Thread: Similar Problem again !!!
  1. #1
    Member (Join Date: Nov 2006, Posts: 51)

    Similar Problem again !!!

    I have somehow picked up what I suspect to be malware, and I am not sure where I got it from; however, I suspect it was from a spam mail. Anyway, here is my HJT.LOG.

    And my Windows Security Centre is messed up.

    Please help.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:44:26, on 2006-12-20
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program\Synaptics\SynTP\SynTPLpr.exe
    C:\Program\Synaptics\SynTP\SynTPEnh.exe
    C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Washer\Formdata.exe
    C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program Files\Webroot\Washer\Formdata.exe
    C:\Program\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\HJT\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
    O2 - BHO: (no name) - {EBB43D15-C602-4AFB-9BF8-B29727479A84} - C:\WINDOWS\system32\mlljk.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program\Delade filer\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
    O20 - Winlogon Notify: efcdbby - C:\WINDOWS\SYSTEM32\efcdbby.dll
    O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

  2. #2
    Retired Security Volunteer (Join Date: Dec 2006, Posts: 752)

    Hi, welcome to Spybot Forum!

    *Please download VundoFix.exe to your Desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    *Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

    On your next reply, please include a fresh HijackThis log, SDfix log and the vundofix log.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.

  3. #3
    Member (Join Date: Nov 2006, Posts: 51)

    SDFix: Version 1.51
    ****************

    2006-12-22 - 14:03:45,52

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Stage One - Safe Mode

    Checking Services...

    Service Name:

    MsaSvc

    File Path:

    C:\WINDOWS\system32\msasvc.exe

    MsaSvc Deleted...

    Starting Registry Repairs...


    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------

    C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\Temp\win1.tmp
    C:\WINDOWS\Temp\win10.tmp
    C:\WINDOWS\Temp\win11.tmp
    C:\WINDOWS\Temp\win12.tmp
    C:\WINDOWS\Temp\win13.tmp
    C:\WINDOWS\Temp\win14.tmp
    C:\WINDOWS\Temp\win15.tmp
    C:\WINDOWS\Temp\win16.tmp
    C:\WINDOWS\Temp\win17.tmp
    C:\WINDOWS\Temp\win18.tmp
    C:\WINDOWS\Temp\win19.tmp
    C:\WINDOWS\Temp\win1A.tmp
    C:\WINDOWS\Temp\win1B.tmp
    C:\WINDOWS\Temp\win1C.tmp
    C:\WINDOWS\Temp\win1D.tmp
    C:\WINDOWS\Temp\win1E.tmp
    C:\WINDOWS\Temp\win1F.tmp
    C:\WINDOWS\Temp\win2.tmp
    C:\WINDOWS\Temp\win20.tmp
    C:\WINDOWS\Temp\win21.tmp
    C:\WINDOWS\Temp\win22.tmp
    C:\WINDOWS\Temp\win23.tmp
    C:\WINDOWS\Temp\win24.tmp
    C:\WINDOWS\Temp\win25.tmp
    C:\WINDOWS\Temp\win26.tmp
    C:\WINDOWS\Temp\win27.tmp
    C:\WINDOWS\Temp\win28.tmp
    C:\WINDOWS\Temp\win29.tmp
    C:\WINDOWS\Temp\win2A.tmp
    C:\WINDOWS\Temp\win2B.tmp
    C:\WINDOWS\Temp\win2C.tmp
    C:\WINDOWS\Temp\win2D.tmp
    C:\WINDOWS\Temp\win2E.tmp
    C:\WINDOWS\Temp\win2F.tmp
    C:\WINDOWS\Temp\win3.tmp
    C:\WINDOWS\Temp\win30.tmp
    C:\WINDOWS\Temp\win31.tmp
    C:\WINDOWS\Temp\win32.tmp
    C:\WINDOWS\Temp\win33.tmp
    C:\WINDOWS\Temp\win34.tmp
    C:\WINDOWS\Temp\win35.tmp
    C:\WINDOWS\Temp\win36.tmp
    C:\WINDOWS\Temp\win37.tmp
    C:\WINDOWS\Temp\win38.tmp
    C:\WINDOWS\Temp\win39.tmp
    C:\WINDOWS\Temp\win3A.tmp
    C:\WINDOWS\Temp\win3B.tmp
    C:\WINDOWS\Temp\win3C.tmp
    C:\WINDOWS\Temp\win3D.tmp
    C:\WINDOWS\Temp\win3F.tmp
    C:\WINDOWS\Temp\win4.tmp
    C:\WINDOWS\Temp\win40.tmp
    C:\WINDOWS\Temp\win41.tmp
    C:\WINDOWS\Temp\win42.tmp
    C:\WINDOWS\Temp\win43.tmp
    C:\WINDOWS\Temp\win5.tmp
    C:\WINDOWS\Temp\win6.tmp
    C:\WINDOWS\Temp\win7.tmp
    C:\WINDOWS\Temp\win8.tmp
    C:\WINDOWS\Temp\win9.tmp
    C:\WINDOWS\Temp\winA.tmp
    C:\WINDOWS\Temp\winB.tmp
    C:\WINDOWS\Temp\winC.tmp
    C:\WINDOWS\Temp\winD.tmp
    C:\WINDOWS\Temp\winE.tmp
    C:\WINDOWS\Temp\winF.tmp
    C:\WINDOWS\Temp\winFC.tmp
    C:\WINDOWS\Temp\winFD.tmp
    C:\WINDOWS\Temp\winFE.tmp
    C:\WINDOWS\Temp\winFF.tmp

    Backing Up and Removing any Files Found...

    Alternate Stream Check:

    C:\WINDOWS\system32
    No streams found.
    Final Check:

    Services:
    ---------

    Rootkit PE386 Found!. Rootkit scan Needed...

    Authorized Applications Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    Files:
    ------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking for files with Hidden Attributes:

    C:\WINDOWS\SYSTEM32\awvst.dll
    C:\WINDOWS\SYSTEM32\efcdbby.dll
    C:\WINDOWS\SYSTEM32\nnlml.dll
    C:\Program\Messenger\msmsgs.exe
    C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
    C:\WINDOWS\SYSTEM32\logonui.exe.manifest
    C:\IO.SYS
    C:\MSDOS.SYS
    C:\pagefile.sys
    C:\Program Files\InterActual\InterActual Player\iti2A.tmp
    C:\WINDOWS\Temp\$_2341235.TMP

    FINISHED!

  4. #4
    Member (Join Date: Nov 2006, Posts: 51)

    VundoFix V6.2.13

    Checking Java version...

    Sun Java not detected
    Scan started at 13:43:38 2006-12-01

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\mljgf.dll
    C:\WINDOWS\SYSTEM32\fgjlm.ini
    C:\WINDOWS\SYSTEM32\fgjlm.bak1
    C:\WINDOWS\SYSTEM32\fgjlm.bak2
    C:\WINDOWS\SYSTEM32\fgjlm.ini2
    C:\WINDOWS\SYSTEM32\fgjlm.tmp
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\SYSTEM32\fgjlm.ini
    C:\WINDOWS\SYSTEM32\fgjlm.bak1
    C:\WINDOWS\SYSTEM32\fgjlm.bak2
    C:\WINDOWS\SYSTEM32\fgjlm.ini2
    C:\WINDOWS\SYSTEM32\fgjlm.tmp
    C:\WINDOWS\system32\fgjlm.ini
    C:\WINDOWS\system32\fgjlm.bak1
    C:\WINDOWS\system32\fgjlm.bak2
    C:\WINDOWS\system32\fgjlm.ini2
    C:\WINDOWS\system32\fgjlm.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\mljgf.dll
    C:\WINDOWS\SYSTEM32\mljgf.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.ini
    C:\WINDOWS\SYSTEM32\fgjlm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.bak1
    C:\WINDOWS\SYSTEM32\fgjlm.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.bak2
    C:\WINDOWS\SYSTEM32\fgjlm.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.ini2
    C:\WINDOWS\SYSTEM32\fgjlm.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.tmp
    C:\WINDOWS\SYSTEM32\fgjlm.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\mljgf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.2.13

    Checking Java version...

    Sun Java not detected
    Scan started at 14:03:14 2006-12-01

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.2.13

    Checking Java version...

    Sun Java not detected
    Scan started at 01:22:02 2006-12-19

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\windmh32.dll

    VundoFix V6.2.13

    Checking Java version...

    Sun Java not detected
    Scan started at 15:20:20 2006-12-19

    Listing files found while scanning....

    C:\WINDOWS\system32\jkkji.dll
    C:\WINDOWS\system32\ijkkj.ini
    C:\WINDOWS\system32\ijkkj.bak1

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\jkkji.dll
    C:\WINDOWS\system32\jkkji.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\ijkkj.ini
    C:\WINDOWS\system32\ijkkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ijkkj.bak1
    C:\WINDOWS\system32\ijkkj.bak1 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\jkkji.dll
    C:\WINDOWS\system32\jkkji.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ijkkj.ini
    C:\WINDOWS\system32\ijkkj.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.2.13

    Checking Java version...

    Sun Java not detected
    Scan started at 12:55:15 2006-12-22

    Listing files found while scanning....

    C:\WINDOWS\system32\mlljk.dll
    C:\WINDOWS\system32\kjllm.ini
    C:\WINDOWS\system32\kjllm.bak1
    C:\WINDOWS\system32\kjllm.bak2

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\mlljk.dll
    C:\WINDOWS\system32\mlljk.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\kjllm.ini
    C:\WINDOWS\system32\kjllm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kjllm.bak1
    C:\WINDOWS\system32\kjllm.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kjllm.bak2
    C:\WINDOWS\system32\kjllm.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\mlljk.dll
    C:\WINDOWS\system32\mlljk.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

  5. #5
    Member (Join Date: Nov 2006, Posts: 51)

    Logfile of HijackThis v1.99.1
    Scan saved at 14:31:32, on 2006-12-22
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program\Synaptics\SynTP\SynTPLpr.exe
    C:\Program\Synaptics\SynTP\SynTPEnh.exe
    C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\MSN Messenger\MsnMsgr.Exe
    C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\HJT\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
    O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
    O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

  6. #6
    Retired Security Volunteer (Join Date: Dec 2006, Posts: 752)

    Configure your machine to view hidden files:

    Windows XP
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the "Hidden files and folders" heading select Show hidden files and folders.
    • Uncheck the Hide Protected Operating System Files Option.
    • Click Yes to confirm.
    • Click OK.

    I want you to please submit some files HERE for experts to take a look at.

    Fill in the information needed in the appropriate boxes.

    Under "Topic Where File Was Requested:" copy and paste this: http://forums.spybot.info/showthread...9414#post59414

    Under the "files to submit," on the first box, click browse then navigate to this file: C:\WINDOWS\system32\awvst.dll
    Hit open.

    Finally, click the "Send file" button on the bottom part of the page.

    ___________________________


    *Download http://www.uploads.ejvindh.net/rustbfix.exe and save it to your desktop.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.


    *Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
    • Copy&Paste the 2 entries below into the top 2 boxes.

      • C:\WINDOWS\system32\awvst.dll
      • C:\WINDOWS\SYSTEM32\tsvwa.*

    • Click Add Files and click Close Window.
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


    *Run AVG Anti-Spyware
    • From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
    • After the update finishes (the status bar at the bottom will display "Update successful")
    • Exit AVG Anti-Spyware. DO NOT scan yet.


    *Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
    O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
    O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
    O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
    O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
    O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
    O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)


    Close your browsers and all open windows except for HijackThis, then click "Fix checked".


    *Open notepad.
    Copy and paste the text inside the Code Box below into Notepad
    Choose File > Save As and under "Save as type", choose "All Files".
    Type delservices.bat in the File name and save it to your desktop.

    Code:
    @echo off
    rem Stop the rogue "COM+ Messages" service, then remove its registration from the Service Control Manager.
    sc stop "COM+ Messages"
    sc delete "COM+ Messages"

    Do not use it yet!!


    *You may want to print these instructions here or save them in notepad since you'll work offline.

    Reboot into Safe Mode.

    To enter Safe Mode..

    Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

    *Locate delservices.bat on your Desktop and double-click on it.

    *Using Windows Explorer, find and delete these files:

    C:\WINDOWS\system32\ibgiyhbp.dll
    C:\WINDOWS\Downloaded Program Files\fcplugin.dll
    C:\WINDOWS\system32\win_i.dll
    C:\WINDOWS\system32\windmh32.dll
    C:\WINDOWS\SYSTEM32\efcdbby.dll
    C:\WINDOWS\SYSTEM32\nnlml.dll
    C:\WINDOWS\system32\svchosts.exe <<Important!: There is a legit file called svchost.exe present in the same folder as the infected file. The infected file that we want to delete is svchosts.exe , please be careful in deleting the file.

    Empty your recycle bin.

    *Please run AVG AntiSpyware, and run a full scan as follows:

    IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
    • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions".
    • Next select the "Reports" icon at the top.
    • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
    • Close AVG AntiSpyware.
    • Reboot to normal mode.


    *On your next reply, please post the contents of C:\avenger.txt & C:\rustbfix\pelog.txt , C:\vundofix.txt , AVG Antispyware log, and a fresh HijackThis log.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.
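As an added example that is not part of this thread or of any tool used in it, the following Python script applies the same kind of checks the volunteer applied to the HijackThis lines above: orphaned "(file missing)" entries, unnamed BHOs loading from system32, AppInit_DLLs and unfamiliar Winlogon Notify packages, and services with no owner whose binary name imitates a Windows binary (svchosts.exe next to the real svchost.exe). The sample lines are copied from the logs posted in this thread; the two allowlists are assumptions of the example and should be extended for your own environment.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not a tool from this thread)."""
import re
from dataclasses import dataclass

# Windows system binaries whose names malware imitates (svchosts.exe, lsasss.exe, ...).
LEGIT_SYSTEM_EXES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                     "services.exe", "winlogon.exe", "explorer.exe"}
# Winlogon Notify packages expected on a patched XP SP2 box. This allowlist is an
# assumption of the example; extend it for your own environment.
KNOWN_NOTIFY = {"wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: efcdbby - C:\WINDOWS\SYSTEM32\efcdbby.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O23 - Service: ..." -> section, body
EXE_RE = re.compile(r'[^\\/":\s]+\.exe', re.IGNORECASE)  # basename of any .exe in a line


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one inserted, deleted or substituted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            if len(a) == len(b):   # substitution: advance both; insertion: advance b only
                i += 1
            j += 1
        else:
            i += 1
            j += 1
    return True


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing looks wrong."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("orphaned entry: the file it points to no longer exists")
    if section == "O2" and "(no name)" in low and "\\system32\\" in low:
        reasons.append("unnamed BHO loading from system32 (typical of Vundo)")
    if section == "O20" and low.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs injects this DLL into every process that loads user32.dll")
    if section == "O20" and low.startswith("winlogon notify:"):
        pkg = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if pkg not in KNOWN_NOTIFY:
            reasons.append(f"unknown Winlogon Notify package '{pkg}' runs inside winlogon.exe")
    if section == "O23":
        if "unknown owner" in low:
            reasons.append("service binary carries no vendor information")
        for exe in EXE_RE.findall(body):
            for legit in LEGIT_SYSTEM_EXES:
                if one_edit_apart(exe.lower(), legit):
                    reasons.append(f"binary name '{exe}' imitates Windows '{legit}'")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage_log(text: str) -> list:
    """Apply triage_line to every line of a log and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the script flags the six entries the volunteer asked to have fixed and leaves the Adobe, Spybot, WgaLogon and ZoneAlarm lines alone; the name-imitation check is what separates the bogus svchosts.exe service from the real svchost.exe processes higher up the log.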
