12:04:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-30 12:08:10 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 
2007-08-30 12:07 --- E O F --- ComboFix-quarantined-files.txtCode:1995-12-22 19:16 432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\CFX32.LIC.vir 1996-06-10 23:24 307200 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\CFX32.OCX.vir 2002-03-02 05:10 53299 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir 2003-04-04 15:54 208896 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir 2003-04-04 16:03 57344 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir 2003-04-04 16:07 30336 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir 2006-11-16 11:33 3522 --a--c--- C:\Qoobox\Quarantine\C\Program Files\NewDotNet\readme.txt.vir 2007-02-09 22:25 27 --a------ C:\Qoobox\Quarantine\J\autorun.inf.vir 2007-02-09 23:25 27 --a------ C:\Qoobox\Quarantine\K\autorun.inf.vir 2007-02-19 21:21 30 --a------ C:\Qoobox\Quarantine\I\autorun.inf.vir 2007-06-02 09:28 1093836 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.bak1.vir 2007-06-03 00:13 1095054 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.tmp.vir 2007-06-03 10:33 1095250 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.ini.vir 2007-06-03 11:01 1095526 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.ini2.vir 2007-07-08 21:23 15399 --a------ C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir 2007-07-13 10:22 20992 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winexy32.dll.vir 2007-07-13 10:27 6369 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.bak1.vir 2007-07-13 20:58 48947 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.tmp.vir 2007-07-13 22:11 52938 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.ini.vir 2007-07-14 19:01 1363574 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.bak2.vir 2007-07-14 19:27 1364355 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.ini2.vir 2007-07-15 19:27 1364800 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.tmp.vir 2007-07-15 23:13 1364800 --a------ 
C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.ini.vir 2007-07-30 15:49 69184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vtusnrvb.dll.vir 2007-08-01 17:12 1076520 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.bak2.vir 2007-08-01 17:12 1076537 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.bak1.vir 2007-08-01 20:56 1130404 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.ini2.vir 2007-08-25 16:11 43542 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qomkihi.dll.vir 2007-08-25 16:16 298080 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vtutu.dll.vir 2007-08-28 11:56 1006650 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.bak2.vir 2007-08-29 11:56 1004923 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.bak1.vir 2007-08-29 12:00 156 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir 2007-08-29 15:24 43542 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\byxuspq.dll.vir 2007-08-29 16:45 262144 --a------ C:\Qoobox\Quarantine\C\Program Files\SecCenter\scprot4.exe.vir 2007-08-30 11:12 1057468 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.ini.vir 2007-08-30 11:44 43542 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\khfgecb.dll.vir 2007-08-30 11:58 1326 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf 2007-08-30 11:58 2354 --a------ C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf 2007-08-30 11:58 352 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf 2007-08-30 11:59 157 --a------ C:\Qoobox\Quarantine\catchme.log 2007-08-30 11:59 23512 --a------ C:\Qoobox\Quarantine\catchme2007-08-30_120432.54.zip 2007-08-30 12:07 816162 --a------ C:\Qoobox\snapshot_2007-08-30_120713.46.cf Folder PATH listing Volume serial number is 7CA0-C620 C:\QOOBOX | snapshot_2007-08-30_120713.46.cf | \---Quarantine | catchme.log | catchme2007-08-30_120432.54.zip | +---C | +---ComboFix | | FProps.vbs.vir | | | +---Program Files | | +---NewDotNet | | | readme.txt.vir | | | | | \---SecCenter 
| | scprot4.exe.vir | | | \---WINDOWS | | cookies.ini.vir | | | \---system32 | | bbeeg.bak1.vir | | bbeeg.bak2.vir | | bbeeg.ini.vir | | bbeeg.ini2.vir | | bbeeg.tmp.vir | | byxuspq.dll.vir | | CFX32.LIC.vir | | CFX32.OCX.vir | | khfgecb.dll.vir | | packet.dll.vir | | pthreadVC.dll.vir | | qomkihi.dll.vir | | stvwa.bak1.vir | | stvwa.ini.vir | | stvwa.ini2.vir | | stvwa.tmp.vir | | ututv.bak1.vir | | ututv.bak2.vir | | ututv.ini.vir | | vtusnrvb.dll.vir | | vtutu.dll.vir | | winexy32.dll.vir | | wpcap.dll.vir | | ybadd.bak1.vir | | ybadd.bak2.vir | | ybadd.ini.vir | | ybadd.ini2.vir | | ybadd.tmp.vir | | | \---drivers | npf.sys.vir | +---I | autorun.inf.vir | +---J | autorun.inf.vir | +---K | autorun.inf.vir | \---Registry_backups LEGACY_NPF.reg.cf services_nm.reg.cf services_NPF.reg.cf
Last edited by benjamin_harris; 30-08-2007 at 12:14 PM. Reason: added more info
Please do not use 'Code Boxes' - it makes it very hard to review and directly address the content listing.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO. This is very important to get an optimal and comprehensive fix. Warning: running option #2 on a non-infected computer will remove your Desktop background.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O2 - BHO: (no name) - {66CAB10F-77BA-48F8-98BC-09B9F717E840} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {7BAC7AC8-F276-4202-A83B-BD841314D4CF} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O4 - HKLM\..\Run: [J2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
Run Vundo again using slightly different instructions:
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once the scan is complete, Right Click inside the listbox (white box) and click add more files
- Copy&Paste the 2 entries below into the top 2 boxes
- C:\WINDOWS\system32\qomkihi.dll
- C:\WINDOWS\system32\vtutu.dll
- Click Add Files and Click Close Window
- Click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
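As an added example (not part of this thread, of HijackThis or of VundoFix), a small Python triage script that encodes the patterns behind the fix list in the reply above: unnamed BHOs whose DLL is missing or has a generated-looking name, Run entries that load a DLL through rundll32 or regsvr32 /u, and Winlogon Notify DLLs that are missing or generated-looking. The sample lines are copied from this thread's HijackThis logs; the line formats, the vowel-count heuristic and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from this thread's HijackThis logs, mixing
# the entries the helper put on the fix list with benign neighbours.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes as they appear in the HijackThis 2.0 logs above (assumed, not from the tool's docs).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - \S+: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# rundll32 / regsvr32 at the start of a Run command, optionally quoted or with a directory prefix.
LOADER_RE = re.compile(r'^"?(?:[^"\s]*\\)?(?P<loader>rundll32|regsvr32)(?:\.exe)?\b(?P<args>.*)$', re.IGNORECASE)

VOWELS = frozenset("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic for the auto-generated names seen in this thread (jkkjh, jkhfd,
    awvts, rlzoyrvd, pybunslm): 5-8 lowercase letters with no vowel, or at least
    7 letters with at most one vowel. A hint for review, not proof of anything."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowels = sum(ch in VOWELS for ch in stem)
    return vowels == 0 or (len(stem) >= 7 and vowels <= 1)


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\jkkjh.dll' -> 'jkkjh'."""
    base = path.rstrip().rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = O2_RE.match(line)
    if m:
        if m.group("name") != "(no name)":
            return None
        if m.group("missing"):
            return Finding(line, "unnamed BHO whose DLL is already gone (stale registration left behind by a removed DLL)")
        if looks_generated(file_stem(m.group("path"))):
            return Finding(line, "unnamed BHO pointing at a generated-looking DLL name")
        return None
    m = O4_RE.match(line)
    if m:
        lm = LOADER_RE.match(m.group("cmd"))
        if not lm:
            return None
        loader = lm.group("loader").lower()
        if loader == "regsvr32" and re.search(r"\s/u\b", lm.group("args")):
            return Finding(line, "Run entry calls regsvr32 /u on a DLL at every logon; /u still loads the DLL "
                                 "and runs its DllUnregisterServer, so code executes despite looking like a clean-up")
        return Finding(line, f"Run entry loads a DLL through {loader} instead of starting a program")
    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding(line, "Winlogon Notify DLL that no longer exists (orphaned notify package)")
        if looks_generated(m.group("name")):
            return Finding(line, "Winlogon Notify DLL with a generated-looking name")
        return None
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        found = triage_line(raw.strip())
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```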
This is the Report log (sorry about the previous code boxes)
SmitFraudFix v2.217
Scan done at 13:08:38.04, 30/08/2007
Run from C:\Documents and Settings\Benjamin New\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Benjamin New
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Benjamin New\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BENJAM~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 62.241.162.200
DNS Server Search Order: 62.241.163.200
Description: D-Link Air DWL-122 Wireless USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 62.241.162.200
DNS Server Search Order: 62.241.163.200
HKLM\SYSTEM\CCS\Services\Tcpip\..\{08C6C888-7D23-4835-892E-7EC4CC3C2E7E}: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer=62.241.162.200,62.241.163.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{08C6C888-7D23-4835-892E-7EC4CC3C2E7E}: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer=62.241.162.200,62.241.163.200
HKLM\SYSTEM\CS3\Services\Tcpip\..\{08C6C888-7D23-4835-892E-7EC4CC3C2E7E}: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer=62.241.162.200,62.241.163.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.241.162.200 62.241.163.200
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
VundoFix Log
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 11:07:38 30/08/2007
Listing files found while scanning....
C:\windows\system32\aoptavkv.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\windows\system32\eiwnwija.dll
C:\WINDOWS\system32\eogskjff.dll
C:\WINDOWS\system32\gqcimibq.dll
C:\windows\system32\hffsvfmd.dll
C:\WINDOWS\system32\hrhdobtd.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll
C:\windows\system32\jqalbwcl.dll
C:\windows\system32\qcctiotu.dll
C:\windows\system32\snyauwku.ini
C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\vtutqpm.dll
C:\WINDOWS\system32\vtutu.dll
Beginning removal...
Attempting to delete C:\windows\system32\aoptavkv.dll
C:\windows\system32\aoptavkv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.tmp Has been deleted!
Attempting to delete C:\windows\system32\eiwnwija.dll
C:\windows\system32\eiwnwija.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gqcimibq.dll
C:\WINDOWS\system32\gqcimibq.dll Has been deleted!
Attempting to delete C:\windows\system32\hffsvfmd.dll
C:\windows\system32\hffsvfmd.dll Has been deleted!
Attempting to delete C:\windows\system32\jqalbwcl.dll
C:\windows\system32\jqalbwcl.dll Has been deleted!
Attempting to delete C:\windows\system32\qcctiotu.dll
C:\windows\system32\qcctiotu.dll Has been deleted!
Attempting to delete C:\windows\system32\snyauwku.ini
C:\windows\system32\snyauwku.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\ukwuayns.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 11:19:05 30/08/2007
Listing files found while scanning....
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 13:16:25 30/08/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Performing Repairs to the registry.
Done!
New HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:29:25, on 30/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe
--
End of file - 9184 bytes
Thanks very much. No more errors at startup and I have not had a popup yet (I have had Vundo about 3 times; I remove it, then it somehow comes back).
Kind Regards
Ben
Last edited by benjamin_harris; 30-08-2007 at 01:32 PM. Reason: added thanks :D
HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here
Submit the following file(s) to VirusTotal for their immediate evaluation and feedback. Use any of the following methods, as appropriate:
- Locate FULL FILE PATH if not apparent. Use Start (BUTTON)>Search, [WINDOWS+F] keys, or F3 key (from desktop).
- Copy & Paste the FULL FILE PATH into the input BOX
-- OR --- Navigate to the file in question.
Post those results in your next reply (if malware findings were indicated) for:
C:\Program Files\nmxcvgta\pybunslm.dll
C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll
Let us see/review what is loaded on your PC:
- Run HijackThis and Click Open the Misc Tools section button.
- Then click the Open Uninstall Manager… button.
- Click the Save list… button. Save uninstall_list to your desktop.
- Open the Uninstall list file and post in your next reply, please.
Your system has an outdated version(s) of Sun Java that could create serious security exposure issues for your PC.
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Update your Java.
Older JAVA versions have vulnerabilities that malware can and are using to infect systems.
Please follow these steps to remove older version Java components.
- Close any programs you may have running, ESPECIALLY your web browser
- Click Start > Control Panel.
- Click Add/Remove Programs.
- Check any item with Java Runtime Environment (JRE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove all versions of Java.
- Reboot your computer once all Java components are removed.
Download the latest version of Java Runtime Environment (JRE) 6.0 Update 2 or higher, and install it to your computer.
New Version should show as (HijackThis log):
C:\Program Files\Java\jre1.6.0_02\… or higher
C:\Program Files\nmxcvgta\pybunslm.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)
C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)
Installed stuff
$MY_NAME
Acoustica MP3 Audio Mixer
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Advanced Site Submitter 1.0
Age of Empires III
AppCore
Apple Software Update
ArcSoft WebCam Companion
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoHotkey 1.0.46.05
AutoIt v2.64
AutoIt v3.2.2.0
AV
Borland Delphi 7
CamMaestro 3.01 DU PC Camera
ccCommon
Cheat Engine 5.3
CNXT V92 Data Fax Voice
CuteFTP 6 Professional
CuteFTP 8 Professional
DivX
DivX Web Player
Drag Racer v3
Driving Test Success 2007/8
DVD7
dvdSanta 4.00
Empire Earth
Fish Tycoon
Fomine NetSend (remove only)
Free Natural text to speech reader
FreeUndelete
GetRight
GetRight Pro
Google Earth
Google SketchUp 6
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Web Accelerator
Guild Wars
Guild Wars Manager
Hex Workshop v4.23
High Definition Audio Driver Package - KB835221
HijackThis 2.0.0
Hits Generator
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
hp psc 900 series
Hutchinson Educational Encyclopedia 2000
InterVideo WinDVD 4
iPod for Windows 2005-01-11
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
Java(TM) SE Development Kit 6
KQEMU virtualisation module for QEMU
LimeWire PRO 4.12.6
LiveUpdate 3.2 (Symantec Corporation)
Lizardtech DjVu Control (autoinstall)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia FlashPaper 2
Match-Up!
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Reader Text-to-Speech for English
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
mobile PhoneTools
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (2.0.0.6)
MSRedist
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Perfect Macro Recorder 1.50
Personal License Update Wizard for Windows Media Player
Pinnacle Hollywood FX for Studio
Pinnacle InstantCD/DVD Suite
Pizza Connection 2
QuickTime
Rally Championship Xtreme
RealPlayer
Realtek AC'97 Audio
Rome - Total War(TM)
SBP2 Filter
Screen Movie Studio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SEGA RALLY 2
SEMC DSS SyncStation Driver
Shockwave
SimCity 3000
Ski Park Manager
Skype 2.5
SPBBC 32bit
SpeechRedist
SpeedFan (remove only)
Studio 9
SymNet
System Requirements Lab
TeamSpeak 2 RC2
tunebite 2.2.0.3
Unreal Tournament 2004
Unreal Tournament G.O.T.Y. Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
USB Dual-mode Camera v200 Installation Files
Video Converter 3
VideoEgg Publisher
V-Rally version 1.0 Installer
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Bonus Pack for Windows XP
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinPcap 3.0
WinRAR archiver
Xfire (remove only)
XviD 1.1 final uninstall
I removed most Java, but I got an error when trying to uninstall Java(TM) SE Development Kit 6.
Also I'm not sure which new Java to get.
Thanks Very Much
Ben
Download the latest version of Java Runtime Environment (JRE) 6.0 Update 2 or higher, and install it to your computer.
Also I'm not sure which new Java to get.
There is probably no likely useful purpose that you require from those apps. Suggest you fix:
C:\Program Files\nmxcvgta\pybunslm.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)
C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)
Read over the following directions. Ask if anything appears unclear to you.
Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner http://www.ccleaner.com/downloadbuilds.asp
Install Options:
- Don't install any Toolbars, or other programs, should it ask you!
- Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Do not run CCleaner until requested later.
We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
O4 - HKLM\..\Run: [SRGLQNQT] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll"
Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):
Run CCleaner.
FIRST-TIME USE:
Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.
Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
- Uncheck "Cookies" option (advisable)
- Optionally, Uncheck "Recently Typed URLs" option (potentially still useful)
- Click the "Analyse" button.
- Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.
***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll
DELETE FOLDERS:
C:\Program Files\nmxcvgta
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
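As an added illustration of why the two O4 entries singled out above stand out from the rest of the log (this is not HijackThis code or the helper's own tooling): a small Python triage that scores O4 autostart lines for the rundll32/regsvr32 DLL-loader pattern. The sample lines are copied from the logs in this thread; the weights, the threshold and the trusted-directory list are assumptions made for the example.

```python
# Added example for this thread (not HijackThis code or the helper's tooling): triage HijackThis
# O4 autostart lines for the DLL-loader pattern. Weights, threshold and TRUSTED_DIRS are assumptions.
import ntpath
import re
from dataclasses import dataclass, field

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A quoted string, or a bare token ending in .dll/.exe (unquoted paths containing spaces are not handled)
PATH_RE = re.compile(r'"([^"]+)"|(\S+?\.(?:dll|exe))', re.IGNORECASE)
LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}
# Locations treated as expected on the poster's XP box (assumption for this example, not an allow-list to rely on)
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\program files\\common files\\symantec shared")

@dataclass
class Finding:
    name: str
    target: str
    reasons: list = field(default_factory=list)  # (weight, explanation) pairs

    @property
    def score(self):
        return sum(w for w, _ in self.reasons)

    @property
    def suspicious(self):
        return self.score >= 3  # no single signal is enough on its own

def extract_paths(cmd):
    """Quoted strings and .dll/.exe tokens from the command, in order of appearance."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]

def looks_random(token):
    """Seven or more letters with fewer than two vowels (SRGLQNQT, pybunslm): a weak signal alone."""
    t = token.lower()
    return len(t) >= 7 and t.isalpha() and sum(c in "aeiou" for c in t) < 2

def triage(line):
    """Return a Finding for an O4 line, or None for any other HijackThis line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m["name"], m["cmd"]
    paths = extract_paths(cmd)
    head = cmd.split(None, 1)[0].lower()  # first token: the program actually started
    loader = head in LOADERS
    if loader:  # the autorun exists only to get a DLL loaded
        target = next((p for p in paths if p.lower().endswith(".dll")), "")
    else:
        target = paths[0] if paths else ""
    f = Finding(name, target)
    if loader:
        f.reasons.append((2, f"{head} used to load a DLL at logon"))
    if head.startswith("regsvr32") and "/u" in cmd.split():
        # /u still runs the DLL's DllUnregisterServer, so "unregistering" at every logon is a loader trick
        f.reasons.append((1, "regsvr32 /u at logon"))
    if target and not any(target.lower().startswith(d + "\\") for d in TRUSTED_DIRS):
        f.reasons.append((1, "target outside trusted directories"))
    stem = ntpath.splitext(ntpath.basename(target))[0]
    parent = ntpath.basename(ntpath.dirname(target))
    if any(looks_random(t) for t in (name, stem, parent)):
        f.reasons.append((1, "random-looking entry, file or folder name"))
    return f

def triage_log(lines):
    return [f for f in map(triage, lines) if f is not None]

# Constructed sample: the two lines the helper told the poster to fix, plus two ordinary ones from the same log
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [SRGLQNQT] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init',
    r'O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll"',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
]
```

Running `triage_log(SAMPLE_LOG)` scores the two Vundo loaders at 4 and the Norton and Messenger entries at 0 and 2, so only the loaders cross the threshold.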
Revised HiJackThis Log
Originally Posted by VopTHis
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:39:55, on 30/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\HiJackThis\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe
--
End of file - 8476 bytes
Feedback / Issues
All seems fine, no pop-ups recently, and no unwanted rubbish in the system tray. There was a problem (which I have had for a while now) which means when you start up, it runs the BIOS, then goes to a black screen for about 3 mins, then starts up normally; I'm not sure if it is still doing this after all this work. I will test and report back.
My C:\ drive is full of lots of files and folders, and I don't think I need them all; can I send you a list of them and you tell me which ones I can delete? (image list at following link, sorry about the large file, 260kb)
http://xe1.biz/FILES/C_Drive_file_list.jpg
Many thanks
Ben
Last edited by benjamin_harris; 30-08-2007 at 04:53 PM.