PDA

View Full Version : Hi



shauna78
2007-12-28, 01:09
:)Over the Christmas period I have had my family staying and my nephew has been using my Pc - now I have load of pop ups and my pc is running so slow.. I know that it is infected with Virtumonde but I cant delete it. I have used vurtobegone and vundofix, spybot, combo fix but no joy.. I need an expert!!! I should have finished the course at the malware uni!!

I also deleted some files from HJT which I knew were dodgy - but I then got a several error messages so I restored them so they can be sorted at the same time and properly deleted!

I have Kespersky internet 7 now as my last antivirus expired and I didnt renew it.. hindsight is such a wonderful thing!!

Any help will be greatly appreciated as always :bigthumb:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:38:02, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu1188.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\highjackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02717B41-42AE-4EA7-86BA-5F04154637D4} - C:\Program Files\Messenger\hoke4444.dll (file missing)
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - C:\WINDOWS\system32\nnnkjhf.dll (file missing)
O2 - BHO: (no name) - {41CC109F-3C8E-4F08-BC28-586C8F116656} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: {0e0ac8bc-8862-4afa-7f14-806b65396d94} - {49d69356-b608-41f7-afa4-2688cb8ca0e0} - C:\WINDOWS\system32\tpseheur.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6336D430-E87C-488B-934F-AFF51D1868DD} - C:\Program Files\Messenger\hoke83122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8BD219D7-8AF2-4254-9430-2381F87E0F16} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: {56bd53ca-31fc-9df9-4494-2dccba4dc10d} - {d01cd4ab-ccd2-4944-9fd9-cf13ac35db65} - C:\WINDOWS\system32\ejmnfkvy.dll
O2 - BHO: {a2dc8e1f-3f98-5b5b-3564-99b75785db3d} - {d3bd5875-7b99-4653-b5b5-89f3f1e8cd2a} - C:\WINDOWS\system32\pdqumlgw.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [9c3365bc] rundll32.exe "C:\WINDOWS\system32\jccmofgv.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: nnnkjhf - nnnkjhf.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7823 bytes

pskelley
2007-12-28, 19:10
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Do not run and post the Kaspersky scan until I ask for it.
You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
Keep the computer offline except when troubleshooting, the junk will download more. Make sure "Word Wrap" is turned off in notepad, read and follow the directions carefully, the tools will not work unless you do.

If you have any of these tools, delete them and download them new from the links I provided.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks

shauna78
2007-12-28, 21:46
Hi - thank you for helping.

I have had a problem - I couldnt run combofix once I had saved it to the desktop it said it windows system 32 was not a proper file or something to run combofix - So I had to run it from the temp file. Not sure if there is any way round this?

Logs to follow anyway...

ComboFix 07-12-21.4 - Shauna Holleran 2007-12-28 18:47:15.5 - NTFSx86
Running from: C:\Documents and Settings\Shauna Holleran.SHO\Local Settings\Temporary Internet Files\Content.IE5\50Z72GQ0\ComboFix[1].exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Shauna Holleran.SHO\Application Data\WinTouch
C:\Documents and Settings\Shauna Holleran.SHO\Application Data\WinTouch\WinTouch.exe
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b128.exe.bin
C:\WINDOWS\b138.exe.bin
C:\WINDOWS\b151.exe.bin
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\pack.epk
C:\WINDOWS\system32\amtxwydo.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\eeoggpphxx.dat
C:\WINDOWS\system32\eeoggpphxx_nav.dat
C:\WINDOWS\system32\eeoggpphxx_navps.dat
C:\WINDOWS\system32\efntlooa.dll
C:\WINDOWS\system32\ejmnfkvy.dll
C:\WINDOWS\system32\fmurcaxu.ini
C:\WINDOWS\system32\foxciiav.dll
C:\WINDOWS\system32\hyyutred.dll
C:\WINDOWS\system32\iitypcjj.dll
C:\WINDOWS\system32\jjcpytii.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jnudlead.dll
C:\WINDOWS\system32\jtrcjivu.dll
C:\WINDOWS\system32\ksiddk.dat
C:\WINDOWS\system32\ksiddk_nav.dat
C:\WINDOWS\system32\ksiddk_navps.dat
C:\WINDOWS\system32\oanokdyd.dll
C:\WINDOWS\system32\oiltbkfy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pdqumlgw.dll
C:\WINDOWS\system32\rpxrkqdl.dll
C:\WINDOWS\system32\tpseheur.dll
C:\WINDOWS\system32\uxacrumf.dll
C:\WINDOWS\system32\vaiicxof.ini
C:\WINDOWS\system32\yfkbtlio.ini
C:\WINDOWS\system32\yqxljika.dll
C:\WINDOWS\Fonts\-

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 21:06 . 2007-12-27 22:28 1,031,259 --ahs---- C:\WINDOWS\system32\ajfxhvjx.ini
2007-12-27 17:48 . 2007-12-27 19:03 1,031,319 --ahs---- C:\WINDOWS\system32\ytxlagwu.ini
2007-12-27 14:33 . 2007-12-27 17:45 1,031,199 --ahs---- C:\WINDOWS\system32\jyjaalri.ini
2007-12-27 11:06 . 2007-12-27 11:27 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-27 11:06 . 2007-12-27 11:27 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-27 11:05 . 2007-12-27 11:05 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-27 11:05 . 2007-12-28 19:20 3,856,416 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 11:05 . 2007-12-28 19:18 52,124 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 11:05 . 2007-12-28 19:20 34,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-27 11:05 . 2007-12-28 19:18 4,268 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-27 10:59 . 2007-12-27 10:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2007-12-27 01:14 . 2007-12-27 01:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-27 01:14 . 2007-12-28 19:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-27 00:54 . 2007-12-27 13:31 <DIR> d-------- C:\Program Files\Router
2007-12-26 13:58 . 2007-12-27 01:01 1,341,115 --ahs---- C:\WINDOWS\system32\vgfomccj.ini
2007-12-25 19:24 . 2007-12-26 13:56 1,025,724 --ahs---- C:\WINDOWS\system32\yqupiwtf.ini
2007-12-25 17:16 . 2007-12-27 00:32 <DIR> d--hs---- C:\WINDOWS\U2hhdW5hIEhvbGxlcmFu
2007-12-25 17:15 . 2007-12-27 17:13 <DIR> d-------- C:\WINDOWS\system32\vmi4
2007-12-25 17:15 . 2007-12-27 00:32 <DIR> d-------- C:\WINDOWS\system32\elmo1
2007-12-25 17:15 . 2007-12-27 16:16 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2007-12-25 17:15 . 2007-12-25 17:15 <DIR> d-------- C:\TEMP\cEeer12
2007-12-25 17:15 . 2007-12-25 17:15 35,328 --a------ C:\WINDOWS\system32\nnnkjhf.dll.vir
2007-12-25 14:11 . 2007-12-25 14:11 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 13:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-25 13:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-25 13:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-25 13:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-16 12:34 . 2007-12-16 12:34 <DIR> d-------- C:\Documents and Settings\Guest.SHO\Application Data\Apple Computer
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 19:00 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-12-27 13:31 22 ----a-w C:\WINDOWS\Fonts\x.zip
2007-12-27 11:39 --------- d-----w C:\Documents and Settings\Shauna Holleran.SHO\Application Data\LimeWire
2007-12-27 01:40 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-25 14:12 --------- d-----w C:\Program Files\iTunes
2007-12-25 14:12 --------- d-----w C:\Program Files\iPod
2007-11-27 21:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-27 21:36 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 07:50 17,144 ----a-w C:\Documents and Settings\Jacqui Holleran.SHO\Application Data\GDIPFONTCACHEV1.DAT
2007-08-28 22:43 318,369 ----a-w C:\Program Files\HiJackThis.zip
2007-08-12 22:36 24,192 ----a-w C:\Documents and Settings\Shauna Holleran.SHO\usbsermptxp.sys
2007-08-12 22:36 22,768 ----a-w C:\Documents and Settings\Shauna Holleran.SHO\usbsermpt.sys
2006-03-29 23:34 68,096 ----a-w C:\Program Files\BHOList.exe
2007-07-19 00:46 6,365 --sha-w C:\WINDOWS\system32\yycdd.bak1
2007-07-24 20:52 1,056,947 --sha-w C:\WINDOWS\system32\yycdd.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02717B41-42AE-4EA7-86BA-5F04154637D4}]
C:\Program Files\Messenger\hoke4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}]
C:\WINDOWS\system32\nnnkjhf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6336D430-E87C-488B-934F-AFF51D1868DD}]
C:\Program Files\Messenger\hoke83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 19:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}"= C:\WINDOWS\system32\nnnkjhf.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjhf]
nnnkjhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 15:32]
S3 VM30xx86;Vimicro USB PC Camera (ZC0301);C:\WINDOWS\system32\Drivers\vm30xx86.sys [2007-02-15 10:04]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 10:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 19:20:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 19:23:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-12-26 18:33
C:\ComboFix2.txt ... 2007-12-26 18:33
C:\ComboFix3.txt ... 2007-12-26 16:46
.
2007-12-13 00:49:12 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:09, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shauna Holleran.SHO\Local Settings\Temporary Internet Files\Content.IE5\7TQMLBLT\VundoFix[1].exe
C:\Program Files\Trend Micro\highjackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02717B41-42AE-4EA7-86BA-5F04154637D4} - C:\Program Files\Messenger\hoke4444.dll (file missing)
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - C:\WINDOWS\system32\nnnkjhf.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6336D430-E87C-488B-934F-AFF51D1868DD} - C:\Program Files\Messenger\hoke83122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: nnnkjhf - nnnkjhf.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7087 bytes


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 22:36:31 8/4/2007

Listing files found while scanning....

C:\windows\system32\cgnfaefw.exe
C:\WINDOWS\system32\ddcyx.dll
C:\windows\system32\feudwtje.dll
C:\windows\system32\iivarhgg.exe
C:\windows\system32\jxnliuhd.exe
C:\windows\system32\qntqlbid.exe
C:\windows\system32\sdmusjrv.exe
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp

Beginning removal...

Attempting to delete C:\windows\system32\cgnfaefw.exe
C:\windows\system32\cgnfaefw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.dll Has been deleted!

Attempting to delete C:\windows\system32\feudwtje.dll
C:\windows\system32\feudwtje.dll Has been deleted!

Attempting to delete C:\windows\system32\iivarhgg.exe
C:\windows\system32\iivarhgg.exe Has been deleted!

Attempting to delete C:\windows\system32\jxnliuhd.exe
C:\windows\system32\jxnliuhd.exe Has been deleted!

Attempting to delete C:\windows\system32\qntqlbid.exe
C:\windows\system32\qntqlbid.exe Has been deleted!

Attempting to delete C:\windows\system32\sdmusjrv.exe
C:\windows\system32\sdmusjrv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.tmp
C:\WINDOWS\system32\xycdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 23:47:12 8/4/2007

Listing files found while scanning....

C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\ssqrp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Has been deleted!

Performing Repairs to the registry.
Done!

pskelley
2007-12-28, 22:19
Open Vundofix and tell me the Version is on the Interface, mine shows 6.7.0 and I believe I am out of date. Your report is showing:
VundoFix V6.5.6. I am waiting to hear what version you are running.

Thanks

shauna78
2007-12-28, 22:35
No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 18:30:01 12/28/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 19:24:33 12/28/2007

Listing files found while scanning....

shauna78
2007-12-28, 22:36
Sorry I hadnt copied the whole log as there was not enough room!!

it is the lastest log.. it must list all the previous ones also?

thank you :0)

shauna78
2007-12-28, 22:37
VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 18:30:01 12/28/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 19:24:33 12/28/2007

Listing files found while scanning....

No infected files were found.

pskelley
2007-12-28, 23:17
Thanks for that information and the feedback, read and follow the instructions carefully.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

(files to add)

C:\WINDOWS\system32\ajfxhvjx.ini
C:\WINDOWS\system32\ytxlagwu.ini
C:\WINDOWS\system32\jyjaalri.ini
C:\WINDOWS\system32\nnnkjhf.dll.vir
C:\WINDOWS\system32\vgfomccj.ini
C:\WINDOWS\system32\yqupiwtf.ini

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you may leave the first item if you set your Start Page that way)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {02717B41-42AE-4EA7-86BA-5F04154637D4} - C:\Program Files\Messenger\hoke4444.dll (file missing)
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - C:\WINDOWS\system32\nnnkjhf.dll (file missing)
O2 - BHO: (no name) - {6336D430-E87C-488B-934F-AFF51D1868DD} - C:\Program Files\Messenger\hoke83122.dll (file missing)
O20 - Winlogon Notify: nnnkjhf - nnnkjhf.dll (file missing)
O24 - Desktop Component 0: (no name) - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and some feedback...how is the computer running now?

Thanks

shauna78
2007-12-29, 04:17
Hi pskelley

I haven't had any pop ups so far and it seems to be running as normal!!

Logs are below but I could not remove one item O20 - Winlogon Notify: nnnkjhf - nnnkjhf.dll (file missing) from the HJT log - I assume this was deleted with vundofix when I added those files?

thank you again :0)

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 22:36:31 8/4/2007

Listing files found while scanning....

C:\windows\system32\cgnfaefw.exe
C:\WINDOWS\system32\ddcyx.dll
C:\windows\system32\feudwtje.dll
C:\windows\system32\iivarhgg.exe
C:\windows\system32\jxnliuhd.exe
C:\windows\system32\qntqlbid.exe
C:\windows\system32\sdmusjrv.exe
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp

Beginning removal...

Attempting to delete C:\windows\system32\cgnfaefw.exe
C:\windows\system32\cgnfaefw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.dll Has been deleted!

Attempting to delete C:\windows\system32\feudwtje.dll
C:\windows\system32\feudwtje.dll Has been deleted!

Attempting to delete C:\windows\system32\iivarhgg.exe
C:\windows\system32\iivarhgg.exe Has been deleted!

Attempting to delete C:\windows\system32\jxnliuhd.exe
C:\windows\system32\jxnliuhd.exe Has been deleted!

Attempting to delete C:\windows\system32\qntqlbid.exe
C:\windows\system32\qntqlbid.exe Has been deleted!

Attempting to delete C:\windows\system32\sdmusjrv.exe
C:\windows\system32\sdmusjrv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xycdd.tmp
C:\WINDOWS\system32\xycdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 23:47:12 8/4/2007

Listing files found while scanning....

C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\ssqrp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 00:17:38 8/6/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.bak2
C:\WINDOWS\system32\yccdd.ini

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 01:39:36 8/6/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:43:46 8/8/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 00:19:03 8/15/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 23:40:36 8/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 15:13:21 12/26/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 15:55:55 12/26/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 19:39:25 12/27/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 18:30:01 12/28/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 19:24:33 12/28/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\ajfxhvjx.ini
C:\WINDOWS\system32\ajfxhvjx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jyjaalri.ini
C:\WINDOWS\system32\jyjaalri.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnkjhf.dll.vir
C:\WINDOWS\system32\nnnkjhf.dll.vir Has been deleted!

Attempting to delete C:\WINDOWS\system32\vgfomccj.ini
C:\WINDOWS\system32\vgfomccj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yqupiwtf.ini
C:\WINDOWS\system32\yqupiwtf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ytxlagwu.ini
C:\WINDOWS\system32\ytxlagwu.ini Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:13:02, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\highjackthis\scanner.exe
C:\Program Files\Trend Micro\highjackthis\scanner.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6640 bytes

pskelley
2007-12-29, 12:59
Good morning, thanks for returning your information and the feedback.

Your HJT log looks clean of malware:bigthumb: I would like a second opinion from Kaspersky online scanner, you may have to install it and then go offline, disable your resident AV, and then run the scan. I am not 100% sure. Just make sure you turn your resident AV back on before going back online. If you have a problem trying to run the scan with the resident Kaspersky onboard, let me know and we will use another method.

Before you scan, remove combofix, C:\qoobox\quarantine\, Vundofix and the C:\VundoFix Backups from your computer.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

shauna78
2007-12-29, 15:01
Hi pskelly

I have ran the online scanner but i saved it as a txt file not a notepad!

I also ran spybot and that was clear - no immediate threats found!! and my pc is running as normal now..

Thank you & thank you !! :bigthumb::bigthumb:

KASPERSKY ONLINE SCANNER REPORT
Saturday, December 29, 2007 12:55:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/12/2007
Kaspersky Anti-Virus database records: 499720


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\SHAUNA~1.SHO\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 18194
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:31:16

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{257B9614-F6D9-4D49-97C2-071C2B7206A5}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2007-12-29, 15:06
Whoa...a clean scan, you go geekgirl :bigthumb:

For your information:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Happy New Year:clown:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

shauna78
2007-12-30, 02:32
Thank you soooo much!!! :bighug:

and Happy New Year to you too :flowers:

I think I will go back and finish the course at the malware uni.. !