1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need help wih spyware malar nd r posibly viruses

Discussion in 'Windows - Virus and spyware problems' started by batmanv1, Jun 8, 2007.

  1. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Computer Symptoms: Computer Restarts automatically, insane amount of pop-ups, outerinfo, windows encounters errors upon log in, internet explorer constantly freezes and stops responding

    It started when smeone tried installing a program i need help removing whatever the problem is.

    Here is a logfile from hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 11:12:07 AM, on 6/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Don't Touch This\Local Settings\Temp\wz7fff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163889300812
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163980362203
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

    if anyone can take a look and help me out please i dont think i got much time till my computer is completley finished.
     
  2. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Well... bleh. You have quite a bit of malware.

    Was this log done in Safe Mode? If it was, then I probably didn't pick up all of it...

    It looks like you're running HijackThis from a temporary folder. Please move it out of the temp folder to its own folder, as the backups are more likely to be deleted if they are in a temp folder. Afterwards, right-click on HijackThis and select "Rename". Rename it to asdf.

    Now, I want you to enable the viewing of hidden files. Open the Control Panel and select Folder Options. Click on the "View" tab at the top, and click "Show hidden files and folders". While you're at it, uncheck "Hide extensions for known file types".

    Next, go to the following website: http://www.virustotal.com At the top of the page, you will see a button that says "Browse" . Click that button, and paste the following into the box:

    C:\WINDOWS\smgr.exe

    Click "Open". Then, hit the orange-brownish "Send" button right next to it. You might have to wait a while. When the scan is done, a table will show up looking something like the one below. Ignore the one below that; just select all the text in the table and copy it into your reply.

    Please download VundoFix.exe to your desktop.

    Double-click VundoFix.exe to run it.

    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    This is just a precaution. Please download F-Secure BlackLight. Double-click the file to run it. Disconnect from the Internet before you do this - this is important. Accept the license agreement. You will now be presented with a screen that says Step 1 - Scan for hidden items. Click the "Scan" button; be patient. After the scan, if hidden objects are found, a log will open. Post that log in your reply. After the scan is finished, you may reconnect your Internet.

    In your reply:
    * The VirusTotal report for smgr.exe
    * A BlackLight log (if applicable)
    * A new HijackThis log (remember to move it out of the temp folder)
     
  3. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Ok sorry i tok so long witthe constant restarts it was almost impossible to scan the computer but here are all the log files:

    Blacklight:
    06/08/07 22:38:56 [Info]: BlackLight Engine 1.0.61 initialized
    06/08/07 22:38:56 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/08/07 22:38:56 [Note]: 7019 4
    06/08/07 22:38:56 [Note]: 7005 0
    06/08/07 22:38:56 [Note]: 7006 0
    06/08/07 22:38:56 [Note]: 7011 1656
    06/08/07 22:38:56 [Note]: 7026 0
    06/08/07 22:38:56 [Note]: 7026 0
    06/08/07 22:38:58 [Note]: FSRAW library version 1.7.1021
    06/08/07 22:47:37 [Info]: Hidden file: c:\WINDOWS\system32\windev-60b-4fc6.sys
    06/08/07 22:47:37 [Note]: 10002 1
    06/08/07 22:47:38 [Info]: Hidden file: c:\WINDOWS\system32\windev-peers.ini
    06/08/07 22:47:38 [Note]: 10002 1
    06/08/07 22:49:07 [Note]: 7007 0


    HijackThis:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:03:15 PM, on 6/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\DOCUME~1\DON'TT~1\LOCALS~1\Temp\powerwin.exe
    C:\DOCUME~1\DON'TT~1\LOCALS~1\Temp\win64.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\asdf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
    O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\nnnnlig.dll
    O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
    O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
    O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - C:\WINDOWS\system32\pmnnk.dll
    O2 - BHO: (no name) - {9109454B-D3DA-D90D-DD0A-FEADDF94289D} - C:\WINDOWS\system32\ddhcj.dll
    O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\ootoyibs.dll
    O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
    O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
    O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
    O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gnmdiwkb.dll
    O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
    O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qybukewm.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163889300812
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163980362203
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
    O20 - Winlogon Notify: nnnnlig - C:\WINDOWS\SYSTEM32\nnnnlig.dll
    O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)



    VirusTotal:AhnLab-V3 2007.6.9.0 06.08.2007 Win-Trojan/Alphabet.11776.N
    AntiVir 7.4.0.32 06.08.2007 TR/Dldr.Alphabet.11776.16
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.08.2007 no virus found
    AVG 7.5.0.467 06.08.2007 Downloader.Generic4.TDP
    BitDefender 7.2 06.09.2007 no virus found
    CAT-QuickHeal 9.00 06.08.2007 (Suspicious) - DNAScan
    ClamAV devel-20070416 06.09.2007 Trojan.Downloader-8305
    DrWeb 4.33 06.09.2007 Trojan.DownLoader.23031
    eSafe 7.0.15.0 06.06.2007 Win32.Alphabet.gen
    eTrust-Vet 30.7.3703 06.08.2007 Win32/Kastem.R
    Ewido 4.0 06.08.2007 Downloader.Alphabet
    FileAdvisor 1 06.09.2007 Low threat detected
    Fortinet 2.85.0.0 06.09.2007 W32/Alphabet!tr.dldr
    F-Prot 4.3.2.48 06.08.2007 W32/Downloader!9a48
    F-Secure 6.70.13030.0 06.08.2007 Trojan-Downloader.Win32.Alphabet.gen
    Ikarus T3.1.1.8 06.08.2007 Trojan-Downloader.Win32.Alphabet
    Kaspersky 4.0.2.24 06.09.2007 Trojan-Downloader.Win32.Alphabet.gen
    McAfee 5049 06.08.2007 Generic Downloader
    Microsoft 1.2503 06.09.2007 Trojan:Win32/Agent.SS (threat-c)
    NOD32v2 2320 06.09.2007 a variant of Win32/TrojanClicker.Agent.NBS
    Norman 5.80.02 06.08.2007 W32/DLoader.CVTL
    Panda 9.0.0.4 06.09.2007 Adware/DriveCleaner
    Prevx1 V2 06.09.2007 Trojan.Nudos
    Sophos 4.18.0 06.01.2007 no virus found
    Sunbelt 2.2.907.0 06.09.2007 VIPRE.Suspicious
    Symantec 10 06.09.2007 no virus found
    TheHacker 6.1.6.131 06.08.2007 no virus found
    VBA32 3.12.0 06.07.2007 Trojan-Downloader.Win32.Alphabet.gen
    VirusBuster 4.3.23:9 06.08.2007 Trojan.DL.Alphabet.Y
    Webwasher-Gateway 6.0.1 06.09.2007 Trojan.Dldr.Alphabet.11776.16


    I followed your direcions exact i hope this helps you help me get back to me as soon as possible.
     
  4. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    I'll get back to within the next 24 hours as it is almost mifnight here. I'm too tired to possibly atempt to read the logs.
     
  5. PeaInAPod

    PeaInAPod Active member

    Joined:
    Nov 28, 2005
    Messages:
    3,065
    Likes Received:
    0
    Trophy Points:
    66
    @batmanv1

    I am going to watch this thread and pitch in my help when needed. But until then here are a few pointers. One rename Hijack This! to something like Can't be Jacked or Jack What? Something besides HiJack This, as some malware/spyware are programmed to hide from Hijack This and is some cases even to disable it. So renaming it might show more malicious programs in your scans. Also if you are interested here is a site....
    http://www.hijackthis.de

    Basically you paste your logfile into it and let it scan it and 98% of the time it can tell you what the problems, what entries are bad, why there bad, etc.
     
  6. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    @PeaInAPod -

    No problem, feel free to pitch in when necessary. Though sometimes I really doubt the effectiveness of hijackthis.de (i.e. once it marked a RedSheriff infection as "Safe"). HijackThis was renamed:

    @Batmanv1 -

    Make sure you do my steps in the order listed, and follow them exactly. Not only will it make my life a lot easier, it is critical to the accuracy of the fix. You don't want me to misinterpret a log because you didn't do it in the proper order, do you? Also, please make sure to read my directions first so you understand what is expected. If you have trouble with a step, skip it and tell me. Constant reboots are not considered "trouble with a step" :)

    We're getting there... kinda. Please open HijackThis and do another scan. Place checkmarks besides the following boxes:

    ALL O2 entries that say (no file)

    O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\nnnnlig.dll

    O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - C:\WINDOWS\system32\pmnnk.dll

    O2 - BHO: (no name) - {9109454B-D3DA-D90D-DD0A-FEADDF94289D} - C:\WINDOWS\system32\ddhcj.dll

    O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\ootoyibs.dll

    O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll

    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\gnmdiwkb.dll

    O4 - HKLM\..\Run: [smgr] smgr.exe

    O20 - Winlogon Notify: nnnnlig - C:\WINDOWS\SYSTEM32\nnnnlig.dll

    O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll

    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll


    I don't like the look of that log of smgr from VirusTotal. Please reboot your computer into Safe Mode:

    1. Restart your computer.
    2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    3. Select the option for Safe Mode using the arrow keys.
    4. Then press enter on your keyboard to boot into Safe Mode.

    Then, open My Comptuer. Open the C: drive, and open the WINDOWS folder. Press the "s" key on your keyboard (this will make your life a bit easier) and search for "smgr.exe". Click on it. Then, hold down the "Shift" key and press the "Delete" button on your keyboard (not "Backspace"). It will give you a confirmation; press "Yes". You can now reboot back into Normal Mode.

    Can you run VundoFix again? It will take about five minutes, and the log should be saved to C:\VundoFix.txt. Post that log in your reply.

    Please run F-Secure BlackLight again (remember to disconnect your Internet and reconnect it afterwards - disconnect it physically). Double-click on fsbl.exe and do another scan. When the scan is finished, click "Next". You should be presented with a screen similar to this one (the items will vary, obviously):

    [​IMG]

    Click on windev-60b-4fc6.sys to highlight it; then, click "Rename". The action will be changed from "None" to "Rename". Next, do the same thing with windev-peers.ini.

    Do Not Do Anything Else With BlackLight Unless Asked!

    You should now press the "Next" button. A warning screen will now show stating that renaming legitimate files can cause Windows not to operate properly, yada yada yada. Put a checkmark in the checkbox labeled "I have understood the warning and wish to continue" and then press the OK button. You should then press the Restart Now, and then the OK button again. If BlackLight doesn't restart your computer, do it manually.

    Next, I want you to make a return trip to http://www.virustotal.com. Click "Browse", and paste the following in the box:

    c:\WINDOWS\system32\windev-60b-4fc6.sys.ren

    Wait for the scan to finish, and post the table back here, just like last time. Then, do another scan with the following:

    c:\WINDOWS\system32\windev-peers.ini.ren

    You also mentioned OuterInfo. To verify and remove that, I will need a HijackThis Uninstall Log:

    * Open HijackThis. Click "Open the Misc. Tools Section".
    * Click the "Misc Tools" tab at the top.
    * Click on "Open Uninstall Manager".
    * Hit "Save List". Save it to where you saved HijackThis. The list is called "uninstall_list.txt".
    * Post that list in a reply.

    In your reply:
    * VundoFix.txt logfile
    * A new BlackLight log
    * VirusTotal's log for c:\WINDOWS\system32\windev-60b-4fc6.sys
    * VirusTotal's log for c:\WINDOWS\system32\windev-peers.ini.ren
    * An Uninstall List from HijackThis
    * Last but not least, a new HijackThis logfile
     
  7. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    VundoFix Logfile:
    VundoFix V6.4.2

    Checking Java version...

    Java version is 1.5.0.4
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 1:11:17 PM 6/9/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ihhkj.bak1
    C:\WINDOWS\system32\ihhkj.bak2
    C:\WINDOWS\system32\ihhkj.ini
    C:\WINDOWS\system32\jjlxbeyw.ini
    C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\khfdeed.dll
    C:\WINDOWS\system32\snyhcvww.dll
    C:\WINDOWS\system32\wyebxljj.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ihhkj.bak1
    C:\WINDOWS\system32\ihhkj.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihhkj.bak2
    C:\WINDOWS\system32\ihhkj.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihhkj.ini
    C:\WINDOWS\system32\ihhkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jjlxbeyw.ini
    C:\WINDOWS\system32\jjlxbeyw.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\jkhhi.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\khfdeed.dll
    C:\WINDOWS\system32\khfdeed.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\snyhcvww.dll
    C:\WINDOWS\system32\snyhcvww.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wyebxljj.dll
    C:\WINDOWS\system32\wyebxljj.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Blacklight Log:
    06/09/07 13:46:39 [Info]: BlackLight Engine 1.0.61 initialized
    06/09/07 13:46:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/09/07 13:46:39 [Note]: 7019 4
    06/09/07 13:46:39 [Note]: 7005 0
    06/09/07 13:47:19 [Note]: 7006 0
    06/09/07 13:47:19 [Note]: 7011 1780
    06/09/07 13:47:19 [Note]: 7026 0
    06/09/07 13:47:19 [Note]: 7026 0
    06/09/07 13:47:21 [Note]: FSRAW library version 1.7.1021
    06/09/07 13:55:23 [Info]: Hidden file: c:\WINDOWS\system32\windev-60b-4fc6.sys
    06/09/07 13:55:23 [Note]: 10002 1
    06/09/07 13:55:23 [Info]: Hidden file: c:\WINDOWS\system32\windev-peers.ini
    06/09/07 13:55:23 [Note]: 10002 1
    06/09/07 14:03:55 [Note]: 7007 0


    VirusTotal's log for c:\WINDOWS\system32\windev-60b-4fc6.sys:
    AhnLab-V3 2007.6.9.0 06.08.2007 Win-Trojan/Tibs.153728
    AntiVir 7.4.0.32 06.09.2007 TR/PCK.Tibs.AB
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.09.2007 no virus found
    AVG 7.5.0.467 06.09.2007 no virus found
    BitDefender 7.2 06.09.2007 Trojan.Peed.HUJ
    CAT-QuickHeal 9.00 06.09.2007 no virus found
    ClamAV devel-20070416 06.09.2007 no virus found
    DrWeb 4.33 06.09.2007 Trojan.Spambot
    eSafe 7.0.15.0 06.06.2007 Win32.Tibs.ab
    eTrust-Vet 30.7.3707 06.09.2007 Win32/Tibs
    Ewido 4.0 06.09.2007 Trojan.Tibs.ab
    FileAdvisor 1 06.09.2007 No threat detected
    Fortinet 2.85.0.0 06.09.2007 PossibleThreat
    F-Prot 4.3.2.48 06.08.2007 W32/Dropper.gen6
    F-Secure 6.70.13030.0 06.08.2007 Packed.Win32.Tibs.ab
    Ikarus T3.1.1.8 06.09.2007 Packed.Win32.Tibs.ab
    Kaspersky 4.0.2.24 06.09.2007 Packed.Win32.Tibs.ab
    McAfee 5049 06.08.2007 no virus found
    Microsoft 1.2503 06.09.2007 TrojanDownloader:Win32/TIBS (threat-c)
    NOD32v2 2320 06.09.2007 Win32/Fuclip.AK
    Norman 5.80.02 06.08.2007 W32/Tibs.AKAI
    Panda 9.0.0.4 06.09.2007 Adware/Adsmart
    Prevx1 V2 06.09.2007 Covert.Code
    Sophos 4.18.0 06.01.2007 no virus found
    Sunbelt 2.2.907.0 06.09.2007 no virus found
    Symantec 10 06.09.2007 no virus found
    TheHacker 6.1.6.131 06.08.2007 no virus found
    VBA32 3.12.0 06.07.2007 no virus found
    VirusBuster 4.3.23:9 06.09.2007 no virus found
    Webwasher-Gateway 6.0.1 06.09.2007 Trojan.PCK.Tibs.AB

    VirusTotal's log for c:\WINDOWS\system32\windev-peers.ini.ren:
    AhnLab-V3 2007.6.9.0 06.08.2007 no virus found
    AntiVir 7.4.0.32 06.09.2007 no virus found
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.09.2007 no virus found
    AVG 7.5.0.467 06.09.2007 no virus found
    BitDefender 7.2 06.09.2007 no virus found
    CAT-QuickHeal 9.00 06.09.2007 no virus found
    ClamAV devel-20070416 06.09.2007 no virus found
    DrWeb 4.33 06.09.2007 no virus found
    eSafe 7.0.15.0 06.06.2007 no virus found
    eTrust-Vet 30.7.3707 06.09.2007 no virus found
    Ewido 4.0 06.09.2007 no virus found
    FileAdvisor 1 06.09.2007 no virus found
    Fortinet 2.85.0.0 06.09.2007 no virus found
    F-Prot 4.3.2.48 06.08.2007 no virus found
    F-Secure 6.70.13030.0 06.08.2007 no virus found
    Ikarus T3.1.1.8 06.09.2007 no virus found
    Kaspersky 4.0.2.24 06.09.2007 no virus found
    McAfee 5049 06.08.2007 no virus found
    Microsoft 1.2503 06.09.2007 no virus found
    NOD32v2 2320 06.09.2007 no virus found
    Norman 5.80.02 06.08.2007 no virus found
    Panda 9.0.0.4 06.09.2007 no virus found
    Prevx1 V2 06.09.2007 no virus found
    Sophos 4.18.0 06.01.2007 no virus found
    Sunbelt 2.2.907.0 06.09.2007 no virus found
    Symantec 10 06.09.2007 no virus found
    TheHacker 6.1.6.131 06.08.2007 no virus found
    VBA32 3.12.0 06.07.2007 no virus found
    VirusBuster 4.3.23:9 06.09.2007 no virus found
    Webwasher-Gateway 6.0.1 06.09.2007 no virus found


    HiJackThis Uninstall Log:
    Ad-Aware 2007
    Adobe Bridge 1.0
    Adobe Help Center 1.0
    Adobe Reader 7.0
    Adobe Shockwave Player
    Agere Systems PCI Soft Modem
    AIM 6
    Apple Software Update
    ATI Control Panel
    ATI Display Driver
    Auto Macro Recorder V4.8 Trial Version
    AV Music Morpher Gold
    BitPim 0.9.12
    Build Your Own Net Dream (remove only)
    CCleaner (remove only)
    Corel Painter X
    DivX
    DivX Player
    DivX Web Player
    Easy Internet Sign-up
    Fbrowse 2.0
    Game Console - WildGames
    GemMaster Mystic
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB888111
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB912024)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    HP Boot Optimizer
    HP Deskjet Printer Preload
    HP DigitalMedia Archive
    HP Document Viewer 5.3
    HP Extended Capabilities 5.3
    HP Game Console and games
    HP Image Zone 5.3
    HP Image Zone for Media Center PC
    HP Imaging Device Functions 5.3
    HP Multimedia Keyboard Software
    HP Photosmart 330,380,420,470,7800,8000,8200 Series
    HP Photosmart Cameras 5.0
    HP PSC & OfficeJet 5.3.A
    HP PSC & OfficeJet 5.3.B
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    HP Tunes
    ImageSlicer
    IntelliMover Data Transfer Demo
    InterVideo WinDVD Player
    IrfanView (remove only)
    iTunes
    Java(TM) SE Runtime Environment 6 Update 1
    Jets 'N' Guns GOLD
    LimeWire PRO 4.12.6
    Macromedia Flash Player 8
    Macromedia Flash Player 8 Plugin
    Microsoft .NET Framework 1.0 Hotfix (KB887998)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Plus! Dancer LE
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    Move Networks Player for Internet Explorer
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 6.0 Parser (KB927977)
    muvee autoProducer 4.0
    muvee autoProducer unPlugged 1.1 - HPD
    Nanny Mania
    Notepad++
    Office 2003 Tour
    Outerinfo
    Panda ActiveScan
    Perfect Macro Recorder 1.50
    Photo Pos Pro
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2005
    QuickTime
    RealPlayer
    Registry Mechanic 6.0
    Replay Media Catcher
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB925486)
    Sonic Encoders
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Spybot - Search & Destroy 1.4
    The Hot Mix - Basic
    Total Video Converter 3.02
    TweakMASTER
    Ulead PhotoImpact 12
    UltraMixer 2.0.10.1
    Unreal Tournament 2004 Demo
    Update for Windows Media Player 10 (KB913800)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB900930)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Updates from HP (remove only)
    Video Convert Master Trial Version (English) 7.9.0.4
    Viewpoint Media Player
    Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix [See KB889858 for more information]
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885354
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891220
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Media Center Edition 2005 KB888316
    Windows XP Media Center Edition 2005 KB895678
    Windows XP Media Center Edition 2005 KB925766
    Xfire (remove only)
    Yahoo! Install Manager
    Yahoo! Toolbar
    Zune

    HiJackThis Logfile:
    Logfile of HijackThis v1.99.1
    Scan saved at 2:30:26 PM, on 6/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\smgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\avp.exe
    C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\HijackThis\asdf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - C:\WINDOWS\system32\jkhhi.dll (file missing)
    O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
    O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - (no file)
    O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
    O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
    O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - (no file)
    O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\khfdeed.dll (file missing)
    O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
    O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
    O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
    O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wuufkiei.dll
    O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
    O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzas.dll,startup
    O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\wyebxljj.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163889300812
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163980362203
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)





    ----K i followed your directions exact here are the logfiles.
     
  8. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    o sorry here is an addition to VundoFix logfile:



    VundoFix V6.4.2

    Checking Java version...

    Java version is 1.5.0.4
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 1:24:58 PM 6/9/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\khfdeed.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\jkhhi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\khfdeed.dll
    C:\WINDOWS\system32\khfdeed.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
     
  9. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Terribly sorry about the delay; can you give me just one more day?
     
  10. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    It ok take your time the problem seems to be gettin better already thanks to your help so go ahead take all the time you need just let me know when your ready
     
  11. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Ooookay... sorry about that.

    Since it's been a while: can you post a fresh HijackThis log to refresh my memory and give me a more recent view of your computer.
     
  12. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Really sorry about the wait but the last couple of days were crazy for me but here you go


    Logfile of HijackThis v1.99.1
    Scan saved at 8:51:50 AM, on 6/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\smgr.exe
    C:\WINDOWS\avp.exe
    C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\AIM6\aolsoftware.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\HijackThis\asdf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - (no file)
    O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
    O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - (no file)
    O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
    O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
    O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - (no file)
    O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
    O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
    O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
    O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll
    O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wuufkiei.dll
    O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
    O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163889300812
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163980362203
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

     
  13. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Still gotta do these (some of them may not be there since you ran VundoFix):

    Next, I just want to see what we're dealing with with winrvc32. Please go to http://www.virustotal.com and click the big "Browse" button at the top. In the box that appears, paste the following:

    C:\WINDOWS\SYSTEM32\winrvc32.dll

    Then, hit "Open". At the top of the page there will be a button that says "Send". Click that. Since this is a high-demand service, you will most likely be queued. After that, VirusTotal will scan your file using 32 virus engines, so be patient.

    Please open the Command Prompt by opening the Start Menu, clicking on Run, and typing cmd. Press enter, and the Control Panel should open. Type "path" (without the quotes) and press Enter. Your window should look something like this:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\xxxx>path
    PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Qu
    ickTime\QTSystem\

    C:\Documents and Settings\xxxx>

    (xxxx is my name) Now, right-click anywhere in the window and press "Select All". When it is selected, press the Enter key to copy that to the clipboard. Paste that into a Notepad document (save it if you don't feel like doing it again), and when you feel like replying, paste that into your reply.

    Finally, open up VundoFix again. In the white box that takes up most of the window, right-click and press "Add more files?" In the boxes that appear, put the following paths (there are 2 paths):

    C:\WINDOWS\system32\jykbhh.dll
    C:\WINDOWS\system32\wuufkiei.dll


    Then, press "OK" and do another scan with VundoFix.

    In your reply:
    * A new HijackThis log
    * VirusTotal log
    * VundoFix log
    * The thing that appeared when you did the path command in cmd
     
  14. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    HiJackThis:
    Logfile of HijackThis v1.99.1
    Scan saved at 7:31:28 PM, on 6/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\smgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\avp.exe
    C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\HijackThis\asdf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O2 - BHO: (no name) - {155AE0F7-8E25-449A-B7E5-BC80C3FE42F7} - (no file)
    O2 - BHO: (no name) - {437EDF27-E8C0-4FB0-8A4F-07A89D668BA0} - (no file)
    O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - (no file)
    O2 - BHO: (no name) - {5EB38491-D279-4B15-90B7-E9E2F1FEE787} - (no file)
    O2 - BHO: (no name) - {700C90FD-6868-4E39-9332-6F4C1DDC1AC1} - (no file)
    O2 - BHO: (no name) - {71D4730E-0EA0-4510-BEE0-391AFA504841} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: (no name) - {87726C41-96BD-4BBE-A6FA-CFC034727CB6} - (no file)
    O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
    O2 - BHO: (no name) - {A68F0174-16C3-4819-8C82-6B6C23B67587} - (no file)
    O2 - BHO: (no name) - {C70A284F-5FE3-4DF7-8863-B05DF278CF1d} - (no file)
    O2 - BHO: (no name) - {CC591249-D988-8D0C-8C0A-FEADDF94279E} - C:\WINDOWS\system32\jykbhh.dll (file missing)
    O2 - BHO: (no name) - {DBDC6551-66CA-4F02-9AD0-2CD62502E8E3} - (no file)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wuufkiei.dll (file missing)
    O2 - BHO: (no name) - {E8DE63A1-4A2D-46AD-AA04-6980F9FFE15c} - (no file)
    O2 - BHO: (no name) - {F4851D99-EECC-4C63-8E4A-50FE2D6DC8A4} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163889300812
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163980362203
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D8A988FD-A12E-4463-A4D4-016BFF254BA9}: NameServer = 205.152.144.23 205.152.132.23
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: PcScnSrv - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)


    VirusTotal:
    Antivirus Version Update Result
    AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Dialer.18944.N
    AntiVir 7.4.0.32 06.16.2007 TR/Crypt.PEC2X.Gen
    Authentium 4.93.8 06.16.2007 no virus found
    Avast 4.7.997.0 06.16.2007 no virus found
    AVG 7.5.0.467 06.16.2007 Dialer.FHC
    BitDefender 7.2 06.16.2007 Trojan.Downloader.Agent.BGY
    CAT-QuickHeal 9.00 06.16.2007 Trojan.Dialer.qn
    ClamAV None 06.16.2007 no virus found
    DrWeb 4.33 06.16.2007 Trojan.Mezzia
    eSafe 7.0.15.0 06.14.2007 Win32.Dialer.qn
    eTrust-Vet 30.7.3721 06.15.2007 Win32/Nebuler.BI
    Ewido 4.0 06.16.2007 Trojan.Dialer.qn
    FileAdvisor 1 06.17.2007 Not analyzed yet
    Fortinet 2.85.0.0 06.16.2007 W32/Nebule.QN!tr
    F-Prot 4.3.2.48 06.15.2007 no virus found
    F-Secure 6.70.13030.0 06.15.2007 W32/Dialer.dam
    Ikarus T3.1.1.8 06.16.2007 Trojan.Win32.Agent.qt
    Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Dialer.qn
    McAfee 5054 06.15.2007 potentially unwanted program Dialer-Generic
    Microsoft 1.2607 06.16.2007 no virus found
    Norman 5.80.02 06.15.2007 W32/Dialer.dam
    Panda 9.0.0.4 06.16.2007 Dialer.KHJ
    Prevx1 V2 06.17.2007 Polynomial.Code.Exploit
    Sophos 4.18.0 06.12.2007 no virus found
    Sunbelt 2.2.907.0 06.16.2007 Trojan.Nebuler
    Symantec 10 06.17.2007 Trojan.Nebuler
    TheHacker 6.1.6.133 06.15.2007 Trojan/Dialer.qn
    VBA32 3.12.0.2 06.15.2007 Trojan.Win32.Dialer.qn
    VirusBuster 4.3.23:9 06.16.2007 no virus found
    Webwasher-Gateway 6.0.1 06.16.2007 no virus found



    VundoFix:
    VundoFix V6.4.2

    Checking Java version...

    Java version is 1.5.0.4
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 7:15:58 PM 6/16/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\jykbhh.dll
    C:\WINDOWS\system32\jykbhh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wuufkiei.dll
    C:\WINDOWS\system32\wuufkiei.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    CMD:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Don't Touch This>path
    PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Prog
    ram Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
    \;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625

    C:\Documents and Settings\Don't Touch This>
     
  15. batmanv1

    batmanv1 Member

    Joined:
    Jun 8, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
  16. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Blargh. I'll get back to you in a few seconds, I gotta eat breakfast first.
     
  17. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    I'm sorry about the horribly late reply.

    Do you still need help? If so, post another HijackThis log.
     
  18. Auttaja

    Auttaja Guest

    Just couple hint:

    http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

    (See that O4 - HKLM\..\Run: [smgr] mgrs.exe)

    =========

    C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe

    randomly named malware

    ========

    O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe

    trojan downloader

    ==========

    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll

    Part of vundo family (maybe addfiles on vundofix or combofix)

     

Share This Page