• Welcome Guest, to the Spybot Forums! It's 2025, and we just upgraded our forum software.

    Today is Safer Internet Day, and with our new forum, you can finally use passkeys to login. That was about time!

    Of course, you could ask if a forum is still useful, with so many social media networks out there where you might already have an account, and met a lot of users. You can now use your login from some of those networks to log in here. And by posting here, your question and data is stored on our servers and not automatically shared with a whole social media network.

    We'll also start using the forum for small bits of information, announcements and more again.

possible smitfraud problem

X

xtophe

New member
Hello,

I am new to this forum, I detect a possible smitfraud problem on my computer and I am triying to get rid of it.
could anyone help me out?
thanx

I have run a hijack this, and here is the log:



Logfile of HijackThis v1.99.1
Scan saved at 21:39:53, on 03/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\trdihwfv.dll",setvm
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 
Last edited by a moderator:
Hi xtophe

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)
 
New HJT log

Hello Shabba,

Since yesterday, i have installed demo version of kaspersky who found lots of probleme type: mainly Win32.Sality.l
Cannot add or suppress any programe since my rundll32.exe is accessible.
I am not shure how long I will be able to use this computer, but I am folowing forum on a apple mac.

Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 16:12:51, on 04/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O2 - BHO: (no name) - {D4570042-A7EF-4772-8BC8-6D090F0A5532} - C:\WINDOWS\System32\hgdab.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: hgdab - C:\WINDOWS\System32\hgdab.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 
Hi

If you have sality, let's run first panda online scan:

Please run this online scan:

Panda ActiveScan

  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log
 
Panda scan report and new HJT log

Hello Shaba,

Sory for mispelling your name in my first E-mail.
I did the pand scan, ( it took for ever, and only works using IE)

Here is the Panda report, and fresh HJT log:

PANDA:

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.toplist.cz/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.xiti.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.xiti.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.adtech.de/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.drivecleaner.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Christophe Chaverou\Bureau\TELECHARGEMENTS\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@atdmt[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@bluestreak[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@stats1.reliablestats[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Christophe Chaverou\Local Settings\Temp\aaugdshb.dll
Virus:W32/Sality.O Disinfected C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
Virus:W32/Sality.O Disinfected C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

-------------------------------------------------------------------------
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 23:56:43, on 04/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O2 - BHO: (no name) - {D4570042-A7EF-4772-8BC8-6D090F0A5532} - C:\WINDOWS\System32\hgdab.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [Panda_cleaner] C:\WINDOWS\System32\ACTIVE~1\pavdr.exe C:\WINDOWS\System32\pavdr_actions.sys
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: hgdab - C:\WINDOWS\System32\hgdab.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)


thank you,
Xtophe.
 
Hi

Next step is then to update your Windows before we do anything else.

You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=fr

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
 
Not able to install SP1

Shaba,

I've downloaded the SP1, but the installer failled to install the SP1: "An error occur while assistant tried to download SP1 Files".
I've tried several times without any succes.
I've tried to desactivate Kaspersky. no result.
Tried to find a way to install SP1 without connection to internet as the it was suggested, but without any succes....
What can i do?
 
more Questions

Shaba,

Since i Have this computer, I have been trying to stay away from using any microsoft programs, I use Mozilla as a navigator, not IE and I have run win anti-spy witch turns off outlook , msn etc ... This is probably why i have never done any updates ...
I am saying this because while trying to do the update as you suggested, but without succes for some odd reason, it seams that the service pack1 and windows update will give me the latest versions of these programes wich i do not use....
Is this true? I bet I Am missing something....?

In the same Time, I am still not able to tell you wich version of XP i am running, since
Windows still cannot find rundll32.exe and does not allow me to use control panel and stop the acces to other informations ....
 
SP1 ok and windowsupdate successful

Shaba,

After reboot, I was able to install Sp1a and download and install all windows update.
After reboot, I know have a pure blue screen only after login??/?
The only tool that seam to work is the task manager wich alowed me to run a fresh HJT and open a firefox window for me to send you this thread.
Please help!!!

Here is the fresh HjT log:

Logfile of HijackThis v1.99.1
Scan saved at 14:19:13, on 05/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 
Hi

As for rundll32.exe, try to download it from here and unzip it to C:\windows\system32.

Control panel shoud work after that.

Also, do this:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
VundoFix.txt and other information

Shaba,

For information, i do not have acces to my desktop ... my screen is blue and no windows or menu or icon are visible, the only acces i have is through the task manager window.

I have downloaded the rundll32.exe but am not able to unzipit to C:/windows/system32/ I get this message:
Impossible to find rundll32.exe, this program is needed to complete ....

I have downloaded vundo and run it fine.
you will fond below the vundofix.txt and new HJT log

VUNDO:


VundoFix V6.3.5

Checking Java version...

Java version is 1.4.2.6

Scan started at 17:40:39 05/02/2007

Listing files found while scanning....

C:\WINDOWS\System32\badgh.bak1
C:\WINDOWS\System32\badgh.bak2
C:\WINDOWS\System32\badgh.ini
C:\WINDOWS\System32\badgh.ini2
C:\WINDOWS\System32\badgh.tmp
C:\WINDOWS\System32\gatwewfn.dll
C:\WINDOWS\System32\hgdab.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\badgh.bak1
C:\WINDOWS\System32\badgh.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.bak2
C:\WINDOWS\System32\badgh.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.ini
C:\WINDOWS\System32\badgh.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.ini2
C:\WINDOWS\System32\badgh.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.tmp
C:\WINDOWS\System32\badgh.tmp Has been deleted!

Attempting to delete C:\WINDOWS\System32\gatwewfn.dll
C:\WINDOWS\System32\gatwewfn.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgdab.dll
C:\WINDOWS\System32\hgdab.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 18:01:30, on 05/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - C:\WINDOWS\System32\hgdab.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll (file missing)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 
rundll32.exe

Shaba,
I have been able to unzip the file to proper location throught.
Still no desktop thought or acces to control panel...
let me know the next step.
Thank you again for helping me out,
greatly appreciated.
Xtophe.
 
Hi

Can you do this?

Go to task manager, there file> new task> explorer> ok

And tell if it helped :)
 
Last edited:
explorer ...

Shaba,

I cannot get to it and i don't have acces to search fonction.
Do you know the path to explorer?
I've tried in C:/Programfiles
and in C:/Windows/
But it is to vast to explore for me!!!
thanx again for tips.
 
Hi

I think that explorer.exe might could have been infected with sality and that's why may not exist :(

Try these instructions (from If there is a Windows 95 version of the Explorer.exe file in the Windows NT folder, follow these steps:
Step 5. isn't necessary)

Did it help?
 
More on explorer

Shaba,

Does not help, I am not able to find any explorer file, neither do I have a c:\winnt folder ...
Or Am I doing anything wrong?
 
explorer again

Would it help if i was able to find an original WinXP cd ?
I dont have any becaus my computer was setup already when I got it, but i am pretty sure I could find a winXp cd from someone arroud....
 
Hi

Like I said, follow instructions starting from "If there is a Windows 95 version of the Explorer.exe file in the Windows NT folder, follow these steps:" but not the step 5 :)
 
Cannot remenber dos language ...

Hello Shaba,

I am not able to folow direction:
How do I go to the CD-ROM directory?
Cant remenber the dos command
Then how do I expand the explorer.exe and from wich directory since the CD is Win XP and Not Win NT ???
Sory, looks like i need to be taken by the hand here...
Xtophe
 
You must log in or register to reply here.
Back
Top