
Thread: Need help plz!

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Posts
    24

    Need help plz!

    I have this 2 malwares spybot found!

    Command Service and Network Monitor which I can't remove with the "fix selected problems" button!!


    BTW I'm typing this on my laptop, cuz on my computer when I open IE it opens a lot of pop ups.

    The HJT file which I'm moving with USB is

    Logfile of HijackThis v1.99.1
    Scan saved at 9:28:24 PM, on 10/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\SFVJTk9ORyBFTkc\command.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\bak\igfxpers.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Link...8&clcid=0x0409
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SFVJTk9ORyBFTkc\command.exe

    Plz help

  2. #2
    Junior Member
    Join Date
    Nov 2007
    Posts
    24


    Ahhh It's not only 2 it's 3! and gave 1 wrong one, my apologies...

    Command Service, Smitfraud-C.CoreService, and Virtumonde

  3. #3
    Junior Member
    Join Date
    Nov 2007
    Posts
    24

    Help again

    Ahhh! This is a second thread I'm posting, because some strange stuff happened the day I posted the first thread where I couldn't get rid of Command Service, then I woke up the next morning and ran S&D and it gave me a new file called something like... LLS (command search and the other one wasn't found) Fixed it and then opened IE and there was something I hadn't seen called "Security Toolbar 7.1"

    New HJT log (Sorry >.<)

    Logfile of HijackThis v1.99.1
    Scan saved at 6:39:05 PM, on 11/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SMINST\RECGUARD.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\Scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Link...8&clcid=0x0409
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {0de3c16c-a6a5-cd59-6484-bdb34a4ffdd4} - {4ddff4a4-3bdb-4846-95dc-5a6ac61c3ed0} - C:\WINDOWS\system32\bmekfyri.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\opnolkj.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jewiinpb.dll
    O2 - BHO: (no name) - {BBABD837-4E17-413A-9082-D8F0BEE56B18} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jewiinpb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [a0423165] rundll32.exe "C:\WINDOWS\system32\uduqinno.dll",b
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: jewiinpb - C:\WINDOWS\SYSTEM32\jewiinpb.dll
    O20 - Winlogon Notify: opnolkj - C:\WINDOWS\SYSTEM32\opnolkj.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello holyspecter

    Welcome to Safer Networking.

    Please read Before You Post
    All advice given by anyone volunteering here, is taken at own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen


    Reply to this thread only please, and do not start any new topics, or your posts will be all over the forum and we won't be able to keep track of you.

    You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

    • Click here to download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
    • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Junior Member
    Join Date
    Nov 2007
    Posts
    24


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: 2007-11-02
    The current time is: 10:37:17.29


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    2003-02-11 21:02 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    2005-09-20 19:33 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    2004-04-14 15:43 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    2007-10-25 00:59 179 hpsysdrv.DAT
    1998-05-07 18:04 52,736 hpsysdrv.exe
    2 File(s) 52,915 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    2005-11-03 16:22 77,824 hkcmd.exe
    2003-08-21 05:15 483,328 hphmon05.exe
    2005-11-03 16:26 118,784 igfxpers.exe
    2005-11-03 16:25 98,304 igfxtray.exe
    2002-10-16 17:57 81,920 ps2.exe
    5 File(s) 860,160 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    2003-12-22 17:38 241,664 hpcmpmgr.exe
    1 File(s) 241,664 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    2003-08-21 05:23 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    2006-03-07 12:49 180,269 realsched.exe
    1 File(s) 180,269 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    28172 Oct 2 2007 "C:\hp\KBD\KBD.EXE"
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    28172 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
    98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
    28172 Oct 2 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
    233472 Apr 14 2004 "D:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
    188 Oct 2 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
    179 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    28172 Oct 2 2007 "C:\WINDOWS\system\hpsysdrv.exe"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    28172 Oct 2 2007 "C:\WINDOWS\system32\hkcmd.exe"
    118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
    77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
    118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
    28172 Oct 2 2007 "C:\WINDOWS\system32\hphmon05.exe"
    483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
    28172 Oct 2 2007 "C:\WINDOWS\system32\igfxpers.exe"
    118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
    28172 Oct 2 2007 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
    28172 Oct 2 2007 "C:\WINDOWS\system32\ps2.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    28172 Oct 2 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
    28172 Oct 2 2007 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
    28172 Oct 2 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report
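
The replacement pattern described in post #4 shows up in this report as a live file whose size differs from the copy in its `bak` folder. The following is an added example, not part of the thread and not FindAWF's own code: it parses the "Duplicate files" listing and flags each live file that no longer matches its `bak` copy. The function names are hypothetical, and the sample rows are excerpts of the reports in posts #5 and #7.

```python
import re
from collections import Counter
from ntpath import basename, dirname, join, normcase  # Windows path rules on any OS

# One listing row: <size> <Mon> <day> <year> "<path>"
ROW = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')

# Excerpt of the listing in post #5 (before restore).
BEFORE = r'''
28172 Oct 2 2007 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
28172 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\hkcmd.exe"
118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
'''

# Excerpt of the listing in post #7 (after FindAWF option 2).
AFTER = r'''
61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
'''


def parse_rows(text):
    """Map case-normalized path -> (size, date, path as printed)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            size, date, path = m.groups()
            rows[normcase(path)] = (int(size), " ".join(date.split()), path)
    return rows


def find_replaced(text):
    """Pair each <dir>\\bak\\<name> row with <dir>\\<name>; report size mismatches."""
    rows = parse_rows(text)
    findings = []
    for key, (bak_size, bak_date, bak_path) in rows.items():
        folder = dirname(key)
        if basename(folder) != "bak":
            continue  # not a backup copy (e.g. a driver-store duplicate)
        live = rows.get(join(dirname(folder), basename(key)))
        if live is None:
            continue  # live file missing from the listing; nothing to compare
        live_size, live_date, live_path = live
        if live_size != bak_size:
            findings.append({
                "live_path": live_path, "live_size": live_size, "live_date": live_date,
                "bak_path": bak_path, "bak_size": bak_size, "bak_date": bak_date,
            })
    return findings


def shared_stub_size(findings):
    """Size shared by two or more flagged live files, or None.

    Unrelated programs ending up with the same byte count suggests they were
    all overwritten by the same file.
    """
    counts = Counter(f["live_size"] for f in findings)
    if not counts:
        return None
    size, hits = counts.most_common(1)[0]
    return size if hits >= 2 else None


if __name__ == "__main__":
    for label, text in (("before restore", BEFORE), ("after restore", AFTER)):
        found = find_replaced(text)
        print(f"{label}: {len(found)} mismatched file(s), "
              f"shared size = {shared_stub_size(found)}")
        for f in found:
            print(f"  {f['live_path']}: {f['live_size']} bytes ({f['live_date']}) "
                  f"vs bak {f['bak_size']} bytes ({f['bak_date']})")
```

Size equality only shows that the live file and the `bak` copy have the same length; comparing file hashes on the machine itself is the stronger check.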

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Again,

    You're also infected with the Vundo trojan; we will do that after we clean this up.

    Double-click FindAWF.exe to start the tool.

    * Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
    * A text file will open up. Please copy/paste the following bolded text into the text file:

    "C:\hp\KBD\bak\KBD.EXE"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    "C:\WINDOWS\system\bak\hpsysdrv.exe"
    "C:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\WINDOWS\system32\bak\hphmon05.exe"
    "C:\WINDOWS\system32\bak\igfxpers.exe"
    "C:\WINDOWS\system32\bak\igfxtray.exe"
    "C:\WINDOWS\system32\bak\ps2.exe"
    "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
    "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    * Close the .txt file and click 'Yes' to save the changes.
    * When the tool has completed, a report will open up in notepad.

    Please post the results of the awf.txt here.

  7. #7
    Junior Member
    Join Date
    Nov 2007
    Posts
    24


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: 2007-11-02
    The current time is: 19:30:28.54


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    2003-02-11 21:02 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    2005-09-20 19:33 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    2004-04-14 15:43 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    2007-10-25 00:59 179 hpsysdrv.DAT
    1998-05-07 18:04 52,736 hpsysdrv.exe
    2 File(s) 52,915 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    2005-11-03 16:22 77,824 hkcmd.exe
    2003-08-21 05:15 483,328 hphmon05.exe
    2005-11-03 16:26 118,784 igfxpers.exe
    2005-11-03 16:25 98,304 igfxtray.exe
    2002-10-16 17:57 81,920 ps2.exe
    5 File(s) 860,160 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    2003-12-22 17:38 241,664 hpcmpmgr.exe
    1 File(s) 241,664 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    2003-08-21 05:23 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    2006-03-07 12:49 180,269 realsched.exe
    1 File(s) 180,269 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    98304 Sep 20 2005 "C:\Program Files\QuickTime\qttask.exe"
    98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
    233472 Apr 14 2004 "D:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
    179 Oct 25 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
    179 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
    118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
    77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
    118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
    483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
    483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
    118784 Nov 3 2005 "C:\WINDOWS\system32\igfxpers.exe"
    118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
    81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
    180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report

    Did all that

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Moving along,

    Double-click FindAWF.exe to start the tool.

    * Select option #3 - Remove bak folders by typing 3 and press 'Enter'
    * A text file will open up. Please copy/paste the following bolded text into the text file:

    C:\hp\KBD\KBD.EXE\bak
    C:\Program Files\QuickTime\qttask.exe\bak
    C:\WINDOWS\SMINST\RECGUARD.EXE\bak
    C:\WINDOWS\system\hpsysdrv.DAT\bak
    C:\WINDOWS\system\hpsysdrv.exe\bak
    C:\WINDOWS\system32\hkcmd.exe\bak
    C:\WINDOWS\system32\hphmon05.exe\bak
    C:\WINDOWS\system32\igfxpers.exe\bak
    C:\WINDOWS\system32\igfxtray.exe\bak
    C:\WINDOWS\system32\ps2.exe\bak
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe\bak
    C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe\bak
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe\bak


    * Close the .txt file and click 'Yes' to save the changes.
    * When the tool has completed, a report will open up in notepad.

    Please post the results of the awf.txt here.



    Download: DelDomains and save it to the desktop.
    • Close all open windows and your browser
    • Right Click DelDomains.inf and select > Install
    • Reboot your computer

    Internet Explorer is needed to run this properly.



    Download VundoFix to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    I need to see the AWF log, the Vundo log and a New HJT log please

  9. #9
    Junior Member
    Join Date
    Nov 2007
    Posts
    24


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: 2007-11-02
    The current time is: 23:28:32.90


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    2003-02-11 21:02 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    2005-09-20 19:33 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    2004-04-14 15:43 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    2007-10-25 00:59 179 hpsysdrv.DAT
    1998-05-07 18:04 52,736 hpsysdrv.exe
    2 File(s) 52,915 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    2005-11-03 16:22 77,824 hkcmd.exe
    2003-08-21 05:15 483,328 hphmon05.exe
    2005-11-03 16:26 118,784 igfxpers.exe
    2005-11-03 16:25 98,304 igfxtray.exe
    2002-10-16 17:57 81,920 ps2.exe
    5 File(s) 860,160 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    2003-12-22 17:38 241,664 hpcmpmgr.exe
    1 File(s) 241,664 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    2003-08-21 05:23 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    2006-03-07 12:49 180,269 realsched.exe
    1 File(s) 180,269 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    98304 Sep 20 2005 "C:\Program Files\QuickTime\qttask.exe"
    98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
    233472 Apr 14 2004 "D:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
    179 Nov 2 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
    179 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
    118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
    77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
    118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
    483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
    483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
    118784 Nov 3 2005 "C:\WINDOWS\system32\igfxpers.exe"
    118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
    98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
    81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
    180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report

    Also, do these trojans I have log the info I type?

  10. #10
    Junior Member
    Join Date
    Nov 2007
    Posts
    24


    VundoFix V6.5.11

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 23:36:32 2007-11-02

    Listing files found while scanning....

    C:\windows\system32\icvpnkar.dll
    C:\WINDOWS\system32\jewiinpb.dll
    C:\windows\system32\opnolkj.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\icvpnkar.dll
    C:\windows\system32\icvpnkar.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jewiinpb.dll
    C:\WINDOWS\system32\jewiinpb.dll Has been deleted!

    Attempting to delete C:\windows\system32\opnolkj.dll
    C:\windows\system32\opnolkj.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
