
Thread: Malicious Action detected - mlljh.dll

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12

    Malicious Action detected - mlljh.dll


  2. #2
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12

    Malicious action detected

    My computer had been very slow and bringing up pop-ups regarding DLLs. Please help.

    Active scan log:

    Incident Status Location

    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcywxu.dll
    Adware:adware/gator Not disinfected c:\GatorPatch.log
    Adware:adware/toprebates Not disinfected c:\program files\WebSavingsfromEbates
    Adware:adware/blazefind Not disinfected c:\program files\WindowsSA
    Adware:adware/dyfuca Not disinfected Windows Registry
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.doubleclick.net/]
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\backups\backup-20070405-205218-787.dll
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\VundoFix\VundoFix\process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\VundoFix.exe[process.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018738.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018755.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018756.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018757.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018758.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018759.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018767.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018768.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018769.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018770.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018771.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018783.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018784.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018792.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018794.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018795.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018806.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018807.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018811.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018812.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018814.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018816.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP444\A0018821.DLL

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12

    Malicious action detected

    Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018846.exe
    Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018847.exe
    Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018848.exe
    Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018852.exe
    Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP454\A0020299.exe
    Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP454\A0020301.exe
    Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP456\A0020393.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022872.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022873.dll
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022875.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exdl.exe]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exul.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[adp8025_OUTB.exe][bargains.exe]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[nls8025_OUTB.exe][nls.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][cashback.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][bb_welcome.html]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][icon.gif]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022958.exe
    Adware:Adware/TopMoxie Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022959.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022970.exe
    Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP470\A0023121.dll
    Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP471\A0023140.exe
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\A0023700.exe
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\snapshot\MFEX-1.DAT
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023913.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[exdl.exe]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\snapshot\MFEX-1.DAT
    Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\system32\dpxicinb.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\urqpnkh.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wkdjhmjm.dll
    Adware:Adware/IPInsight Not disinfected C:\WINNT\inf\alchem.inf
    Adware:Adware/Twain-Tech Not disinfected C:\WINNT\inf\twaintec.inf
    Adware:Adware/WinTools Not disinfected C:\WINNT\Key2.txt
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\apuc.dll
    Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exdl.exe
    Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exul.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\msbe.dll
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\mscb.dll
    Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\nvms.dll

  4. #4
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12

    Malicious action detected

    HJT log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:48:57 PM, on 4/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B3E979F-85F3-40AA-8B9F-3FD1EE32B76C} - C:\WINDOWS\system32\mlljh.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\dpxicinb.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: ddcywxu - C:\WINDOWS\SYSTEM32\ddcywxu.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


    Thank you


    "BEFORE you POST"
    Last edited by tashi; 2007-04-07 at 02:36. Reason: Four topics merged, please hit Reply and not Start new topic. ;) Added link.

  5. #5
    pskelley
    In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to the forum, this is a Vundo infection but first I have to say your System Restore files are totally infected. DO NOT use System Restore for any reason, until we clean it.

    Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
    Since there is a class action involving this one, you may want to view this information:
    http://www.networkworld.com/news/200...-unravels.html

    Thanks to Atribune and any others who helped with this fix.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to upload malware: http://www.uploadmalware.com

    Use Post Reply, DO NOT start new topics.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12


    Thank you for your help.

    VundoFix.txt---->

    VundoFix V6.3.19

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 4:27:19 PM 4/10/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ccbeg.bak1
    C:\WINDOWS\system32\ccbeg.ini2
    C:\WINDOWS\system32\ccbeg.tmp
    C:\WINDOWS\system32\ddcywxu.dll
    C:\WINDOWS\system32\gebcc.dll
    C:\WINDOWS\system32\mjmhjdkw.ini
    C:\WINDOWS\system32\wkdjhmjm.dll
    C:\WINDOWS\system32\xvkmpogt.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ccbeg.bak1
    C:\WINDOWS\system32\ccbeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ccbeg.ini2
    C:\WINDOWS\system32\ccbeg.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ccbeg.tmp
    C:\WINDOWS\system32\ccbeg.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddcywxu.dll
    C:\WINDOWS\system32\ddcywxu.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\gebcc.dll
    C:\WINDOWS\system32\gebcc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mjmhjdkw.ini
    C:\WINDOWS\system32\mjmhjdkw.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wkdjhmjm.dll
    C:\WINDOWS\system32\wkdjhmjm.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xvkmpogt.dll
    C:\WINDOWS\system32\xvkmpogt.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddcywxu.dll
    C:\WINDOWS\system32\ddcywxu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    -----------------------

    Hijackthis---->

    Logfile of HijackThis v1.99.1
    Scan saved at 6:17:57 PM, on 4/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\Cleaning files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\xvkmpogt.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {8FD27C64-134F-4115-9BE4-FA23DDAA3C3B} - C:\WINDOWS\system32\gebcc.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll (file missing)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    Thank you again!

  7. #7
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for returning your information. You have called the folder where HJT stores the program and backups "Cleaning files". That is fine as long as you store NOTHING else in that folder. If you need to store other stuff in that folder, create a new folder for HJT. I suggest C:\HJT\HijackThis.exe

    You have an old version of Java on the computer, see this:
    http://forums.spybot.info/showpost.p...80&postcount=2
    Download the newest version and uninstall all old versions in Add Remove Programs.


    Follow the directions carefully and in the posted order.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) Spyware Doctor: From within Spyware Doctor, click the "OnGuard" button on the left side. Uncheck "Activate OnGuard". Make sure it has reactivated when you reboot.

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\xvkmpogt.dll (file missing)
    O2 - BHO: (no name) - {8FD27C64-134F-4115-9BE4-FA23DDAA3C3B} - C:\WINDOWS\system32\gebcc.dll (file missing)
    (the next one is damaged and not working right, if at all. If you use it, install it again when we finish)
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll (file missing)
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\wkdjhmjm.dll <<< delete that file

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    7) MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Restart the computer, run a new ActiveScan and post its log along with a new HJT log and any comments you think will help.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12


    Hello, thanks again for your help. As a comment, I can't tell you that I don't have any more pop-ups regarding the malicious action, but the computer is still a lot slower than it was before the infection.

    The ActiveScan log--->

    Adware:adware/gator Not disinfected c:\GatorPatch.log
    Adware:adware/toprebates Not disinfected c:\program files\WebSavingsfromEbates
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt[.doubleclick.net/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt[.burstnet.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.doubleclick.net/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.terra.com.br/]
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.target.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.burstnet.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.terra.com.br/]
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.target.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.burstnet.com/]
    Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-1220945662-764733703-682003330-1003\Dc1\backup-20070405-205218-787.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-1220945662-764733703-682003330-1003\Dc1\backup-20070409-133907-889.dll
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018738.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018755.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018756.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018757.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018758.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018759.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018767.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018768.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018769.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018770.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018771.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018783.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018784.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018792.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018794.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018795.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018806.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018807.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018811.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018812.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018814.DLL
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018816.exe
    Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP444\A0018821.DLL

  9. #9
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12


    continues.....

    Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018852.exe
    Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP456\A0020393.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022872.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022873.dll
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022875.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exdl.exe]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exul.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[adp8025_OUTB.exe][bargains.exe]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[nls8025_OUTB.exe][nls.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][cashback.exe]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][bb_welcome.html]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][icon.gif]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022958.exe
    Adware:Adware/TopMoxie Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022959.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022970.exe
    Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP470\A0023121.dll
    Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP471\A0023140.exe
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\A0023700.exe
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\snapshot\MFEX-1.DAT
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023913.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[exdl.exe]
    Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\snapshot\MFEX-1.DAT
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ddcywxu.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wkdjhmjm.dll.bad
    Adware:Adware/IPInsight Not disinfected C:\WINNT\inf\alchem.inf
    Adware:Adware/Twain-Tech Not disinfected C:\WINNT\inf\twaintec.inf
    Adware:Adware/WinTools Not disinfected C:\WINNT\Key2.txt
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\apuc.dll
    Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exdl.exe
    Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exul.exe
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\msbe.dll
    Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\mscb.dll
    Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\nvms.dll
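
The ActiveScan log above (posts #8 and #9) mixes a handful of files that are actually present on the live system with a long tail of detections inside System Restore points, the Recycle Bin and the VundoFix quarantine, all of which the steps in post #7 clear without touching the files by hand. The script below is an added example, not Panda's or the forum helper's code: it parses lines in the posted format, sorts each detection by where the file lives, and maps each location to the cleanup step that covers it. The sample lines are copied from the posted log; the location rules, the action text, the assumption that the running Windows directory is C:\WINDOWS (as the HJT log shows) and the English status strings are this example's own.

```python
"""Sort Panda ActiveScan detections by where the file lives, so live files are
not buried among restore-point and quarantine leftovers.

Added example for this thread, not Panda's or pskelley's code. Sample lines are
copied from the ActiveScan log in posts #8 and #9; the location rules and the
mapping to cleanup steps are this example's own reading of post #7.
"""
import re
from dataclasses import dataclass

# Constructed sample: a representative slice of the posted ActiveScan log.
SAMPLE_LOG = r"""
Adware:adware/gator Not disinfected c:\GatorPatch.log
Adware:adware/toprebates Not disinfected c:\program files\WebSavingsfromEbates
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt[.doubleclick.net/]
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-1220945662-764733703-682003330-1003\Dc1\backup-20070405-205218-787.dll
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018755.DLL
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exdl.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wkdjhmjm.dll.bad
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\apuc.dll
Adware:Adware/Twain-Tech Not disinfected C:\WINNT\inf\twaintec.inf
"""

# Assumed: ActiveScan's English status strings; other locales are not handled.
LINE_RE = re.compile(
    r"^(?P<kind>\w+):(?P<family>\S+) (?P<status>Not disinfected|Disinfected) (?P<path>.+)$"
)
# A path that starts with a Windows installation root (either spelling).
WIN_ROOT_RE = re.compile(r"^(?P<root>[A-Za-z]:\\(?:WINDOWS|WINNT))\\", re.IGNORECASE)

# Location label -> which of pskelley's steps (post #7) takes care of it.
ACTIONS = {
    "restore_point": "purged by the System Restore off/on cycle (step 7)",
    "recycle_bin": "deleted when the Recycle Bin is emptied",
    "tool_backup": "VundoFix quarantine; remove the folder once the machine is clean",
    "cookie": "tracking cookie; clear browser cookies (step 6)",
    "other_windows_root": "under a Windows folder that is not the running %SystemRoot%; delete by hand",
    "live": "file present on the live system; delete by hand and re-scan",
}


@dataclass(frozen=True)
class Detection:
    family: str
    path: str
    location: str  # one of the ACTIONS keys
    action: str


def classify(family, path, systemroot=r"C:\WINDOWS"):
    """Decide where a detected object lives; systemroot is the running Windows dir."""
    p = path.lower()
    if family.lower().startswith("cookie/"):
        return "cookie"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\recycler\\" in p:
        return "recycle_bin"
    if "\\vundofix backups\\" in p:
        return "tool_backup"
    m = WIN_ROOT_RE.match(path)
    if m and m["root"].lower() != systemroot.lower():
        return "other_windows_root"
    return "live"


def parse(text, systemroot=r"C:\WINDOWS"):
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a detection
        loc = classify(m["family"], m["path"], systemroot)
        out.append(Detection(m["family"], m["path"], loc, ACTIONS[loc]))
    return out


def location_counts(text, systemroot=r"C:\WINDOWS"):
    counts = {}
    for d in parse(text, systemroot):
        counts[d.location] = counts.get(d.location, 0) + 1
    return counts


def live_paths(text, systemroot=r"C:\WINDOWS"):
    """Paths that still need hands-on removal after the scripted steps."""
    return [d.path for d in parse(text, systemroot)
            if d.location in ("live", "other_windows_root")]


if __name__ == "__main__":
    for d in parse(SAMPLE_LOG):
        print(f"{d.location:<19}{d.family:<28}{d.path}")
    print(location_counts(SAMPLE_LOG))
```

The point of the split is triage, not cleanup: the restore-point and quarantine hits disappear on their own once System Restore is cycled and the backup folders are removed, so the short list from live_paths() is what actually needs checking. The C:\WINNT entries are singled out because the HJT log shows this system running from C:\WINDOWS and nothing in it loads anything from C:\WINNT, so those files are leftovers to delete rather than evidence of an active loader.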

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Location
    Wisconsin
    Posts
    12


    And finally the HJT log--->

    Logfile of HijackThis v1.99.1
    Scan saved at 2:54:22 PM, on 4/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\Cleaning files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    I'll wait for your comments.

    Thank you
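
Post #7 picks the O2, O4 and O20 entries to fix by two signs that show in the log itself: a loader that points at a file HJT reports as "(file missing)", and a Run key that uses rundll32.exe to load a DLL by export name from system32. The script below is an added example, not HijackThis code or pskelley's own procedure. It parses O2/O4/O20 lines in the v1.99 format, applies those two checks plus two extra heuristics of its own (a Winlogon Notify package not on an assumed allowlist, and a BHO with no display name), and then compares the pre-cleanup excerpt from post #7 with the follow-up log in post #10 to confirm the fixed entries did not come back. The sample lines are copied from the posted logs; the allowlist and the flag rules are assumptions of this example, not a vendor signature set.

```python
"""Parse HijackThis v1.99 O2/O4/O20 lines, flag entries worth a look, and check
that the entries fixed in one log are really gone from the follow-up log.

Added example for this thread, not HJT's code. Sample lines are copied from the
logs in posts #7 and #10; the flag rules and the Winlogon Notify allowlist are
this example's own assumptions, not a vendor signature set.
"""
import re
from dataclasses import dataclass

# Pre-cleanup excerpt (constructed): the entries marked for "Fix checked" plus neighbours.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\xvkmpogt.dll (file missing)
O2 - BHO: (no name) - {8FD27C64-134F-4115-9BE4-FA23DDAA3C3B} - C:\WINDOWS\system32\gebcc.dll (file missing)
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
# Post-cleanup excerpt (constructed) from the log in post #10.
AFTER_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*?)(?P<missing> \(file missing\))?$")

# Assumed allowlist: XP's stock Winlogon\Notify subkeys plus the two vendor ones in this log.
KNOWN_WINLOGON_NOTIFY = {"igfxcui", "wgalogon", "crypt32chain", "cryptnet", "cscdll",
                         "sccertprop", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O4" or "O20"
    key: str       # CLSID (O2), Run value name (O4) or Notify subkey (O20)
    name: str      # display name HJT prints for the entry
    target: str    # DLL path or command line
    missing: bool  # HJT appended "(file missing)"


def parse_log(text):
    """Keep only the O2/O4/O20 lines; every other HJT section is ignored here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", "{" + m["clsid"] + "}", m["name"], m["target"], bool(m["missing"])))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["name"], m["target"], False))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["name"], m["target"], bool(m["missing"])))
    return entries


def triage(entries):
    """(entry, reason) pairs worth a closer look; the rules are this example's heuristics."""
    findings = []
    for e in entries:
        if e.missing:
            findings.append((e, "orphaned loader: the registry entry survives but its file is gone"))
        elif e.section == "O4" and e.target.lower().startswith("rundll32"):
            findings.append((e, "rundll32 loads a DLL by export name from a Run key: verify the DLL"))
        elif e.section == "O20" and e.key.lower() not in KNOWN_WINLOGON_NOTIFY:
            findings.append((e, "Winlogon Notify package not on the allowlist: it loads into winlogon.exe"))
        elif e.section == "O2" and e.name == "(no name)":
            findings.append((e, "BHO with no display name: check the file's publisher by hand"))
    return findings


def keys(entries):
    return {(e.section, e.key) for e in entries}


def removed_keys(before, after):
    """Autostart entries present in the first log but absent from the second."""
    return keys(parse_log(before)) - keys(parse_log(after))


def still_present(fixed, after):
    """Subset of the fixed entries that reappeared in the follow-up log (should be empty)."""
    return fixed & keys(parse_log(after))


# The entries post #7 told the poster to fix, keyed the way parse_log() keys them.
FIXED_IN_POST_7 = {
    ("O2", "{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}"), ("O2", "{8FD27C64-134F-4115-9BE4-FA23DDAA3C3B}"),
    ("O2", "{E24AD748-155E-4254-B674-4EDF86E7E1DF}"), ("O2", "{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"),
    ("O4", "SoundService"), ("O4", "KernelFaultCheck"), ("O20", "mlljh"),
}
```

Two caveats show up when this runs on the thread's own logs. The post #10 excerpt still produces one finding, the unnamed Spybot SDHelper.dll BHO, which is a false positive of the "(no name)" rule and is cleared by looking at the path; heuristics like these narrow the list, they do not replace reading it. And an orphaned "(file missing)" entry is itself harmless (nothing loads), which is why post #7 fixes the registry entries and only deletes wkdjhmjm.dll, the one DLL that was still on disk.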
