Virus.. please help
-
Hello!
I have a virus, or threat or spyware or something... I installed AVG 7.5 but the internet has stopped working so I can't get the updates. AVG has found 55 threats and has deleted most of them, but I still can't connect to the internet, and I get the following two messages at start-up:
Rundll
Error loading C:\Program Files\zyxehkju\hqpolgfq.dll
The specified module could not be found.
RefSvr32
LoadLibrary(“C:\Documents and Settings\All Users\Application Data\kfabcvir.dll”) failed – The specified module could not be found.
I have also run CCleaner since. I tried to install Spybot but I get the following message:
File Download
Error sending request.
The server or address could not be resolved
My HijackThis log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:35:00, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\?ppPatch\??chost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
E:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [edgncrgn] rundll32.exe "C:\Program Files\zyxehkju\hqpolgfq.dll",Init
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
O4 - HKCU\..\Run: [Idee] "C:\WINDOWS\system32\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Dbdxzh] "C:\Program Files\Common Files\?ppPatch\??chost.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196565359953
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
--
End of file - 6231 bytes
Thank you very much!
-
You are not running HijackThis (HJT) from a desired location. You really need to set up a dedicated folder for HJT items to avoid horrible clutter and/or potential lost backup issues.
It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
- Create a new folder in your C: Drive.
- Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and
- Move the HijackThis.exe file into the newly created FOLDER.
- Run HJT from there (and revise your shortcut accordingly).
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O4 - HKLM\..\Run: [EDGNCRGN] rundll32.exe "C:\Program Files\zyxehkju\hqpolgfq.dll",Init
Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a new HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
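An added editorial example, not part of either participant's posts and not the helper's or HijackThis's own code: the reasoning behind picking these lines out of a HijackThis log can be written down as a small triage script. It encodes the patterns seen in this thread's logs: a win.ini load= hook, rundll32 loading a DLL from a randomly named folder under Program Files, BHO and Winlogon Notify entries whose DLL is gone, a userinit.exe copy run from a subfolder of system32, a path with characters HijackThis prints as "?", and a file name with a space before ".exe" (the ComboFix log lists such a "ctfmon .exe" beside the real one). The sample lines are copied from the two logs posted in this thread; the rule wording, the SYSTEM_BINARIES list and the function names are my own.

```python
import re

# Sample HijackThis lines copied from the two logs posted in this thread
# (hand-picked selection; the text of each line is as posted).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O4 - HKLM\..\Run: [edgncrgn] rundll32.exe "C:\Program Files\zyxehkju\hqpolgfq.dll",Init
O4 - HKCU\..\Run: [Idee] "C:\WINDOWS\system32\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Dbdxzh] "C:\Program Files\Common Files\?ppPatch\??chost.exe"
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Jxmiknmu\mrcxejss.dll (file missing)
O20 - Winlogon Notify: mljjjgd - mljjjgd.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

SYSTEM32 = r"c:\windows\system32"
# Windows binaries that legitimately live only in system32 (assumed list, my own);
# a same-named file anywhere else is a look-alike.
SYSTEM_BINARIES = {"userinit.exe", "lsass.exe", "ctfmon.exe", "svchost.exe", "winlogon.exe"}

LINE_RE = re.compile(r"^([ORF]\d+) - (.*)$")
# A path is either quoted (may contain spaces and commas) or bare, ending at the first .exe/.dll
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll))', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def extract_paths(body):
    """Return every Windows path mentioned on one HijackThis line."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(body)]


def triage_line(line):
    """Return the reasons one HijackThis line deserves a second look ([] = nothing noticed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    lower = body.lower()
    reasons = []

    # win.ini load=/run= is a Windows 3.x-era autostart hook; current software does not use it
    if section.startswith("F") and re.search(r"\b(load|run)=\S", lower):
        reasons.append("legacy win.ini load=/run= autostart")

    # rundll32 itself is legitimate, so look at what it is asked to load and from where
    dll = RUNDLL_RE.search(body)
    if dll and not dll.group(1).lower().startswith(SYSTEM32 + "\\"):
        reasons.append("rundll32 loads a DLL from outside system32: " + dll.group(1))

    # A BHO or Winlogon Notify package whose file is gone still costs a load attempt at every
    # logon / browser start, so the registry reference should go. A missing service binary is
    # more often an uninstall leftover, so it gets softer wording.
    if "(file missing)" in lower:
        if section in ("O2", "O20"):
            reasons.append("orphaned DLL reference (file missing)")
        elif section == "O23":
            reasons.append("service binary missing (verify: often an uninstall leftover)")

    for path in extract_paths(body):
        parent, _, name = path.rpartition("\\")
        if "?" in path:
            reasons.append("path contains characters HijackThis could not print: " + path)
        if re.search(r"\s\.(exe|dll)$", name, re.I):
            reasons.append("space before the file extension (look-alike of a real binary): " + name)
        if name.lower() in SYSTEM_BINARIES and parent.lower() != SYSTEM32:
            reasons.append("system binary name outside system32: " + path)
    return reasons


def triage(log_text):
    """Map each suspicious line of a HijackThis log to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for reason in why:
            print("   ->", reason)
```

Run as a script it prints the eight flagged lines with their reasons and stays silent on the Java updater and AVG entries. The rules deliberately avoid guessing at "random-looking" names, because vendor abbreviations such as avgupsvc.exe look just as random to a letter-frequency test; structural facts (where a file sits, which hook loads it, whether it exists) are what the helper's picks rest on.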
-
Hello!
Thank you for your reply.
I have done as you said. Another problem appeared now. I get the following message constantly (box appears every 10 seconds):
RUNDLL
Error Loading
The specified module could not be found
Is there any way I can stop this?
Here are my logs:
ComboFix:
ComboFix 07-12-21.4 - Aphroditi 2007-12-24 11:37:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT 0:00]
Running from: C:\Documents and Settings\Aphroditi\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Aphroditi\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Aphroditi\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Aphroditi\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Liam\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Liam\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Liam\Desktop\Go to Casino.lnk
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\pppatc~1\??chost.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Helper
C:\Program Files\Helper\Helper8.dll
C:\Program Files\Helper\superfindout.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\SecCenter
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\lsass.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\juvprpba
C:\WINDOWS\system32\juvprpba\bg1.gif
C:\WINDOWS\system32\juvprpba\bgtop.gif
C:\WINDOWS\system32\juvprpba\bottom1.gif
C:\WINDOWS\system32\juvprpba\essentials.gif
C:\WINDOWS\system32\juvprpba\icon1.ico
C:\WINDOWS\system32\juvprpba\install1.gif
C:\WINDOWS\system32\juvprpba\juvprpba1.exe
C:\WINDOWS\system32\juvprpba\juvprpba2.exe
C:\WINDOWS\system32\juvprpba\juvprpba3.exe
C:\WINDOWS\system32\juvprpba\left1.gif
C:\WINDOWS\system32\juvprpba\li.gif
C:\WINDOWS\system32\juvprpba\logo.gif
C:\WINDOWS\system32\juvprpba\main.htm
C:\WINDOWS\system32\juvprpba\mainframe.htm
C:\WINDOWS\system32\juvprpba\reinstall1.gif
C:\WINDOWS\system32\juvprpba\right1.gif
C:\WINDOWS\system32\juvprpba\s1.htm
C:\WINDOWS\system32\juvprpba\s2.htm
C:\WINDOWS\system32\juvprpba\s3.htm
C:\WINDOWS\system32\juvprpba\SMTop1.gif
C:\WINDOWS\system32\juvprpba\SMTop2.gif
C:\WINDOWS\system32\juvprpba\SMTop3.gif
C:\WINDOWS\system32\juvprpba\SMTop4.gif
C:\WINDOWS\system32\juvprpba\soft1_off.gif
C:\WINDOWS\system32\juvprpba\soft1_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft1_on.gif
C:\WINDOWS\system32\juvprpba\soft1_on_ext.gif
C:\WINDOWS\system32\juvprpba\soft2_off.gif
C:\WINDOWS\system32\juvprpba\soft2_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft2_on.gif
C:\WINDOWS\system32\juvprpba\soft2_on_ext.gif
C:\WINDOWS\system32\juvprpba\soft3_off.gif
C:\WINDOWS\system32\juvprpba\soft3_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft3_on.gif
C:\WINDOWS\system32\juvprpba\soft3_on_ext.gif
C:\WINDOWS\system32\juvprpba\softbottom_off.gif
C:\WINDOWS\system32\juvprpba\softbottom_on.gif
C:\WINDOWS\system32\juvprpba\softleft_off.gif
C:\WINDOWS\system32\juvprpba\softleft_on.gif
C:\WINDOWS\system32\juvprpba\top1.gif
C:\WINDOWS\system32\juvprpba\top2.gif
C:\WINDOWS\system32\juvprpba\turnoff1.gif
C:\WINDOWS\system32\juvprpba\turnon1.gif
C:\WINDOWS\system32\nncf.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\smbols~1\s?mbols\
C:\WINDOWS\system32\smbols~1\userinit .exe
C:\WINDOWS\system32\winopn32.dll
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\xpdx.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\xpdx
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.
2007-12-24 11:41 . 2007-12-24 11:41 319 --ahs---- C:\WINDOWS\system32\ihkmp.ini2
2007-12-24 11:41 . 2007-12-24 11:41 319 --ahs---- C:\WINDOWS\system32\ihkmp.ini
2007-12-24 11:26 . 2007-12-24 11:36 <DIR> d-------- C:\HJT
2007-12-24 10:38 . 2007-12-24 10:38 337,920 --a------ C:\WINDOWS\system32\RCX5B.tmp
2007-12-24 10:38 . 2007-12-24 10:38 268 --ah----- C:\sqmdata05.sqm
2007-12-24 10:38 . 2007-12-24 10:38 244 --ah----- C:\sqmnoopt05.sqm
2007-12-23 20:36 . 2007-12-23 20:36 <DIR> d-------- C:\Program Files\Canon
2007-12-23 18:46 . 2007-12-23 18:46 248 --a------ C:\WINDOWS\RomeTW.ini
2007-12-23 18:32 . 2007-12-23 18:32 <DIR> d-------- C:\Program Files\Activision
2007-12-23 18:31 . 2007-12-23 18:31 268 --ah----- C:\sqmdata04.sqm
2007-12-23 18:31 . 2007-12-23 18:31 244 --ah----- C:\sqmnoopt04.sqm
2007-12-23 18:30 . 2007-12-23 18:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-23 18:06 . 2007-12-23 18:06 268 --ah----- C:\sqmdata03.sqm
2007-12-23 18:06 . 2007-12-23 18:06 244 --ah----- C:\sqmnoopt03.sqm
2007-12-23 17:21 . 2007-12-23 17:21 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-23 17:21 . 2007-12-23 17:21 <DIR> d-------- C:\Program Files\CCleaner
2007-12-23 16:38 . 2007-12-23 16:38 268 --ah----- C:\sqmdata02.sqm
2007-12-23 16:38 . 2007-12-23 16:38 244 --ah----- C:\sqmnoopt02.sqm
2007-12-23 12:34 . 2007-12-23 12:34 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-23 12:33 . 2007-12-24 10:38 <DIR> d-------- C:\Documents and Settings\Aphroditi\Application Data\AVG7
2007-12-23 12:32 . 2007-12-23 12:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-23 12:32 . 2007-12-23 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 12:32 . 2007-12-23 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-23 12:32 . 2007-12-23 12:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-23 12:31 . 2007-12-23 12:31 337,920 --a------ C:\WINDOWS\system32\RCX4D.tmp
2007-12-23 12:31 . 2007-12-23 16:40 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 12:22 . 2007-12-23 12:14 32,981,120 --------- C:\Documents and Settings\Aphroditi\avg75free_516a1225.exe
2007-12-23 12:08 . 2007-12-23 12:08 268 --ah----- C:\sqmdata01.sqm
2007-12-23 12:07 . 2007-12-23 12:07 244 --ah----- C:\sqmnoopt01.sqm
2007-12-23 11:59 . 2007-12-23 11:59 337,920 --a------ C:\WINDOWS\system32\RCX50.tmp
2007-12-23 11:59 . 2007-12-23 12:36 26,624 --a------ C:\WINDOWS\lsass .exe
2007-12-22 11:56 . 2007-12-22 11:56 26,624 -r-hs---- C:\Program Files\lsass.exe
2007-12-22 11:55 . 2007-12-22 11:55 1 --a------ C:\WINDOWS\system32\rc.dat
2007-12-22 11:55 . 2007-12-22 11:55 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-12-22 11:55 . 2007-12-22 11:55 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-12-22 11:53 . 2007-12-22 11:53 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\ATI
2007-12-22 11:19 . 2007-12-24 11:37 337,920 --a------ C:\WINDOWS\system32\pmkhi.exe
2007-12-22 11:16 . 2007-12-22 11:16 268 --ah----- C:\sqmdata00.sqm
2007-12-22 11:16 . 2007-12-22 11:16 244 --ah----- C:\sqmnoopt00.sqm
2007-12-13 20:34 . 2007-12-23 12:48 <DIR> d-------- C:\Program Files\zyxehkju
2007-12-13 20:34 . 2007-12-23 12:38 <DIR> d-------- C:\Program Files\Jxmiknmu
2007-12-13 20:34 . 2007-12-13 20:34 2 --a------ C:\609099310
2007-12-12 00:39 . 2007-12-24 11:37 <DIR> d-------- C:\Program Files\QuickTime
2007-12-12 00:39 . 2007-12-24 11:37 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 00:39 . 2007-12-12 00:39 <DIR> d-------- C:\Program Files\iPod
2007-12-12 00:39 . 2007-12-12 00:39 <DIR> d-------- C:\Documents and Settings\Aphroditi\Application Data\Apple Computer
2007-12-12 00:39 . 2007-12-24 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-12 00:39 . 2007-12-12 00:40 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-12 00:38 . 2007-12-12 00:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-12 00:38 . 2007-12-12 00:38 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-12 00:38 . 2007-12-12 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-12 00:38 . 2007-12-12 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-12 00:13 . 2007-12-12 00:13 <DIR> d-------- C:\Documents and Settings\Aphroditi\Movies
2007-12-03 22:23 . 2007-12-03 22:23 <DIR> d-------- C:\Documents and Settings\Liam\Movies etc
2007-12-02 23:44 . 2007-12-02 23:44 <DIR> d-------- C:\WINDOWS\Sun
2007-12-02 23:43 . 2007-12-02 23:43 <DIR> d-------- C:\Program Files\Java
2007-12-02 23:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-02 23:41 . 2007-12-02 23:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 23:41 . 2007-12-02 23:44 659 --a------ C:\WINDOWS\mozver.dat
2007-12-02 22:58 . 2005-05-02 16:00 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2007-12-02 22:53 . 2007-12-02 22:53 <DIR> d-------- C:\Documents and Settings\Aphroditi\Application Data\Media Player Classic
2007-12-02 22:52 . 2007-12-02 22:52 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-02 22:43 . 2007-12-02 22:43 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-02 22:37 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-02 22:37 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-02 22:37 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-02 16:59 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-02 03:50 . 2007-12-02 03:50 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-02 03:50 . 2007-12-02 03:50 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-02 03:50 . 2007-12-02 03:50 <DIR> d-------- C:\Documents and Settings\Aphroditi\Contacts
2007-12-02 03:49 . 2007-12-12 00:38 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-02 03:46 . 2007-12-02 03:49 <DIR> d-------- C:\Program Files\Windows Live
2007-12-02 03:46 . 2007-12-02 03:49 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-02 03:46 . 2007-12-02 03:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-02 03:42 . 2007-12-02 03:42 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2007-12-02 03:16 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-02 03:16 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-02 03:16 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-02 03:16 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-02 03:16 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-02 03:15 . 2007-12-02 03:15 <DIR> d--hs---- C:\Documents and Settings\Aphroditi\UserData
2007-12-02 03:13 . 2007-12-02 03:13 <DIR> d-------- C:\Program Files\Google
2007-12-02 03:13 . 2007-12-02 03:13 759 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-02 03:11 . 2007-12-12 00:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-02 03:10 . 2007-12-02 03:10 <DIR> d-------- C:\Documents and Settings\Aphroditi\Application Data\ATI
2007-12-02 03:01 . 2007-12-02 03:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-02 03:01 . 2007-12-02 03:01 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-02 03:01 . 2007-12-02 03:01 <DIR> d-------- C:\Program Files\MSBuild
2007-12-02 03:01 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-02 03:00 . 2007-12-02 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-02 02:43 . 2007-12-02 03:07 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-02 02:43 . 2006-12-20 21:05 520,192 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-12-02 02:19 . 2007-12-02 02:19 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-01 23:40 . 2007-12-01 23:40 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-12-01 23:40 . 2007-12-01 23:40 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2007-12-01 23:40 . 2007-12-01 23:40 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2007-12-01 23:32 . 2003-10-03 16:28 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-12-01 23:32 . 2005-06-07 01:51 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-12-01 23:32 . 2005-01-06 02:02 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2007-12-01 23:30 . 2007-12-02 22:58 <DIR> d-------- C:\Program Files\Realtek
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 19:33 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}]
C:\Program Files\Jxmiknmu\mrcxejss.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1867AC5-8518-4933-B1C6-B424F7652E99}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-24 11:37]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr .exe" [2007-12-24 11:41]
"Idee"="C:\WINDOWS\system32\SMBOLS~1\userinit. exe" []
"Dbdxzh"="C:\Program Files\Common Files\?ppPatch\??chost.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [2007-12-24 11:41]
"SkyTel"="SkyTel.EXE" [2006-05-15 19:04 C:\WINDOWS\SkyTel.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2007-12-24 11:41]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-11 17:58 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-24 11:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [2007-12-24 11:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-24 11:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 11:41]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-23 16:50]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjjgd]
mljjjgd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\pmkhi
.
Contents of the 'Scheduled Tasks' folder
"2007-12-12 00:38:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 11:18:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 11:41:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\pmkhi.dll
.
Completion time: 2007-12-24 11:42:23 - machine was rebooted
.
2007-12-12 01:14:48 --- E O F ---
and the hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:43, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
C:\PROGRA~1\Grisoft\AVG7\avgcc .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Jxmiknmu\mrcxejss.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Module - {C1867AC5-8518-4933-B1C6-B424F7652E99} - sbufke.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
O4 - HKCU\..\Run: [Idee] "C:\WINDOWS\system32\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Dbdxzh] "C:\Program Files\Common Files\?ppPatch\??chost.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196565359953
O20 - Winlogon Notify: mljjjgd - mljjjgd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
--
End of file - 7003 bytes
-
I have now restarted and the RUNDLL message has not appeared again.
The internet is still not working though, and Firefox does not load.
-
You acquired an info-stealing TROJAN - extreme caution may be advisable (including a potential clean install):
http://www.castlecops.com/modules.ph...6-B424F7652E99
Read over the following directions. Ask if anything appears unclear to you.
If you cannot easily run the suggested CCleaner program (below), initially run the 'Cleanmgr' that comes with Windows:
Start>Run>CLEANMGR (Enter key)
Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner http://www.ccleaner.com/downloadbuilds.asp
Install Options:
- Don't install any Toolbars, or other programs, should it ask you!
- Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Do not run CCleaner until requested later.
We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Jxmiknmu\mrcxejss.dll (file missing)
O2 - BHO: Google Module - {C1867AC5-8518-4933-B1C6-B424F7652E99} - sbufke.dll (file missing)
O4 - HKCU\..\Run: [Idee] "C:\WINDOWS\system32\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Dbdxzh] "C:\Program Files\Common Files\?ppPatch\??chost.exe"
O20 - Winlogon Notify: mljjjgd - mljjjgd.dll (file missing)
Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):
Run CCleaner.
FIRST-TIME USE:
Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.
Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
- Uncheck "Cookies" option (advisable)
- Optionally, Uncheck "Recently Typed URLs" option (potentially still useful)
- Click the "Analyse" button.
- Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.
***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
C:\WINDOWS\lsass.exe
C:\Program Files\lsass.exe
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\pmkhi.exe
C:\Program Files\zyxehkju
C:\Program Files\Jxmiknmu
C:\609099310
*.TMP (use exact text search string)
*.SQM (MSN clutter)
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
In particular, let us know if you are seeing any frequent POPUPS. In that case run the following:
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
-
Hello,
sorry, I've been away. I have now done the above.
I could not find the following in HijackThis:
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Jxmiknmu\mrcxejss.dll (file missing)
O2 - BHO: Google Module - {C1867AC5-8518-4933-B1C6-B424F7652E99} - sbufke.dll (file missing)
O20 - Winlogon Notify: mljjjgd - mljjjgd.dll (file missing)
When I rebooted I got the following two messages:
1. Windows could not find "C:\Windows\system32\pmkhi.exe". Make sure you typed the name correctly and then try again. To search for a file click start button and then click Search.
2. Could not Load or run "C:\Windows\system32\pmkhi.exe" specified in the registry. Make sure the file exists on the computer or remove the reference to it in the registry.
Apart from that, the internet is not working still. I know there is nothing wrong with the wireless card because I also run linux from the same computer and I have no problem with the internet there.
Find the new HijackThis log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:55:31, on 12/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroC onfigation .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\PROGRA~1\Grisoft\AVG7\avgcc .exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroC onfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196565359953
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
--
End of file - 5949 bytes
Thank you very much for all your help!
Aphroditi
-

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
Click here to download Dr.Web CureIt and save it to your desktop.
- Double-click the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, see if you can click the icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Post the Dr. Web CureIt Results.
Also, please post a revised HijackThis LOG and any applicable feedback.
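The helpers' HijackThis fix lists in this thread follow a small set of triage rules: O2/O20/O23 entries that still point at a file marked "(file missing)", O4 autostarts whose path contains unprintable characters (shown as "?") or that run a Windows binary from the wrong directory, and a populated win.ini load= line (the F3 entry). The script below is an added example, not anything posted in the thread; it encodes those rules over log lines copied from the logs above (plus two benign entries), and the SYSTEM_BINARIES table is an assumption chosen for this illustration.

```python
import re

# Constructed sample: entries taken from the HijackThis logs posted in this
# thread, plus a benign O4 and O23 line so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Jxmiknmu\mrcxejss.dll (file missing)
O4 - HKCU\..\Run: [Idee] "C:\WINDOWS\system32\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Dbdxzh] "C:\Program Files\Common Files\?ppPatch\??chost.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O20 - Winlogon Notify: mljjjgd - mljjjgd.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Assumed table for this example: Windows binaries with one legitimate home.
# The same name anywhere else (cf. the C:\WINDOWS\lsass.exe deletion above) is a lure.
SYSTEM_BINARIES = {"userinit.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)', re.I)

def triage(log_text):
    """Return [(line, reason)] for entries that merit the review the thread's
    helpers gave them. These are heuristics for a human to check, not verdicts."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O20", "O23") and "(file missing)" in body:
            findings.append((line, f"{sec}: registry still references a file that is gone"))
        elif sec == "O4":
            if "?" in body:
                findings.append((line, "O4: autostart path contains unprintable characters"))
            else:
                path = EXE_PATH_RE.search(body)
                if path:
                    full = path.group(1).lower()
                    name = full.rsplit("\\", 1)[-1]
                    expected = SYSTEM_BINARIES.get(name)
                    # a known system binary launched from any other directory
                    if expected and not full.startswith(expected + "\\" + name):
                        findings.append((line, f"O4: {name} running from an unexpected directory"))
        elif sec == "F3" and re.search(r"win\.ini:\s*load=\S", body):
            findings.append((line, "F3: legacy win.ini load= autostart is populated"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```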